Legal

Privacy Policy

Effective date: March 15, 2026  ·  Last updated: May 12, 2026

Voldier™ does not sell your personal data. We do not share your financial data with advertisers, data brokers, or any third parties except as described in this policy.

1. Who We Are (Data Controller)

Voldier is a product of VOLDIER LIMITED, an Irish private company limited by shares with registered office in Dublin, Ireland (Companies Registration Office number IE [pending], Irish VAT number IE [pending]). For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Voldier Limited is the Data Controller of personal data processed through the Service. This Privacy Policy describes how we collect, use, and protect information when you use our Operative Finance platform — accounts receivable automation, payment matching, and Invoice-On-Payment™ orchestration for EU SMBs.

General contact: [email protected]  ·  Data Protection Officer: [email protected]

Lead supervisory authority: Irish Data Protection Commission (DPC)dataprotection.ie.

2. Information We Collect

2.1 Information You Provide

  • Account data: Name, email address, company name, role, and password (hashed with bcrypt)
  • Business data: Customer names, email addresses, phone numbers, invoice amounts, and payment records you enter into the platform
  • Payment method: Credit/debit card data processed by our licensed payment processor. We never store full card numbers.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, timestamps, and actions taken within the application
  • Device and browser data: IP address, browser type, operating system, and device identifiers
  • Log data: Server logs for security and troubleshooting purposes (retained 90 days)

2.3 Bank Connection and Payment Notification Data

When you use our payment reconciliation features, we may collect bank transaction data through licensed Account Information Service Providers (AISPs) authorised under PSD2 (Directive (EU) 2015/2366), process payment notification emails you forward, or ingest bank statement files you upload. We may collect:

  • Payment amount, value date, IBAN, and end-to-end reference
  • SEPA Credit Transfer reference numbers, SEPA Instant transaction IDs, SEPA Direct Debit mandate IDs, and TARGET2 reference numbers
  • Account metadata, transaction descriptions, and AISP-issued access tokens needed to maintain the account information connection

We do not initiate transfers (we are not a Payment Initiation Service Provider), store online banking credentials, or access unrelated inbox content. For forwarded emails, we do not retain full inbox contents outside the payment records you intentionally submit.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To automatically match payment notifications to open invoices in your account
  • To send payment reminders to your customers on your behalf (only when you instruct us to)
  • To generate financial reports and analytics for your business
  • To send you service-related notifications and product updates
  • To detect fraud, abuse, and security incidents
  • To comply with legal obligations

We do not use your data to train AI/ML models sold to third parties. We may use aggregate, anonymized data to improve our own matching algorithms.

4. Information Sharing

We share your information only in the following circumstances:

  • Service providers (processors): We engage third-party processors under GDPR Art. 28 data processing agreements to operate the Service (cloud hosting, email delivery, SMS delivery, monitoring). These processors are contractually bound to protect your data and may only process it on documented instructions from Voldier. A current list of our subprocessors is available at /legal/subprocessors.html.
  • Payment processors: Card and SEPA payment processing is handled by independent payment service providers authorised in the European Economic Area. They act as independent controllers of cardholder and bank-account data under their own privacy notices and security frameworks (PCI-DSS Level 1, PSD2 SCA). The list of integrated processors may change over time; we will reflect updates in this policy.
  • Account Information Service Providers (AISPs): When you authorise a bank connection, licensed PSD2 AISPs may process bank account metadata, access tokens, and transaction data solely to maintain the account information connection and deliver data to Voldier.
  • Legal requirements: We may disclose information where required by Irish or EU law, by a competent supervisory authority, by a court order, or to protect the rights, property, or safety of Voldier, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not sell, rent, or share your personal data with advertisers, data brokers, or marketing firms.

4.1 Lawful Basis and GDPR Compliance

Voldier Limited acts as Data Controller in respect of personal data processed through the Service. Our lawful bases under Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") are:

  • Art. 6(1)(b) — Contract performance: processing necessary to deliver the Service you have subscribed to.
  • Art. 6(1)(c) — Legal obligation: retention of accounting and tax records required by Irish and EU law.
  • Art. 6(1)(f) — Legitimate interest: fraud prevention, service security, abuse detection, and ICT operational resilience under Regulation (EU) 2022/2554 (DORA).

Where Voldier performs any automated decisioning (for example in reconciliation matching), processing complies with GDPR Art. 22 — you have the right to obtain human intervention, express your point of view, and contest any decision that produces legal or similarly significant effects.

4.2 Payment Trust Mechanism and Affiliate Referrals

The payment trust mechanism is a Voldier-operated B2B payment-reputation product computed from the Service's reconciliation data. It is not a consumer credit-reference agency under the Consumer Credit Directive 2008/48/EC or the Irish Consumer Credit Act 1995, does not produce consumer credit decisions, and is not used to make adverse-action decisions in the consumer-credit sense. Aggregated, B2B-only reputation signals may be displayed to counterparties at the merchant's direction or with the merchant's consent.

Third-party referrals. Where the Service displays offers from independent third-party providers (accounts-receivable financing partners, working-capital providers, payment processors, accounting platforms), submitting an application transmits your application data to that third party. From that point forward, the third party's privacy policy governs that data. Voldier may receive referral compensation; commercial communications comply with the Unfair Commercial Practices Directive 2005/29/EC (UCPD), transposed in Ireland by the Consumer Protection Act 2007, and disclosure obligations of the ePrivacy Directive 2002/58/EC.

You may opt out of referral surfaces in account settings or by contacting [email protected].

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account termination:

  • Account and business data is retained for 30 days post-cancellation, then purged
  • Financial transaction records may be retained for up to 7 years to comply with accounting and tax regulations
  • Backup snapshots are purged within 90 days of deletion

6. Security (GDPR Art. 32)

We implement appropriate technical and organisational measures pursuant to GDPR Art. 32, aligned with ISO/IEC 27001 controls and the ICT risk-management requirements of the Digital Operational Resilience Act (Regulation (EU) 2022/2554, "DORA", applicable from 17 January 2025). These include TLS 1.3 for data in transit, AES-256 encryption for sensitive data at rest, bcrypt password hashing, role-based access controls, audit logging, regular penetration testing, and documented incident-response procedures. In the event of a personal data breach likely to result in risk to data subjects, Voldier notifies the Irish Data Protection Commission within 72 hours (GDPR Art. 33) and, where required, notifies affected data subjects (GDPR Art. 34).

7. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (Regulation (EU) 2016/679), you have the following rights (Articles 15 to 22):

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17): request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction of processing (Art. 18): restrict processing in defined circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON).
  • Right to object (Art. 21): object to processing based on legitimate interest, including profiling.
  • Right not to be subject to automated decision-making (Art. 22): obtain human review of any decision producing legal or similarly significant effects.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
  • Right to opt out of marketing: unsubscribe from marketing emails at any time using the unsubscribe link (ePrivacy Directive 2002/58/EC).

Data Protection Officer (DPO)

To exercise these rights, contact our Data Protection Officer at [email protected] or email [email protected] with the subject "GDPR Request — [right you are exercising]". We respond within one month of receipt (GDPR Art. 12(3)); this may be extended by up to two further months for complex requests, with notification.

You may also submit a data deletion request at: Account Settings → Delete Account.

Lodging a complaint

Voldier Limited is established in Ireland; our lead supervisory authority is the Irish Data Protection Commission (DPC)dataprotection.ie. You also have the right to lodge a complaint with the supervisory authority of the EU/EEA member state in which you reside, work, or where the alleged infringement occurred (GDPR Art. 77).

8. Cookies and Tracking (ePrivacy)

Cookie use complies with the ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC) and Irish SI No. 336 of 2011 (European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011). Following CJEU C-673/17 (Planet49), pre-ticked consent boxes are not used. We deploy:

  • Strictly necessary cookies: required for authentication and session management. Deployed without consent under Art. 5(3) exemption.
  • Analytics cookies: used to understand how users interact with the Service (aggregated, pseudonymised). Require explicit opt-in via the consent banner.
  • Marketing cookies: not deployed on this property.

We do not use advertising or cross-site tracking cookies and we do not participate in third-party ad networks. You may withdraw or change your cookie consent at any time via the cookie preferences link in the page footer.

9. International Data Transfers (Chapter V GDPR)

Voldier is operated by Voldier Limited on dedicated infrastructure located within the European Economic Area. Your personal data is processed within the EEA by default. Where transfers to a third country outside the EEA are required (for example, to a sub-processor in a non-adequate jurisdiction), we rely on:

  • Adequacy decisions issued by the European Commission (currently including the United Kingdom, Switzerland, Japan, New Zealand, Republic of Korea, and others).
  • Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914, combined with a Transfer Impact Assessment (TIA) where required following Schrems II (CJEU C-311/18).
  • Supplementary technical measures (encryption at rest and in transit, pseudonymisation, access controls).

When Voldier uses AI models, processing occurs on Voldier-operated infrastructure within the EEA — your data is never sent to third-party AI vendors (OpenAI, Google, Anthropic, etc.).

10. Children's Privacy

The Service is intended for businesses and is not directed at children. Consistent with GDPR Art. 8 and the Irish Data Protection Act 2018 (which sets the digital age of consent at 16), we do not knowingly process personal data of children under 16. If you believe we have inadvertently collected such information, contact us immediately at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you via email at least 14 days before material changes take effect. The "last updated" date at the top of this page will reflect the most recent revision.

Payment Behavior Score (Internal)

Controller: Voldier Limited, Dublin, Ireland (Companies Registration Office number IE [pending]). Privacy contact: [email protected].

Data Protection Officer: Voldier Limited has not yet appointed a formal external DPO. Under § 38 of the German Federal Data Protection Act (BDSG), a DPO is mandatory only once an organisation regularly employs at least 20 persons engaged in automated personal-data processing; we are below that threshold and below the equivalent GDPR Art. 37 obligations. Until the threshold is reached, all privacy enquiries are centralised at [email protected] (and [email protected]), both monitored directly by the founder.

Purpose: We compute an internal "payment behavior score" based on your invoice and payment history with the merchant that serves you. This score is used ONLY by that merchant for its internal collections and credit decisions.

Legal basis: Explicit consent (GDPR Art. 6(1)(a)) plus contract performance (Art. 6(1)(b)).

This is NOT a credit check: this is NOT a consumer credit-reference agency under the Consumer Credit Directive 2008/48/EC or the Irish Consumer Credit Act 1995, this is NOT a credit-bureau report, and this score is NOT shared with third parties or with other merchants. It is an internal, closed-loop reputation signal.

Recipients: none outside Voldier. Cross-merchant lookups are NOT enabled today. If we ever add furnishing to credit-reference agencies, we will solicit a fresh, specific Art. 6(1)(a) consent.

Retention: Score history is retained for seven (7) years after the last activity on your account, then anonymised. Full detail in our Data Retention Policy.

Source of your data (GDPR Art. 14): You either signed up directly, or the merchant that serves you created your profile in our system through their Sync/ERP integration or manual upload. In the second case, you should also have received the merchant's own privacy notice.

Your rights:

  • Right of access (Art. 15): email [email protected].
  • Right to rectification (Art. 16): dispute any factor from the portal.
  • Right to erasure (Art. 17): request by email; soft-delete within 30 days (some financial records are retained 7 years by law).
  • Right to withdraw consent (Art. 7(3)): Settings → Privacy → Withdraw, or DELETE /individual/consent/credit_scoring via API.
  • Human review of an automated decision (Art. 22(3)): Settings → Score → "Request human review", or POST /individual/score-review.

Right to lodge a complaint: You may file a complaint with the UK Information Commissioner's Office (ico.org.uk) or with the data-protection authority of your EU/EEA Member State of residence, work, or place of alleged infringement — for example, the Irish Data Protection Commission (DPC), CNIL in France, BfDI in Germany, AEPD in Spain, or Garante in Italy.

Notice version: vo_v1. Last updated: 2026-05-27. Canonical URL: https://voldier.com/legal/privacy.

12. Contact and Data Requests

For any privacy questions, requests, or concerns:

Data Protection Officer: [email protected]

General privacy email: [email protected]

Postal: VOLDIER LIMITED, Dublin, Ireland

Lead supervisory authority: Irish Data Protection Commission — dataprotection.ie

Response time: We respond to GDPR data-subject requests within one month (Art. 12(3)), extendable by up to two further months for complex requests.