Nance

Privacy Policy

Last updated: April 14th, 2026

Welcome to Nance, your hardest working Finance colleague, continuously managing your financial processes with precision and providing strategic insights. At Nance, we take your privacy seriously and comply with the General Data Protection Regulation and other relevant laws and regulations when processing your personal data.

In this Privacy Policy, you will learn more about the way we handle your personal data. This Privacy Policy only applies to the processing activities for which Nance determines the purposes and means of processing as an independent data controller. When Nance processes personal data on behalf of its customers, these activities are governed by the applicable Data Processing Agreement (DPA) concluded with each customer.

1. Who is Nance?

This Privacy Policy explains how personal data are processed through Nance, the AI-powered financial operations assistant. Nance may be the data controller or data processor, depending on the data that is being processed:

When Nance acts as a data controller:
Nance processes personal data for its own business purposes, such as managing customer relationships and invoicing. This Privacy Policy applies to these processing activities.

When Nance acts as a data processor:
Nance processes personal data on behalf of its customers, in accordance with their instructions. Those processing activities are governed by the Data Processing Agreement concluded with the relevant customers.

Our contact details:
Nance B.V.
Markkaweg 2
2153NB Nieuw-Vennep
The Netherlands

Nance is registered in the Dutch Chamber of Commerce under number 72189185.

If you have any questions about the way we handle your personal data or wish to exercise any of your rights, you can contact us via [email protected].

2. Purpose and Scope

As a data controller, Nance processes personal data of its customers for the following purposes:

  • Managing customer relationships, including maintaining customer accounts and contact records, issuing and sending invoices for services provided, and communicating with customers regarding product updates, maintenance or service issues;
  • Compliance with legal and fiscal obligations;
  • Ensuring security and improving the platform.

3. Categories of Personal Data

Depending on the use of Nance, the following categories of data may be processed:

  • Customer relationship data (e.g., company name, contact person, email, phone number, billing address);
  • Financial data of the customer (e.g., invoice content, bank account numbers, payment details, transaction metadata);
  • Communication data (email content, Slack or WhatsApp messages exchanged with the customer in the context of the performance of the Service Agreement);
  • Usage and log data (time stamps, system activity, workflow logs).

Data is also used for improving and training Nance's AI models, including algorithmic performance analysis, bias detection, and quality assurance, but this data does not contain any personal data, only instructions to and processes of Nance.

4. Legal Bases for Processing

Processing of personal data within Nance is based on the following legal grounds under Article 6 GDPR:

| Purpose | Legal Basis |
| --- | --- |
| Managing customer relationships and issuing invoices | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Compliance with legal/fiscal obligations | Legal obligation (Art. 6(1)(c)) |
| Ensuring security and platform improvement | Legitimate interest (Art. 6(1)(f)) |

5. How Data Are Collected

Personal data are obtained through:

  • Direct interactions during customer onboarding and invoicing;
  • Uploads or data entries performed by the customer;
  • Automatically generated logs during the customer's use of Nance;
  • Interactions with the Nance support team.

6. Automated Decision-Making and Profiling

Nance performs limited automated actions such as generating payment reminders or categorising invoices. These actions do not produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.

Where an automated decision might have a legal effect (e.g., triggering a financial alert or workflow block), human review is available, and affected users can object or request manual verification.

7. Data Sharing and Processors

Nance may share data with:

  • Hosting and infrastructure providers (e.g., cloud services for data storage and backups);
  • Communication platforms (e.g., email or messaging integrations);
  • Accounting and banking system providers (for invoicing and financial administration).

Nance engages service providers that act as sub-processors on its behalf.

Sub-Processors: Anthropic PBC (United States), Google LLC (United States/EU), Weaviate B.V. (Netherlands), Exact Holding B.V. (Netherlands), AgileBits Inc. (Canada), and Functional Software, Inc. (United States).

8. International Data Transfers

If personal data are transferred outside the European Economic Area (EEA), this is done only to countries covered by one or more of the following:

  • an adequacy decision under Article 45 GDPR (e.g., the United States under the EU–US Data Privacy Framework, where certified); or
  • Standard Contractual Clauses (SCCs); or
  • Binding Corporate Rules (BCRs) under Articles 46–47 GDPR.

9. Data Security

Nance implements appropriate technical and organisational measures under Article 32 GDPR, including measures to:

  • Ensure that the personal data can be accessed only by authorized personnel for the purposes set forth in this Privacy Policy;
  • Take all reasonable measures to prevent unauthorized access to the personal data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
  • Build in systems and audit trails;
  • Use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
  • Take appropriate measures to manage the risks associated with the processing of personal data, such as the risk of accidental or unlawful destruction, loss, or alteration, unauthorized access, disclosure or other unlawful forms of processing;
  • Ensure pseudonymization and/or encryption of personal data, where appropriate;
  • Maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Maintain the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal data;
  • Monitor compliance on an ongoing basis;
  • Implement measures to identify vulnerabilities with regard to the processing of personal data in systems used to provide services to the Data Controller;
  • Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in the security policy.

In the event of a personal data breach, we will notify the competent supervisory authority and affected data subjects in accordance with Articles 33–34 GDPR.

10. Data Retention

Personal data are retained for no longer than necessary for the purposes described above. For the categories of data listed below, we maintain the following retention periods:

  • Customer relationship data: retained for as long as necessary to manage the contractual relationship and comply with legal obligations;
  • Financial and transaction data: retained for the applicable statutory retention period (typically 7 years under fiscal law);
  • Audit and system logs: retained for up to 30 days.

11. Data Subject Rights

As a data subject, you have the following rights under the GDPR:

  • Access to your data (Art. 15);
  • Rectification of inaccurate data (Art. 16);
  • Erasure of data where legally permissible (Art. 17);
  • Restriction of processing (Art. 18);
  • Objection to processing (Art. 21);
  • Data portability (Art. 20).

If you wish to exercise any of these rights, you can contact us via [email protected]. We will respond to your request as soon as possible, and at the latest within one month. If your request is excessive or very complex, we may need more time to comply with it. If this is the case, we will inform you within one month.

If we cannot reach an agreement, you have the right to lodge a complaint with the Dutch Data Protection Authority. For more information, visit www.autoriteitpersoonsgegevens.nl.

12. Updates to this Privacy Policy

This Privacy Policy may be updated to reflect changes in processing activities or applicable laws. The latest version will always be available at https://meetnance.ai/privacy.
