Privacy Policy

Last Updated: May 2026

We will post any changes to this Privacy Policy on our website and will notify you by email where required by applicable law. Please review this Privacy Policy periodically. Your continued use of our website, platform, or services constitutes acceptance of any changes.

1. Introduction

Finrep Inc., a Delaware corporation ("Finrep," "we," "us," or "our"), is the US operating subsidiary of Finrep Alchemy, a Cayman Islands holding company. This Privacy Policy (the "Privacy Policy") explains how we collect, use, disclose, and safeguard personal information when you (a) visit our website at www.finrep.ai (the "Website"); or (b) access or use the Finrep AI-powered financial reporting and SEC filing management platform accessible at app.finrep.ai (the "Platform"); or (c) otherwise interact with our products and services (collectively, the "Services").

Finrep provides AI-powered financial reporting and SEC filing management solutions to enterprise and commercial customers. In providing the Services, Finrep processes personal information in two distinct capacities: (a) Website and Direct Customer Data: Personal information collected from Website visitors and direct customers for Finrep's own business purposes, in which capacity Finrep acts as a data controller; and (b) Customer Platform Data: Personal information submitted by enterprise customers and processed through the Platform on behalf of those customers, in which capacity Finrep acts as a data processor or service provider and the enterprise customer acts as the data controller. Enterprise customers who have executed a Data Processing Agreement ("DPA") with Finrep should refer to that DPA for the terms governing Finrep's processing of Customer Platform Data as processor. To the extent of any conflict between this Privacy Policy and an applicable DPA, the DPA governs with respect to Customer Platform Data.

Please read this Privacy Policy carefully. By accessing or using our website or services, you agree to the practices described herein. If you do not agree, please do not use our website or services.

We do not sell your personal information, nor do we intend to do so.

For questions, please contact us at: privacy@finrep.ai.

2. Scope and Territorial Applicability

This Privacy Policy applies to personal information processed in connection with our Website and Services, regardless of where you are located. Finrep's primary operations and servers are located in the United States.

Specific sections of this Privacy Policy address the rights of individuals in the following jurisdictions: the European Economic Area, United Kingdom, and Switzerland (Section 11); California (Sections 12 and 13); and additional US states (Section 14).

This Privacy Policy does not govern the processing of personal data of Finrep's employees, contractors, or job applicants in their capacity as such. Finrep provides employees with separate privacy notices as required by applicable employment law.

3. What Information Do We Collect?

(a) Information You Provide Directly

When you register for an account, request a demo, subscribe to communications, or otherwise interact with Finrep, we may collect:

1. name and contact details, including business email address, phone number, and business address;
2. professional and business information, including employer, job title, and industry;
3. account credentials, including username and password;
4. payment information, processed by a third-party payment processor (see sub-section (c) below);
5. records of correspondence if you contact us; and
6. any other information you choose to provide.

(b) Information Collected Automatically

When you visit or use our Website or Platform, we automatically collect:

1. IP address and approximate geolocation;
2. browser type, version, and operating system;
3. device type and device identifiers;
4. pages visited, links clicked, and referring URLs;
5. session duration and interaction data; and
6. information collected via cookies and similar tracking technologies (see Section 6).

(c) Financial Information

We use a third-party payment processor to handle subscription payments. We do not directly collect or store full payment card numbers or bank account information. Payment transactions are processed by Stripe, Inc., whose use of your information is governed by its own privacy policy and PCI-DSS compliance program.

(d) Customer Platform Data

In providing the Platform to enterprise customers, Finrep processes personal information relating to the enterprise customers' own employees, officers, directors, shareholders, and other individuals whose data is submitted through the Platform ("Customer Platform Data"). Customer Platform Data is processed solely on behalf of and under the instructions of the applicable enterprise customer, who acts as the data controller. Customer Platform Data may include financial documents, SEC filings, financial statements, board materials, and other business records submitted for AI-assisted processing and analysis. Finrep does not independently determine the purposes for which Customer Platform Data is processed. Enterprise customers are solely responsible for ensuring they have appropriate legal authority to submit data to the Platform.

(e) AI and Third-Party Processing of Content

When enterprise customers use the Platform to process financial documents and other content, Finrep transmits that content to the following third-party AI service providers to enable core Platform features:

1. Anthropic, PBC (Claude API): Financial documents and other inputs are transmitted to Anthropic for AI-assisted analysis and content generation.
2. Microsoft Azure OpenAI Service: Inputs are transmitted to Azure OpenAI for natural language processing and document analysis.
3. Google Cloud Vertex AI: Inputs are transmitted to Vertex AI for AI-assisted processing and analysis.

Finrep does not use your content to train generalized AI models. Each AI provider applies default data protection commitments to API traffic, including commitments that API inputs are not used to train or improve the underlying model and that data is retained only for a limited period for safety and operational purposes.

(f) Information from Third Parties

We may receive information about prospective customers from business contact databases, publicly available sources, and referral partners, which we combine with data we collect directly and use in accordance with this Privacy Policy.

4. How Do We Collect Information?

We collect personal information in the following ways:

1. when you register for or access our Website or Platform;
2. when you upload or submit content or documents to the Platform;
3. through third-party integrations that synchronize data with the Platform;
4. automatically as you navigate the Website, through cookies and similar tracking technologies; and
5. from third-party sources, including marketing partners and referral partners, where permitted by applicable law.

5. How Do We Use Your Information?

We use the information we collect for the following purposes:

1. to create and manage your account and authenticate your identity;
2. to provide, operate, maintain, and improve the Platform and Services;
3. to process AI-powered features, including document analysis, financial data extraction, and drafting assistance, using third-party AI providers as described in Section 3(e);
4. to process payments and manage subscriptions;
5. to respond to inquiries, support requests, and feedback;
6. to send administrative communications, including account notices, subscription renewals, and policy updates;
7. to send marketing communications in accordance with your preferences and applicable law;
8. to detect, investigate, and prevent fraud, security incidents, and unauthorized access;
9. to comply with applicable legal and regulatory obligations; and
10. to anonymize and aggregate data for statistical and product improvement purposes.

AI Processing: Finrep does not use Customer Platform Data, including financial documents and SEC filings submitted through the Platform, to train proprietary AI models. Third-party AI providers process such content solely to deliver the Platform features requested by the applicable enterprise customer, subject to the data protection commitments described in Section 3(e).

6. Our Cookie Policy

Cookies are small text files placed on your device when you visit our Website or use our Platform. We use the following types of cookies and similar technologies:

(a) Strictly Necessary Cookies

Required for the operation and security of the Website, including authentication and session management. These cannot be disabled.

(b) Performance and Analytics Cookies

We use analytics tools to collect information about how visitors use our Website and Platform. To opt out of analytics tracking, please contact us at privacy@finrep.ai.

(c) Functional Cookies

These remember your preferences, such as language and account settings, to provide a more personalized experience.

(d) Advertising and Tracking Cookies

We may use interest-based advertising technologies to deliver relevant advertisements on third-party platforms. You may opt out through the Network Advertising Initiative at optout.networkadvertising.org or the Digital Advertising Alliance at optout.aboutads.info.

(e) Your Cookie Choices

You may configure your browser to refuse all or certain cookies. We honor Global Privacy Control ("GPC") signals as a valid opt-out of sharing of personal information for cross-context behavioral advertising by California residents. For EEA and UK users, non-essential cookies will not be set without your consent.

7. How Do We Protect Your Information?

Finrep implements the following administrative, technical, and physical security measures to protect personal information from unauthorized access, use, alteration, or disclosure:

1. encryption of all data in transit using TLS;
2. encryption of data at rest;
3. role-based access controls limiting access to personal information on a need-to-know basis;
4. multi-factor authentication for Platform users;
5. regular security monitoring and vulnerability assessments; and
6. contractual data protection and security obligations imposed on all service providers and subprocessors.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure, and Finrep cannot guarantee absolute security. Any transmission of personal information is at your own risk.

8. Data Security and Breach Notification

(a) Breach Notification

In the event of a personal data breach affecting your personal information, Finrep will notify you in accordance with applicable law. For EEA, UK, and Swiss users, notification will be made to the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach as required by the GDPR, and to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms. For other users, we will notify you within 30 days via email or notice on our Website, as applicable.

For Customer Platform Data processed as a processor on behalf of enterprise customers, Finrep will notify the applicable enterprise customer of any personal data breach in accordance with the timelines specified in the applicable DPA, to enable the enterprise customer to fulfill its own notification obligations.

(b) Individual Redress

Finrep supports the individual redress principle. Individuals have the right to pursue legally enforceable rights against data collectors and processors who fail to comply with applicable law.

9. Disclosure of Personal Information

(a) Service Providers and Subprocessors

We share personal information with third-party vendors and service providers that perform services on our behalf, including cloud hosting, AI processing, payment processing, analytics, email delivery, and security monitoring (collectively, "Subprocessors"). All Subprocessors are required to maintain confidentiality and to process personal information only for the purposes for which it was disclosed. See Section 21 for our list of key Subprocessors.

(b) Enterprise Customer Disclosure

Customer Platform Data is disclosed only to the applicable enterprise customer and their authorized personnel, and to Subprocessors engaged to assist in the provision of the Services. Finrep does not access or use Customer Platform Data for any purpose other than delivering the Services and as required by law.

(c) Corporate Affiliates

We may share personal information with our parent company, Finrep Alchemy (Cayman Islands), and our affiliated engineering entity, FinrepAI Alchemy Technology Private Limited (India), for internal operational and product development purposes. These affiliates do not independently collect, process, or store personal information of our customers or end users.

(d) Business Transfers

We may disclose personal information to a buyer or successor in connection with a merger, acquisition, divestiture, restructuring, dissolution, or similar transaction, provided the receiving party agrees to handle personal information in a manner consistent with this Privacy Policy.

(e) Legal Compliance and Protection

We may disclose personal information (i) to comply with applicable law, regulation, court order, or government request; (ii) to enforce our agreements and Terms of Service; or (iii) to protect the rights, property, or safety of Finrep, our customers, or others.

(f) Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify any individual, for analytics, product development, marketing, or other business purposes, without restriction.

(g) No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for their own commercial purposes.

10. Data Retention

(a) Account and Profile Data

We retain account and profile data for the duration of your account and for 90 days following account closure, unless you request earlier deletion or applicable law requires a longer retention period.

(b) Transaction and Billing Data

Payment and subscription records are retained for a minimum of seven years to comply with applicable tax and accounting obligations.

(c) Customer Platform Data

Customer Platform Data is retained for the duration of the applicable customer agreement and for a reasonable period thereafter as specified in the applicable DPA or customer agreement. Enterprise customers may configure data retention and deletion settings within the Platform to the extent such features are available. Following expiration of the applicable retention period, Customer Platform Data is securely deleted or anonymized.

(d) General Retention Principle

When information is no longer needed for the purposes for which it was collected, Finrep will securely delete, anonymize, or return it in accordance with applicable law.

11. For Our EEA, UK, and Swiss Users (GDPR)

This Section supplements the rest of this Privacy Policy and applies to individuals in the European Economic Area ("EEA"), United Kingdom ("UK"), and Switzerland ("European Users").

(a) Data Controller and Processor

For Website and Marketing Data and direct customer data, Finrep acts as the data controller under the GDPR. For Customer Platform Data processed on behalf of enterprise customers, Finrep acts as a data processor and the enterprise customer acts as the data controller. Finrep's processing of Customer Platform Data as processor is governed by the applicable DPA, which incorporates the EU Standard Contractual Clauses where required.

(b) Lawful Bases for Processing

Finrep processes personal data about European Users on the following lawful bases under Article 6 GDPR:

1. Contractual necessity (Art. 6(1)(b)): Processing necessary to perform a contract with you or to take pre-contractual steps.
2. Legitimate interests (Art. 6(1)(f)): Processing for our legitimate business interests, including improving the Platform, fraud prevention, and direct marketing to existing customers, where such interests are not overridden by your interests or fundamental rights.
3. Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law.
4. Consent (Art. 6(1)(a)): For non-essential marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

(c) International Data Transfers

Transfers of personal data from the EEA, UK, or Switzerland to the United States are made in reliance on the EU Standard Contractual Clauses (2021 SCCs) as approved by the European Commission on June 4, 2021, and the UK Addendum thereto where applicable. Enterprise customers who require a DPA incorporating Standard Contractual Clauses should contact us at privacy@finrep.ai.

(d) Rights of Data Subjects

European Users have the following rights with respect to personal data processed by Finrep as controller, subject to applicable conditions under the GDPR:

1. Access (Art. 15): Request a copy of the personal data we hold and information about how we process it.
2. Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
3. Erasure (Art. 17): Request deletion of your personal data where it is no longer needed or where consent is withdrawn and no other lawful basis applies.
4. Restriction of Processing (Art. 18): Request restriction of processing in certain circumstances.
5. Data Portability (Art. 20): Request a copy of your personal data in a structured, machine-readable format.
6. Objection (Art. 21): Object to processing based on legitimate interests or for direct marketing.
7. Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
8. Right to Lodge a Complaint: You may lodge a complaint with your EEA Member State supervisory authority, or the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint for UK residents.

To exercise your rights, please contact us at privacy@finrep.ai. We will respond within 30 days. We may require identity verification before processing your request.

12. Your California Privacy Rights

Finrep does not sell, trade, or otherwise transfer to outside third parties your "Personal Information" as defined under California Civil Code Section 1798.82(h). California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of their Personal Information to third parties for direct marketing purposes. To make such a request, please contact us at privacy@finrep.ai.

13. California Consumer Privacy Act (CCPA/CPRA)

This Section supplements this Privacy Policy for California residents ("Consumers") pursuant to the California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act of 2020 ("CPRA"), effective January 1, 2023.

(a) Right to Know

You may request (up to twice per 12-month period) disclosure of: (i) the categories and specific pieces of personal information we have collected about you; (ii) the categories of sources; (iii) the business or commercial purpose; and (iv) the categories of third parties with whom we share personal information.

(b) Categories of Personal Information Collected

For California residents, we collect the following categories: identifiers (including name, email address, IP address, and account credentials); professional or employment-related information (including company name and job title); commercial information (including subscription records); internet and network activity information (including Website and Platform usage data); and inferences drawn from the foregoing.

(c) Right to Delete

Upon verifiable request, we will delete personal information we have collected about you and direct our service providers to do the same, subject to applicable CCPA/CPRA exceptions.

(d) Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

(e) Right to Opt-Out of Sale or Sharing

Finrep does not sell personal information. Finrep does not share personal information for cross-context behavioral advertising purposes as defined by CPRA. We honor Global Privacy Control (GPC) signals as a valid opt-out of sharing.

(f) Sensitive Personal Information

The only sensitive personal information we process is payment card information, handled exclusively by our third-party payment processor, and used solely to process payments. We do not use or disclose sensitive personal information for any secondary purpose.

(g) Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

(h) Contact

Contact us at privacy@finrep.ai. We will respond within 45 days. We may require identity verification. You may designate an authorized agent to submit a request on your behalf by providing written authorization.

(i) Under 16

We will not sell or share personal information of users under the age of 16 without affirmative authorization from the user (aged 13 to 15) or the user's parent or guardian (under 13).

14. Additional US State Privacy Rights

Residents of certain US states have rights with respect to their personal information under applicable state privacy laws, including Virginia (VCDPA), Colorado (CPA), Texas (TDPSA), Connecticut (CTDPA), Montana (MCDPA), and Utah (UCPA). Where Finrep meets the applicable thresholds under these laws, Finrep will honor the following rights:

1. Right to Access: You may request confirmation of whether we process your personal data and a copy of such data.
2. Right to Correction: You may request correction of inaccurate personal data.
3. Right to Deletion: You may request deletion of personal data we have collected from you, subject to applicable exceptions.
4. Right to Data Portability: You may request a copy of your personal data in a portable and readily usable format.
5. Right to Opt-Out: You may opt out of the processing of your personal data for purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.
6. Right to Appeal: If we decline to take action on your request, you have the right to appeal our decision. We will respond to your appeal within 60 days.

To exercise these rights, please contact us at privacy@finrep.ai. We will respond within 45 days, which may be extended by a further 45 days where reasonably necessary. We will not discriminate against you for exercising these rights.

15. Children's Privacy (COPPA)

Our Website and Services are not directed to children under the age of 13. We do not knowingly collect personally identifiable information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete it. If you believe we may have information about a child under 13, please contact us at privacy@finrep.ai.

If you are under 13, please do not use or access our website or services.

16. Financial Services Privacy (GLB Act)

Finrep serves enterprise customers in financial services and related industries and may process nonpublic personal financial information ("NPI") as a service provider to financial institutions, as defined under the Gramm-Leach-Bliley Act ("GLB Act") (15 U.S.C. 6801 et seq.) and the FTC's Privacy Rule (16 C.F.R. Part 313). Finrep processes NPI solely as directed by the applicable enterprise customer and in accordance with the applicable service agreement.

Enterprise customers that are financial institutions subject to the GLB Act are responsible for: (i) providing required GLB privacy notices to their customers; (ii) obtaining required opt-out consents where applicable; (iii) ensuring their agreements with Finrep satisfy GLB safeguarding requirements for service providers; and (iv) complying with applicable state insurance and financial privacy regulations.

Finrep maintains a comprehensive information security program designed to protect the security, confidentiality, and integrity of NPI in accordance with the FTC Safeguards Rule (16 C.F.R. Part 314), as amended. For inquiries regarding financial services privacy compliance, please contact privacy@finrep.ai.

17. AI and Automated Processing

(a) AI-Generated Outputs

Finrep's Platform uses artificial intelligence technologies, including large language models, to generate automated outputs from user-submitted content, including document analysis, financial data extraction, and drafting assistance. AI-generated outputs are probabilistic in nature and may contain inaccuracies, omissions, or errors. You acknowledge that AI-generated outputs are not a substitute for human judgment and that you are solely responsible for reviewing, validating, and acting upon any AI-generated outputs before use, including in connection with any regulatory filing or financial disclosure.

(b) No Training on Customer Data

Finrep does not use Customer Platform Data to train proprietary AI models. AI Tool providers engaged by Finrep are contractually prohibited from using Customer Platform Data for model training purposes, consistent with their default commercial API terms.

18. CAN-SPAM Act of 2003

In compliance with the CAN-SPAM Act of 2003, Finrep will not use false or misleading email subject lines or sender addresses; will identify commercial messages as advertisements in a reasonable manner; will include its physical address in all commercial email; will honor opt-out and unsubscribe requests promptly; and will include a clear unsubscribe mechanism in every marketing email. To opt out of marketing email, follow the unsubscribe instructions in any such email or contact us at privacy@finrep.ai.

19. Privacy and Third-Party Links

Our Website and Platform may contain links to third-party websites and services. These linked sites are operated independently and have their own privacy policies. Finrep has no responsibility or liability for the content or activities of linked sites. We encourage you to review the privacy policies of any third-party sites before sharing personal information.

20. Copyright Infringement (DMCA Notice)

If you believe that content on our Website infringes your copyright, please provide our designated Copyright Agent with a written DMCA Takedown Notice containing: (i) your physical or electronic signature; (ii) identification of the copyrighted work(s) claimed to have been infringed; (iii) identification of the allegedly infringing material and its location; (iv) your address, telephone number, and email address; (v) a statement of good faith belief that the use is not authorized; and (vi) a statement, under penalty of perjury, that the information is accurate and that you are authorized to act on behalf of the copyright owner.

Send DMCA Takedown Notices to: legal@finrep.ai, Finrep Inc., Attn: DMCA Notice, 8 The Green, Ste A, Dover, Delaware 19901.

21. List of Service Providers and Subprocessors

Finrep uses the following key service providers and subprocessors in connection with the operation of the Platform and delivery of Services. All service providers are bound by contractual data protection obligations consistent with this Privacy Policy and applicable DPAs. Enterprise customers subject to a DPA may request an updated subprocessor list at any time by contacting privacy@finrep.ai.

22. Modifications to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in legal requirements, our business practices, or the technologies we use. We will post the updated Privacy Policy on our Website with a revised "Last Updated" date. Where required by applicable law, we will provide direct email notification of material changes. Your continued use of the Website or Services after any update constitutes acceptance of the revised Privacy Policy.

23. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Privacy Officer

Finrep Inc.

8 The Green, Ste A, Dover, Delaware 19901

Email: privacy@finrep.ai

Website: www.finrep.ai