Data Processing Addendum

Last updated: 17/07/2026

1. Roles

For personal and financial data you input or sync into Coinly, you act as the data controller and Coinly acts as the data processor under the EU GDPR and equivalent laws.

2. Scope of processing

  • Subject matter: hosting and processing financial records to deliver the service.
  • Duration: for the term of your subscription plus the retention period in the Privacy Policy.
  • Data categories: account identifiers, transactions, balances, receipts, budgets, bank-connection metadata.
  • Data subjects: account holders, invited collaborators, counterparties in transactions.

3. Subprocessors

We use vetted subprocessors for hosting, database, email, AI processing, and bank-connection providers. The current list is available on request at privacy@coinlyfinance.com. We notify customers of material changes.

4. Security measures

Encryption in transit and at rest, role-based access controls, row-level database security, audit logging, least-privilege service accounts, and regular reviews of subprocessor compliance.

5. International transfers

Where personal data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses or equivalent safeguards.

6. Data subject requests

We assist controllers in responding to access, rectification, deletion, restriction, and portability requests through in-app tools and support at privacy@coinlyfinance.com.

7. Breach notification

We will notify affected customers without undue delay after becoming aware of a personal data breach affecting their data.

8. Return and deletion

On termination, customer data is deleted or anonymised within 90 days, except where retention is required by law.