exfin

Legal

Privacy Policy

Version 1.0 · Effective 12 July 2026

exfin is a research and evidence platform for banks. It is operated by Orlyn, Inhaber: Luca Diaz Hilterscheid, Märkische Heide 5, 14532 Kleinmachnow, Deutschland ("we", "us"). General contact: luca@orlyn.ai. Privacy contact: privacy@orlyn.ai. We have not appointed a data protection officer; all data protection matters go to privacy@orlyn.ai.

This policy covers the marketing website and the exfin product (the dashboard banks log into). It explains what personal data we process, why, for how long, who receives it, and your rights. It is written to be read; where a legal basis is cited, it refers to Regulation (EU) 2016/679 (GDPR).

1. The four situations in which we touch personal data

We act in two different legal roles, and it matters which one applies to you:

  1. You visit this website. We are the controller. Section 2 applies.
  2. You use the exfin dashboard as a member of a customer bank. We are the controller for your account and usage data. Section 3 applies.
  3. A public register publishes data about you (for example a commercial register entry naming you as a managing director) and our software mirrors that register. We are the controller for this processing. Section 4 summarizes it; the full transparency notice is the Public Records Notice.
  4. A bank instructs research about you (for example an adverse-media screening as part of its statutory customer due diligence). The bank is the controller; we process on its documented instruction as a processor under Art. 28 GDPR. Section 5 explains what that means for you.

2. Website visitors

Hosting and server logs. This website is delivered by Vercel. When you open a page, the hosting infrastructure processes the technical data any web request carries: IP address, requested URL, timestamp, browser and device information (user agent), and the referring page. We use these server logs to deliver the site, keep it secure, and diagnose faults. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in operating a secure, functioning website). Log data is kept for the short rotation windows of the hosting provider [HOSTING LOG RETENTION WINDOW TO CONFIRM] and is not merged with any other data.

No cookies, no tracking. The marketing website sets no cookies, uses no analytics, no tracking pixels, and no third-party advertising or social-media embeds. Fonts are served from our own hosting, not from a font network.

Demo requests. If you submit the demo form, we process the data you enter (name, work email, institution, optional message) solely to respond to your request. The submission is delivered to our mailbox by our email provider, Resend. We keep demo requests as ordinary business correspondence and delete them on request at any time. Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract, taken at your request) and Art. 6(1)(f) GDPR (our interest in answering inquiries). The form is protected by a rate limit that briefly holds request counts per IP address in memory; nothing about this is stored durably.

Email contact. If you email us, we process your address and message to handle the correspondence, on the same legal bases as demo requests.

3. Product users (the dashboard)

If your bank is a customer of exfin and gives you access, we process:

  • Account data: name, work email address, your role in the workspace (for example analyst or administrator), your bank (tenant) and team assignment, and authentication events. Authentication is operated with Supabase Auth; passwords are stored only as salted hashes, and sign-in links can be sent by email. Legal basis: Art. 6(1)(b) GDPR (performance of the usage relationship) in conjunction with the contract with your bank.
  • Strictly necessary session cookies. The dashboard sets authentication cookies whose only purpose is to keep you signed in. They are technically required; no consent is needed for them (Section 25(2) TDDDG). The dashboard sets no tracking cookies and contains no analytics.
  • Audit records. The product keeps an append-only audit ledger of material actions: who started a screening, who confirmed or dismissed a verdict, who exported a report, with timestamps and prior states. This ledger exists so that the work banks do in exfin is reviewable by them and by their auditors, and so that security incidents can be investigated. Legal basis: Art. 6(1)(f) GDPR (auditability and security of a tool used for regulated work) and, where applicable, Art. 6(1)(c) GDPR.
  • Support communications: whatever you send us when something breaks, used to fix it.

We do not profile dashboard users, we run no usage analytics on individuals, and we never use product data for advertising.

4. The public-records graph (summary)

exfin maintains a database of facts published by official company registers and gazettes: companies, their officers and beneficial owners, insolvency publications, entity identifiers. Where a register publishes data about a natural person acting in a business capacity (directors, authorized representatives, beneficial owners, sole traders), our software stores what the register publishes, with a citation to the register entry for every fact.

For this processing we are the controller, on the legal basis of Art. 6(1)(f) GDPR. The complete transparency notice under Art. 14 GDPR, including every named source, the retention clocks, the objection mechanism, and our no-scoring commitment, is published permanently at /public-records-notice. The short version:

  • We process only what registers themselves publish, in professional capacity.
  • Every fact carries a citation. We add nothing, we infer nothing, and we never compute a score, rating, or ranking about any person.
  • Statutory deletion clocks of the source registers are enforced in code.
  • Objections go to privacy@orlyn.ai and are answered within one month.

5. Bank-instructed processing (we act as processor)

When a bank uses exfin to run a screening or assemble a research dossier on a named subject, including a natural person in a professional capacity as part of the bank's anti-money-laundering due diligence, the bank determines the purpose and is the controller under Art. 4(7) GDPR. We process on the bank's documented instruction under a data processing agreement per Art. 28 GDPR [DPA DOCUMENT REFERENCE].

What we guarantee inside that role, by construction:

  • Nothing runs unprompted. A person screening starts only when the bank instructs it, and the bank must record a due-diligence purpose with every request; the purpose is stored and audited.
  • Results are isolated per bank behind database row-level security. There is no cross-bank reuse and no shared person dossier pool.
  • Findings are verbatim quotes from cited public sources, labeled with their procedural stage. No person-level score, rating, ranking, or probability value exists anywhere in the product.
  • Erasure works. A screening can be erased on demand, and every screening has a retention horizon that a daily purge job enforces. After erasure, only audit entries that carry internal identifiers, never names, remain.

If your data was processed in a bank-instructed screening, the bank is your first point of contact for GDPR rights; its own privacy notices govern. If you contact us instead, we will forward your request to the responsible bank and help resolve it within the processor role.

6. Recipients and subprocessors

We share personal data only with the service providers listed here, under data processing agreements, and with customer banks in the ways described above. We never sell personal data.

ProviderFunctionHQWhere processing happens
Supabase, Inc.Database, authentication, file storage for the productUSAProject region [TO CONFIRM; EXPECTED LONDON (AWS EU-WEST-2, UNITED KINGDOM)]
Railway Corp.Backend compute for the productUSAService pinned to europe-west4 (Netherlands)
Vercel Inc.Hosting of this website and the dashboard frontendUSAGlobal edge delivery of static assets; [FUNCTION REGION TO CONFIRM]
ResendEmail delivery (demo requests, transactional email)USA[PROCESSING REGION TO CONFIRM]
DeepSeek (via LiteLLM routing)Language-model inference for extraction, verification, and drafting over public web textChinaProvider API [ENDPOINT AND SAFEGUARDS TO CONFIRM; AN EU INFERENCE ENDPOINT SWAP IS AVAILABLE BY CONFIGURATION]
Voyage AIText embeddings over public web textUSAProvider API [REGION TO CONFIRM]
Langfuse GmbHLLM trace storage (prompts and model outputs), when tracing is enabledGermanyEU data region (cloud.langfuse.com), hosted on AWS in Ireland (eu-west-1) per the provider's data-regions documentation
Tavily, Brave Search, Serper, ExaWeb search APIs used by the research engineNon-EU providersProvider APIs [TRANSFER MECHANISM PER PROVIDER TO CONFIRM]
Sentry (Functional Software, Inc.)Error monitoring (exceptions only), when enabledUSA[PRODUCTION STATUS AND REGION TO CONFIRM]

What actually reaches the model and search providers: page text fetched from public web sources, search queries, and research prompts. For a bank-instructed person screening, the subject's name necessarily appears in the search queries and the fetched text. Account data, audit records, and the product database never leave the hosting providers listed in the first two rows.

7. International transfers

Product data at rest (the database, files, audit records) stays in the provider regions named above: the United Kingdom [DATABASE REGION TO CONFIRM]and the Netherlands. Transfers to the United Kingdom rest on the European Commission's adequacy decision for the UK. Where a provider processes data in the United States or another third country, we rely on the EU standard contractual clauses and, where available, the provider's EU-US Data Privacy Framework certification [SCC AND DPF STATUS PER PROVIDER TO CONFIRM].

We name the exception plainly rather than hiding it in a list: our current language-model provider, DeepSeek, is headquartered in China, a country without an adequacy decision. What it receives is public web page text, research prompts, and, in bank-instructed screenings, subject names inside queries. An EU-hosted inference endpoint is available by configuration and is the committed swap at the first customer requirement [CURRENT ENDPOINT AND CONTRACTUAL SAFEGUARDS TO CONFIRM].

8. How long we keep data

DataRetention
Server logs (website)Short provider rotation windows [TO CONFIRM]
Demo requests and email correspondenceUntil handled and as business correspondence; deleted on request
Dashboard account dataUntil the account is removed and the contract with the bank ends, then deletion subject to statutory retention duties
Audit ledgerDuration of the customer relationship plus statutory retention; identifiers-only entries persist under the append-only design
Bank-instructed screeningsRetention horizon set per screening by the bank, enforced by a daily purge job; erasable on demand at any time
Public-register factsPer the Public Records Notice: while the source register publishes the fact, subject to objection
Insolvency publications naming a personAt most 180 days, inside the source register's own six-month deletion clock (Section 3 InsBekV)
Debt-register entries (class armed, no data collected today)At most 1095 days, inside the statutory three-year clock (Section 882e ZPO)
Database backupsEncrypted rolling backups [RETENTION WINDOW TO CONFIRM]

9. Security

Product data is protected by, among other measures: per-tenant row-level security at the database layer, role-based access control, TLS for data in transit, provider-managed encryption at rest, an append-only audit ledger, and continuous integration checks that enforce compliance invariants (for example, the check that no person-level score can exist in the schema or API). Access to production systems is restricted to the operator.

10. Your rights

You have the rights of Art. 15 to 21 GDPR: access, rectification, erasure, restriction, data portability, and objection. Where processing rests on legitimate interest, Art. 21 GDPR gives you the right to object on grounds relating to your particular situation; for the public-records lane, the Public Records Notice describes exactly how we handle objections and how quickly (within one month).

Requests go to privacy@orlyn.ai. We answer within one month (Art. 12(3) GDPR). You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your residence or workplace. The authority responsible for us is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg), Stahnsdorfer Damm 77, 14532 Kleinmachnow, lda.brandenburg.de.

11. No automated decision-making

We make no decisions producing legal or similarly significant effects on any person by solely automated means (Art. 22 GDPR). The product computes no score, rating, ranking, or probability value about any natural person, and its outputs are drafts that a human analyst must review. Banks are contractually prohibited from using exfin output as the sole basis for automated decisions about natural persons.

12. Changes to this policy

We update this policy when the product or our providers change. The version and effective date at the top tell you what you are reading; material changes to how we process personal data are announced to customer banks in advance and, for the public-records lane, reflected in the Public Records Notice.

13. Contact

Orlyn, Inhaber: Luca Diaz Hilterscheid, Märkische Heide 5, 14532 Kleinmachnow, Deutschland.
Privacy: privacy@orlyn.ai. General: luca@orlyn.ai.
No data protection officer has been appointed; data protection matters go to privacy@orlyn.ai.

← Back to the site