Legal

Privacy Policy

Effective date: 12 May 2025
Last updated: 12 May 2025
Version: 1.0

01

Data Controller

The Finner.AI platform is operated by:

Airenden, Lda

Legal form: Sociedade por Quotas (Lda) — limited liability company under Portuguese law
Registered in: Portugal, European Union
VAT / NIF: To be published upon commercial registration
Email: privacy@finner.ai
General enquiries: hello@finner.ai
Website: https://finner.ai

Airenden, Lda acts as the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (GDPR) for all personal data processed through the Finner.AI platform and this website.

Where Finner.AI processes personal data on behalf of a client organisation (e.g. a family office that engages us to process its employees' or beneficiaries' data), Airenden, Lda acts as a data processor under a separate Data Processing Agreement (DPA) with that client, who is the data controller for those processing activities.

02

Scope and Applicability

This Privacy Policy applies to:

  • Visitors to the Finner.AI website at https://finner.ai
  • Prospective customers who contact us, request a demo, or sign up for early access
  • Authorised users of the Finner.AI platform on behalf of a client organisation
  • Any individual whose personal data is processed by Airenden, Lda as controller in connection with the provision of the Finner.AI service

This Policy does not cover the processing of financial or portfolio data (public or private) that belongs to a client organisation in its capacity as data controller. Such processing is governed by the applicable DPA between Airenden, Lda and that client.

Applicable law

This Policy is drafted in accordance with: Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR); Regulation (EU) 2024/1689 (EU Artificial Intelligence Act — EU AI Act); the Portuguese Law no. 58/2019 implementing the GDPR; and applicable ePrivacy rules.

03

Data We Collect

3.1 Data you provide directly

  • Contact and identity data: name, job title, email address, phone number, company name — when you fill in our contact form, request a demo, or correspond with us
  • Account data: login credentials (hashed), role and access permissions — when an account is created for you by your organisation
  • Communications: content of emails, messages, and support requests you send to us

3.2 Data collected automatically

  • Technical data: IP address, browser type and version, operating system, device identifiers, time zone and language settings
  • Usage data: pages visited, features used, clickstream data, session duration, error logs
  • Cookie data: see Section 10

3.3 Data received from third parties

  • Financial data feeds: market data from licensed data providers (e.g. pricing, corporate actions) — this data relates to instruments, not individuals, and is not personal data unless linked to an identifiable person
  • Fund administrator documents: PDF reports, capital call notices, and distribution statements uploaded by the client — processed as instructed by the client under a DPA

04

Purposes and Legal Basis

We process personal data only where we have a valid legal basis under Article 6 GDPR. The table below sets out the main processing activities:

Contract performance (Art. 6(1)(b) GDPR)

  • Creating and managing user accounts
  • Delivering the Finner.AI platform and its features
  • Processing demo requests and responding to enquiries prior to entering a contract
  • Sending transactional communications (alerts, reports, billing notices)

Legitimate interests (Art. 6(1)(f) GDPR)

  • Improving and securing the platform (fraud prevention, system integrity monitoring)
  • Internal analytics to understand how features are used — subject to appropriate pseudonymisation
  • Contacting prospective clients who have expressed interest in the platform (direct marketing to professionals, with opt-out provided)

Legal obligation (Art. 6(1)(c) GDPR)

  • Complying with applicable financial services, tax, anti-money laundering (AML), and data protection law obligations
  • Responding to lawful requests from competent authorities

Consent (Art. 6(1)(a) GDPR)

  • Non-essential cookies and analytics tracking (see Section 10)
  • Marketing communications beyond the initial contact context, where required

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

05

AI-Powered Processing

Finner.AI uses artificial intelligence and machine learning models to provide its core services. This section describes how AI processing operates and your rights in relation to it, in accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) and Article 22 GDPR.

EU AI Act — Risk Classification

The AI systems used within Finner.AI are classified as limited risk under the EU AI Act. They are not classified as high-risk AI systems under Annex III of the Regulation, as the platform is used exclusively by professional clients (family offices) in a business-to-business context for portfolio monitoring, analysis, and reporting — and does not make binding decisions with legal or similarly significant effects on natural persons without human oversight.

5.1 What our AI systems do

  • Portfolio analysis and insight generation: AI models analyse aggregated portfolio data to generate observations, risk signals, concentration alerts, and commentary. These outputs are advisory and subject to review by qualified investment professionals.
  • Natural language interface: A large language model (LLM) processes user queries to retrieve and summarise portfolio information. Query text is processed to generate responses; it is not used to train the model without separate explicit consent.
  • Document parsing: Machine learning models extract structured data from uploaded documents (e.g. fund reports, capital call notices). Extraction outputs are presented to users for review and correction.
  • Anomaly and risk detection: Statistical models identify unusual patterns in portfolio data and generate alerts. All alerts are surfaced to the user; no automated action is taken without user instruction.
  • Cash flow forecasting: Predictive models generate forward-looking estimates of capital calls and distributions. These are probabilistic estimates, not guaranteed predictions.

5.2 Transparency obligations (EU AI Act, Art. 50)

In compliance with Article 50 of the EU AI Act, Airenden, Lda discloses that:

  • AI-generated content (insights, commentary, summaries) is clearly labelled within the platform interface as AI-generated
  • The natural language interface is an AI system; users are informed of this at first use
  • No AI-generated output is presented as a definitive investment recommendation or advice under MiFID II without appropriate human review

5.3 Human oversight

All material outputs of Finner.AI's AI systems are designed to support — not replace — human decision-making. The platform does not take any autonomous action with financial or legal consequence. Users retain full control over all portfolio decisions, and AI-generated insights are clearly distinguished from confirmed data.

5.4 Automated decision-making (GDPR Art. 22)

Finner.AI does not subject any individual to solely automated decisions that produce legal or similarly significant effects on them within the meaning of Article 22 GDPR. All AI outputs are advisory and require a human decision before any action with legal consequence is taken.

If you believe an AI-generated output has materially affected you, please contact us at privacy@finner.ai to request human review.

5.5 AI model providers

Finner.AI relies on third-party AI infrastructure providers (including cloud-based LLM APIs). Where such providers process personal data, they do so under data processing agreements that meet GDPR requirements. We do not share personally identifiable financial data with AI providers without appropriate contractual safeguards. Specific subprocessors are listed in our Subprocessor Register, available on request.

06

Data Sharing

We do not sell personal data. We share personal data only in the following circumstances:

Service providers and subprocessors

We engage trusted third-party processors to provide infrastructure, analytics, and communication services (e.g. cloud hosting, email delivery, customer support tooling). All subprocessors are bound by data processing agreements and may only process data on our documented instructions.

Client organisations

Where you are an authorised user of the platform, your account and access data are visible to the designated administrators of your client organisation.

Legal and regulatory disclosure

We may disclose personal data to law enforcement, regulatory authorities, or courts where required to do so by applicable law, or where necessary to protect the rights, property, or safety of Airenden, Lda, our clients, or others.

Business transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data held by Airenden, Lda may be transferred to the acquirer. We will provide notice before any such transfer and inform you of any changes to this Policy.

07

International Transfers

Airenden, Lda is established in Portugal and processes data primarily within the European Economic Area (EEA). Where we or our subprocessors transfer personal data outside the EEA, we ensure an appropriate transfer mechanism is in place, such as:

  • An adequacy decision by the European Commission under Art. 45 GDPR
  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46(2)(c) GDPR
  • Binding Corporate Rules (BCRs) where applicable

You may request a copy of the transfer mechanisms we rely on for specific subprocessors by contacting privacy@finner.ai.

08

Retention Periods

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

  • Account and platform data: for the duration of the contractual relationship plus 3 years, or as required for legal compliance
  • Contact and marketing data: until you opt out or withdraw consent, or after 2 years of inactivity
  • Usage and technical logs: up to 12 months from collection, subject to security and legal requirements
  • Financial document data processed as a processor: as instructed by the client controller in the applicable DPA
  • Legal obligation records: for the period required by the applicable obligation (e.g. 7 years for accounting records under Portuguese law)

At the end of the applicable retention period, data is securely deleted or anonymised.

09

Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of them, contact us at privacy@finner.ai. We will respond within one calendar month of receiving your request (extendable by a further two months where requests are complex or numerous).

Right of access (Art. 15)

You may request confirmation of whether we process your personal data and, if so, a copy of that data and information about how it is processed.

Right to rectification (Art. 16)

You may request that we correct inaccurate or incomplete personal data we hold about you.

Right to erasure (Art. 17)

You may request deletion of your personal data where it is no longer necessary for the purposes collected, or where you withdraw consent and no other legal basis applies.

Right to restriction (Art. 18)

You may request that we restrict processing of your data in certain circumstances, for example while accuracy is contested or an objection is pending.

Right to data portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21)

You may object at any time to processing based on legitimate interests, including profiling. You have an absolute right to object to direct marketing.

Rights related to automated decision-making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 5.4 for how Finner.AI addresses this.

Right to withdraw consent (Art. 7(3))

Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case a reasonable fee or refusal may apply. We may ask you to verify your identity before processing a rights request.

10

Cookies

This website uses cookies and similar technologies. We use:

  • Strictly necessary cookies: required for the site to function (e.g. session management, security tokens). No consent is required for these.
  • Analytics cookies: used to understand how visitors interact with our website (e.g. pages visited, session duration). These are only set with your consent.
  • Preference cookies: used to remember your settings and choices. Set with your consent.

You can manage or withdraw your cookie consent at any time via the cookie settings link in the footer, or by adjusting your browser settings. Withdrawing cookie consent does not affect any other processing of your personal data.

11

Security

Airenden, Lda implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and principle of least privilege
  • Regular security assessments and penetration testing
  • Audit logging for access to sensitive data
  • Employee training on data protection and information security

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected individuals without undue delay, in accordance with Articles 33 and 34 GDPR.

12

Complaints

If you believe that your personal data has been processed in a manner that does not comply with the GDPR, you have the right to lodge a complaint with a supervisory authority, pursuant to Article 77 GDPR.

The lead supervisory authority for Airenden, Lda, as a Portuguese-registered entity, is:

Lead Supervisory Authority
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 — 1º, 1200-651 Lisboa, Portugal
Website: www.cnpd.pt
Email: geral@cnpd.pt

If you are located in another EU/EEA member state, you may also lodge a complaint with your local data protection authority. We encourage you to contact us first at privacy@finner.ai so we can attempt to resolve your concern directly.

13

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the platform.

We encourage you to review this Policy periodically. Continued use of the Finner.AI platform after the effective date of a revised Policy constitutes acceptance of the changes, to the extent permitted by applicable law.

Previous versions of this Policy are available on request.

14

Contact Us

For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a data protection concern, please contact us:

Data Protection Contact
Airenden, Lda — operating as Finner.AI
Email: privacy@finner.ai
General: hello@finner.ai

We aim to acknowledge all data protection enquiries within 5 business days and to respond fully within one calendar month.