GDPR Policy

1. Introduction

This GDPR Policy explains how ReconcileIQ ("Service", "we", "our", or "us") handles data in compliance with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA). This policy details our commitment to protecting the privacy and rights of data subjects under the GDPR.

2. GDPR Compliance Framework

2.1 Roles and Responsibilities

Under the GDPR framework:

• Users of ReconcileIQ act as Data Controllers when they upload financial data for processing.
• ReconcileIQ acts solely as a Data Processor, processing data on behalf of and under the instructions of the Data Controller (the user).

2.2 GDPR Core Principles

We adhere to the following GDPR principles:

• Data minimization: We process only what is necessary for reconciliation.
• Purpose limitation: Data is processed solely for the express purpose of bank reconciliation.
• Storage limitation: No personal data is retained after processing is complete.
• Integrity and confidentiality: All data is processed securely with appropriate technical measures.
• Accountability: We maintain records of processing activities in compliance with Article 30 of GDPR.

3. Data Processing Agreement (DPA)

This section constitutes a Data Processing Agreement (DPA) between ReconcileIQ (Data Processor) and the user (Data Controller), as required under Article 28 of the GDPR.

3.1 Processing Details

• Subject matter: Bank statement and bookkeeping reconciliation.
• Nature and purpose: Automated comparison and matching of financial records.
• Duration: Immediate processing with automatic deletion upon completion (generally within 5 minutes).
• Type of data: Financial transaction data, potentially including personal data of transaction counterparties.

3.2 Processor Obligations

As a Data Processor, ReconcileIQ:

• Processes personal data only on documented instructions from the Data Controller (the user).
• Ensures that persons authorized to process personal data have committed to confidentiality.
• Implements appropriate technical and organizational security measures.
• Does not engage other processors without prior authorization from the Data Controller.
• Assists the Data Controller in fulfilling their obligations to respond to data subjects' requests.
• Deletes or returns all personal data to the Controller after the processing.
• Makes available to the Controller all information necessary to demonstrate compliance.

4. Data Subject Rights

Under the GDPR, data subjects have specific rights regarding their personal data. However, due to the nature of ReconcileIQ's processing:

• No personal data is retained after processing, making subsequent access, rectification, or erasure requests non-applicable in most cases.
• Processing is limited to user-initiated requests and is completed rapidly (generally within minutes).
• Users should contact the Data Controller (the uploader of the data) for GDPR-related inquiries, as we act solely as a Data Processor.

If you have GDPR-related inquiries, including exercising data subject rights, please contact us. Note that because data is immediately deleted, we may not hold any personal data to rectify or erase.

5. Records of Processing Activities

In accordance with Article 30 of the GDPR, we maintain records of our processing activities:

5.1 Data Categories

Encrypted financial transaction records and metadata necessary for reconciliation.

5.2 Processing Details

• Duration: Generally less than 5 minutes of processing time.
• Storage: Temporary, encrypted in volatile memory only.
• Deletion: Automatic secure deletion after processing.
• Access: No long-term persistent storage of keys or decrypted data.

6. Data Breach Notification

In the unlikely event of a data breach during the short processing window:

• We will notify affected users (Data Controllers) without undue delay, within 72 hours of becoming aware of the breach.
• We will investigate the scope of the breach and implement remedial measures.
• We will provide the Data Controller with sufficient information to meet their obligations under Article 33 of GDPR.
• We will notify authorities as required by applicable law.

7. International Data Transfers

ReconcileIQ processes all data on servers located within the European Economic Area (EEA) or in countries that provide adequate data protection as defined by the European Commission. We do not transfer personal data to third countries or international organizations outside of these regions.

8. Contact Information

For GDPR-related inquiries, please contact us at: [email protected]