Legal

Data Processing Agreement

Last updated: 2026-07-13

This Data Processing Agreement (“DPA”) explains how Numwisely handles the personal data you put into the service on behalf of other people — for example, the names, addresses, and contact details of your clients on invoices, or details that appear on receipts you upload. It meets the requirement in Article 28 of the GDPR for a written agreement between a controller and a processor.

1. Who is who

  • You (the customer)are the “controller”. You decide what personal data you put into the service and why.
  • Visualsofjulius OY(Business ID FI29419016, Aura, Finland), operator of Numwisely, is the “processor”. We process that data only to provide the service to you.

2. What we process and for how long

  • Subject and purpose: processing personal data contained in your expenses, income, receipts, invoices, and client records, only to operate the features you use.
  • Types of data: names, addresses, contact details, business identifiers (e.g. VAT numbers), amounts, and any personal data that appears in the documents you upload.
  • Data subjects: your clients, suppliers, employees, and any individuals named in your records.
  • Duration: for as long as you use the service, plus any period we are legally required to retain accounting records (see the Privacy Policy).

3. Our promises as processor

  • Process personal data only on your documented instructions (using the service is such an instruction).
  • Keep the data confidential and ensure people who handle it are bound by confidentiality.
  • Apply appropriate technical and organizational security measures (GDPR Article 32).
  • Help you respond to requests from individuals exercising their data-protection rights.
  • Notify you without undue delay if we become aware of a personal-data breach affecting your data.
  • Delete or return personal data when our agreement ends, except where law requires us to keep it.
  • Make available the information needed to show we meet these obligations.

4. Sub-processors

You give general authorization for us to use the following sub-processors. We remain responsible for any sub-processor we use.

  • Supabase — database, authentication, and file storage (Europe, region eu-central-2).
  • Google (Gemini API & Cloud Run OCR) — AI extraction and chat, invoice-template generation, and image OCR (United States).
  • Vercel — application hosting, served from an EU region (United States company).
  • Resend — sending invoice and notification emails (United States).
  • Visma (Maventa) and Recommand — e-invoice delivery operators, used only when you send structured e-invoices (European Union).
  • Notion — optional two-way sync, only if you connect it (United States).
  • Telegram — optional receipt-photo bot, only if you connect it (international).

Services you connect under your own agreements — for example your own Stripe account for payment links or your own email (SMTP) provider — act for you directly and are not our sub-processors.

We update this list before adding a new sub-processor. To be notified of changes, email contact@visualsofjulius.com.

5. International transfers

Most data is stored in Europe. Where a sub-processor is based outside the EU/EEA (for example in the United States), the transfer is covered by the EU–US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, with additional measures where needed.

6. How this is accepted

This DPA applies automatically when you use Numwisely to process personal data on behalf of others. If you need a separately signed copy (for example for your own records or audit), email contact@visualsofjulius.com. It works alongside our Terms and Conditions and Privacy Policy.