1. Introduction
Finch Accounts Payable Application ("Finch") is a secure and self-hosted accounts payable management solution that operates within the client's own Microsoft tenant. This Privacy Policy outlines our commitment to protecting the personal information and data Finch processes on behalf of its users. It covers the policies and procedures Finch follows to ensure data privacy and regulatory compliance.

2. Scope and Applicability
This Privacy Policy applies to all users of Finch, including employees, contractors, and any third-party users accessing the application. Finch is designed to be self-hosted by clients in their Microsoft environment, and Finch does not access, store, or transfer data outside the client’s tenant. By using Finch, clients agree to this Privacy Policy, which complies with international data protection regulations such as GDPR, CCPA, and PIPEDA.

​

3. Personal Information Collection and Use

Finch only processes personal information necessary for the accounts payable management functions as outlined by the client. Finch does not collect, access, or store personal information directly. Instead, Finch’s self-hosted setup ensures that all data remains within the client’s Microsoft tenant. Typical data processed within Finch may include:

• Employee Information: Contact information, job title, and department for access management and role-based controls.

• Supplier/Vendor Information: Names, addresses, bank account details, and tax information for processing payments and managing accounts payable.

• Transactional Information: Purchase orders, invoices, approvals, and audit logs related to accounts payable transactions.

 

4. Data Retention and Disposal
Finch operates within the data retention policies set by the client within their Microsoft tenant. Clients are responsible for defining their own retention policies, and Finch does not retain or manage data independently. Upon termination of Finch’s use, all data related to the accounts payable system will remain within the client’s tenant, allowing them to perform secure data disposal as per their internal policies.

5. Data Security and Confidentiality
We prioritize the security and confidentiality of information processed through Finch by implementing the following measures:
 

• Encryption: Data is encrypted in transit within the Microsoft tenant, following industry-standard protocols.

• Access Controls: Finch leverages the client’s Microsoft tenant security controls to restrict access based on user roles and responsibilities.

• Audit Logging: All access and actions performed within Finch are logged for accountability and audit purposes. Audit logs are maintained within the client’s tenant as per their policies.

• Multi-Factor Authentication (MFA): Finch encourages clients to use MFA for added security on their Microsoft tenant, ensuring only authorized users access the application.

6. Client Responsibility for Data Privacy Compliance
As Finch is self-hosted within the client’s Microsoft tenant, the client is responsible for configuring their tenant’s data privacy settings, maintaining data accuracy, and ensuring compliance with applicable laws and regulations regarding personal data. Finch provides guidance on security configurations to help clients meet their compliance requirements.

7. Data Sharing and Transfer
Finch does not share or transfer data outside the client’s Microsoft tenant. All data remains under the control and administration of the client. Finch does not have access to data hosted within the client’s environment, and no data is shared with third parties unless the client expressly configures such settings within their own tenant.

8. User Rights and Data Access Requests
Clients using Finch within their tenant are responsible for managing data access requests, corrections, or deletions, in accordance with relevant data protection regulations. Finch facilitates compliance by ensuring all data is accessible within the client’s tenant, but does not have access to handle such requests directly.

9. Third-Party Integrations
Finch does not integrate with third-party services directly. However, if the client chooses to connect Finch to other applications within their Microsoft environment, they are responsible for managing data privacy settings and permissions within these integrations.

10. Cookies and Tracking
Finch does not utilize tracking mechanisms, as all data is managed and processed within the client’s Microsoft environment. Any tracking or analytics would be conducted through the client’s internal systems and policies.

11. Breach Notification
As Finch is hosted in the client’s environment, they bear responsibility for breach monitoring, detection, and notification to relevant authorities and affected parties as required by applicable law. Finch will provide guidance and support to clients in configuring breach detection protocols within their Microsoft tenant, but Finch itself does not monitor or store data.

12. Changes to This Privacy Policy
Finch may update this Privacy Policy as required by regulatory changes or enhancements to the application. Clients will be notified of any significant changes, and it is the client’s responsibility to review and accept the updated policy to continue using Finch.

13. Contact Information
If you have any questions or concerns about this Privacy Policy or how personal data is managed within Finch, please contact our support team or your dedicated client representative.