GDPR Compliance
Last updated: 11 July 2026
This page details how Finur complies with Regulation (EU) 2016/679 (GDPR) and the parties' roles in data processing.
1. Controller vs. processor
For your account data (name, email, billing), PROACTIVE SHIPPING S.R.L., VAT no. RO49176949, Trade Registry no. J2023022378407, registered office at Str. Ion Țuculescu no. 42, Bl. P3, Sc. C, 3rd floor, Ap. 47, District 3, Bucharest, Romania acts as controller.
For your clients' data uploaded to the platform (accounting documents, payroll data, contact details of the companies in your portfolio), your firm is the controller and Finur acts as processor, strictly on your instructions. The data processing agreement (DPA) is part of the terms of service.
2. Data subject rights
- Right of access (art. 15): you can export your account data at any time.
- Right to rectification (art. 16): data can be corrected directly in the platform.
- Right to erasure (art. 17): closing the account triggers cascade deletion from all systems.
- Right to restriction of processing (art. 18).
- Right to portability (art. 20): export in standard formats (CSV, PDF, XML).
- Right to object (art. 21).
- Right not to be subject to a decision based solely on automated processing (art. 22): by design, no external action executes without human approval.
3. Exercising your rights
Write to us at contact@finur.io. We reply within 30 days at the latest. If the request concerns data for which your firm is the controller, we forward it to the firm and inform you.
You have the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP), at dataprotection.ro, B-dul G-ral Gheorghe Magheru 28-30, Bucharest.
4. Technical and organisational measures
- Per-firm data isolation at database level (Row Level Security).
- Encryption in transit (TLS) and at rest.
- Two-factor authentication and audit logs for sensitive actions.
- Cascade deletion on account closure: database, stored files and the vector search index.
- Restricted, role-based, logged internal access to production.
5. Data breaches
In the event of a breach posing a risk to data subjects' rights, we notify ANSPDCP within 72 hours and affected users without undue delay, in accordance with arts. 33-34 GDPR.