Privacy Policy
Last updated 31 July 2025
1. Who We Are
This Privacy Policy explains how Finly Ltd (“Finly”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit operatorfoundry.com or purchase our services (the “Service”). Finly Ltd is a private limited company registered in Cyprus (Company № HE 445932) with its registered office at:
1 Mourouzi St, GEORGIA COURT, Floor 4, Office 401
Mesa Geitonia, 4001 Limassol, Cyprus
For the purposes of Regulation (EU) 2016/679 (“GDPR”), Finly Ltd is the Data Controller for account‑, marketing‑ and billing‑related data, and a Data Processor for any personal data customers upload into our platform (e.g. names inside policy templates).
2. Personal Data We Process
2.1 Data you provide directly
- Account Data — name, business email, password hash, company name, VAT/Tax ID.
- Billing Data — address, country, last 4 digits of card, payment token (via Stripe).
- Support Data — contents of emails, chat messages, Loom video links, Slack posts.
- Uploaded Content — any files or text you import into our templates.
2.2 Data we collect automatically
- Usage Data — log files (IP, user‑agent, referring URL, timestamps), page views, button clicks.
- Device & Analytics Data — pseudonymised identifiers from cookies or similar tech via Plausible Analytics (EU‑hosted, no personal identifiers).
3. Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Provision of the Service, account management, downloads | Art. 6 (1) (b) GDPR — contract performance |
| Billing & fraud prevention | Art. 6 (1) (c) GDPR — legal obligation |
| Product analytics & service security | Art. 6 (1) (f) GDPR — legitimate interest |
| Marketing emails about similar products | Art. 6 (1) (a) or (f) GDPR — consent or legitimate interest* |
*You can opt out of marketing at any time via unsubscribe link or email.
4. How We Use Personal Data
- To create and secure your account and allow downloads.
- To process payments and issue invoices.
- To provide customer support and notify you of critical updates.
- To improve the Service via aggregated analytics.
- To send product announcements where legally permitted.
5. Sharing & Sub‑Processors
We never sell personal data. We only share it with vetted service providers under data‑processing agreements:
- Stripe Payments Europe, Ltd. — payment processing (EU data centre).
- Plausible Analytics OÜ — privacy‑friendly analytics (Estonia).
- Amazon Web Services (AWS) — EU‑West‑1 (Ireland) hosting.
- Slack Technologies Ltd. — optional support workspace (EU‑US DPF/SCCs).
Data may be transferred outside the EEA where necessary. In such cases we rely on an adequacy decision (e.g. EU‑US Data Privacy Framework) or Standard Contractual Clauses.
6. Retention Periods
- Account & billing records — 6 years after last financial transaction (tax law).
- Support emails — 24 months after ticket closure.
- Analytics logs — 12 months rolling, aggregated thereafter.
- Uploaded content — until you delete it or 30 days after account closure.
7. Your GDPR Rights
You have the right to:
- Access, correct or erase your personal data.
- Restrict or object to processing.
- Data portability.
- Withdraw consent at any time (marketing).
- Lodge a complaint with the Cyprus Data Protection Commissioner (dataprotection.gov.cy).
To exercise any right, email [email protected]. We will respond within 30 days.
8. Security Measures
We apply industry‑standard safeguards: HTTPS, at‑rest encryption, MFA for admins, least‑privilege IAM, automated backups, vulnerability scanning and annual penetration tests.
9. Cookies & Similar Tech
We use a single first‑party session cookie for authentication and Plausible’s cookieless analytics. No third‑party advertising cookies are set. You can block cookies via your browser, but essential features may break.
10. Marketing Communications
If you opt‑in, we’ll send occasional product updates. You can unsubscribe anytime by clicking the link in the email or contacting us.
11. Children’s Privacy
The Service is not directed to children under 16. We do not knowingly process data of minors. If you believe a child has provided personal data, contact us for deletion.
12. Changes to this Policy
Material changes will be announced at least 30 days in advance by email or banner. The “Last updated” date will change accordingly.
13. Contact Us
Questions or concerns? Email [email protected] or write to the registered address above.