Data security and handling

We work with your company's sensitive financial data. Here is a clear explanation of how we protect it, where it runs, and what we never do with it.

  • Read-only connection
  • EU servers, GDPR
  • TLS and AES-256 encryption

Principle

We see the numbers to help you decide. We do not move them.

We connect to your bank and accounting in read-only mode. That means we only read the data to prepare reporting, a cash flow outlook and decision support. We do not change anything in your systems and we never send money.

Scope of access

What we read and what we never do

What we read

  • Transactions and balances from your bank via a read-only API token
  • Accounting data from exports or imports (for example CSV)
  • Only the data needed for reporting and financial decisions

What we never do

  • We do not write back to your systems
  • We do not initiate payments and we do not move your money
  • We do not use your bank login credentials, only read-only tokens or exports

Where data runs

Storage and encryption

Your data stays in the European Union and is protected at a level appropriate for financial services.

Database

Supabase (PostgreSQL) in the European Union, on AWS infrastructure

Operations

The website and portal run on the Netlify platform

In transit

TLS and HTTPS encryption

At rest

AES-256 encryption, bank tokens stored encrypted

Access to data

Who can reach your data

  • Each client's data is separated at the database level; you see only your own
  • Access is limited to a small group of people bound by confidentiality, on a need-to-know basis
  • Permissions are role-based, with no shared logins
  • Sign-in uses verified identity (Supabase Auth)
  • Service keys stay strictly on the server, never in the browser

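As an added illustration (not numericky.cz's own schema or policy code) of what database-level separation on Supabase/PostgreSQL typically looks like: a per-client table with row-level security keyed to the Supabase Auth user id, a read-only policy for browser sessions, and no write path for them. Table and column names are assumptions.

```sql
-- Added illustration, not the site's own schema. Assumed table and
-- columns; auth.users and auth.uid() are Supabase Auth built-ins.
create table client_transactions (
  id          bigint generated always as identity primary key,
  client_id   uuid not null references auth.users (id),
  booked_on   date not null,
  amount      numeric(14, 2) not null,
  description text
);

-- Without RLS, any signed-in user holding the public anon key could
-- read every client's rows. FORCE applies the policies to the table
-- owner as well, so a misconfigured owner connection gains nothing.
alter table client_transactions enable row level security;
alter table client_transactions force row level security;

-- Each client sees only rows tagged with their own auth user id.
create policy client_reads_own_rows
  on client_transactions
  for select
  to authenticated
  using (client_id = auth.uid());

-- No insert/update/delete policy is created for the authenticated
-- role, so a browser session cannot write back. Server-side imports
-- run with the service_role key, which bypasses RLS and therefore
-- must stay on the server and never be shipped to the browser.
```

A quick check for this setup is to query the table from a browser session signed in as one client and confirm that rows belonging to another client's id are not returned, and that an insert attempt is rejected.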
Contractual framework

Data processing agreement (DPA)

A data processing agreement (DPA) under Article 28 GDPR is part of the cooperation. It supplements the main contract and clearly sets out our obligations.

  • We process data only on your instructions
  • We notify you of a security incident within 24 hours
  • We help you fulfil data subject rights
  • You stay in control of subprocessors, with the right to object

Artificial intelligence

How we use AI and automation

We use AI and automation to process your data faster, find connections in it and prepare clear decision support. The output is always advisory. The decision stays with you and no automated decision-making about your company takes place.

Retention and deletion

How long we keep data

  • We keep data for the duration of the contract and then for a maximum of 30 days, after which we securely delete it
  • At the end of the cooperation you choose an export in a machine-readable format (CSV, JSON or SQL) within 14 days, or deletion
  • After deletion we confirm the deletion date in writing
  • The exception is data we must keep by law, for example accounting records for 10 years

Uploading documents

When you send us files

  • We store files in private storage, not on public links
  • Upload links have limited validity and status checks
  • We log access to documents and store the IP address as a hash

Frequently asked questions

What clients ask

Can you send a payment from my account or change anything?

No. The connection is read-only. We do not write to your systems, we do not initiate payments and we do not use your bank login credentials, only read-only tokens or exports.

Where is my data stored?

In the European Union, in a Supabase (PostgreSQL) database on AWS infrastructure. Transfers are protected by TLS and HTTPS, and data at rest is encrypted with AES-256.

Who has access to my data?

A limited group of people bound by confidentiality, on a need-to-know basis. Each client's data is separated in the database and access is role-based.

What do you use AI and automation for?

To process and analyse your data so we can prepare clear decision support faster. The output is always advisory and the decision stays with you. No automated decision-making about your company takes place.

Do we sign a data processing agreement?

Yes. A data processing agreement (DPA) under Article 28 GDPR is part of the cooperation. It supplements the main contract and sets out how we handle data.

What happens to data at the end of the cooperation?

You choose an export of your data in a machine-readable format (CSV, JSON or SQL) within 14 days, or deletion. After deletion we confirm the deletion date in writing. The exception is data we must keep by law.

Want to see what we will see in your numbers?

Start with a financial scan. We will show you what you cannot see in your company and how we work with data.