Last updated: 17 June 2026
This Privacy Notice explains how Premore processes personal data in connection with the Exorda service.
The controller is Premore.
Finnish Business ID: 1877355-4
Privacy-related enquiries may be sent to:
support@exorda.net
We process personal data to provide, maintain and protect Exorda. Technical observations and aggregated or anonymised information may be used to develop the service in a way that does not identify an individual user or the contents of a workspace.
Personal data is processed in particular for the following purposes:
The primary legal basis for processing personal data is the performance of a contract when the data is processed in order to provide the Exorda service to the user.
Processing based on the performance of a contract includes, for example, creating a user account, logging in, using the service, managing workspaces and access rights, storing data entered by the user and providing the core functions of the service.
Processing based on a legal obligation includes, for example, obligations relating to payments, invoicing, accounting, taxation, consumer protection and requests from competent authorities. This concerns administrative and payment-related service data, not the use of the user’s personal finance tracking data for separate purposes.
Processing based on Premore’s legitimate interests includes maintaining service security, preventing misuse, investigating technical issues, providing customer support, ensuring that the service functions properly and establishing, exercising or defending legal claims.
If a specific service function is based on the user’s consent, this is explained in connection with that function. The basic use of Exorda does not currently rely on consent for advertising, analytics or marketing.
We process only personal data that is necessary to provide and maintain Exorda, or data that the user adds to the service.
The categories of personal data include:
Exorda does not store the user’s password in plain text. A one-way technical hash of the password is stored, and it cannot be restored to the original password. For this reason, Premore cannot see the user’s current password or return it to the user. The user may change or reset the password through the service functionality.
Some technical identifiers are stored in hashed or otherwise protected form. This data is used, for example, for login, security, misuse prevention and access management.
The names, descriptions and similar transaction-specific free-text content entered by the user in the Data Entry view are stored in encrypted form. This data is intended to support the user’s own personal finance tracking. It is not used for advertising targeting and is not sold or disclosed to advertisers.
Actual payment card details are not stored in Exorda. Payments are processed through a payment service provider. Exorda stores the technical payment service identifiers and the payment or subscription status needed to manage paid access.
Financial data, notes, descriptions, party data and other information entered into the service may contain personal data depending on what the user chooses to enter. The user is responsible for ensuring that they have the right to add data that they enter into the service or share in a workspace.
The service is not intended for storing special categories of personal data, such as health data, religious or political data, online banking credentials or payment card details.
Personal data is mainly obtained directly from the user when the user creates an account, uses the service, manages workspaces, uses paid features, contacts customer support or enters data into the service.
Some data is generated automatically when the service is used, for example through login, sessions, access rights, subscriptions, security checks, error situations and the technical operation of the service.
Technical data relating to payments and subscriptions is obtained from the payment service provider. Such data includes, for example, the status of a payment or subscription, the technical identifier of a payment transaction and information on whether paid access is active.
Exorda uses a PHP session cookie that is necessary for the operation of the service.
The session cookie is used to maintain the user’s session, manage login, check access rights and provide the protected functions of the service. The session cookie is necessary for the normal operation of the service and is removed when the browser session ends.
Exorda does not use Google Analytics, behavioural analytics, third-party advertising cookies or tracking identifiers for targeted advertising.
Because Exorda uses only the session cookie that is necessary for the service to function, the service does not display a separate cookie consent window. If non-essential cookies or similar identifiers are added to the service later, this practice will be updated before they are introduced.
We do not sell personal data, financial data, workspace content or usage data to advertisers.
Exorda’s actual service data is stored in Infomaniak’s hosting environment in Switzerland. Infomaniak Network SA processes personal data on behalf of Premore as a processor. A data processing agreement under Article 28 GDPR is in place with the hosting provider.
For paid use, Exorda uses a payment service provider, currently Stripe, to process payments, subscriptions and paid access rights. Only data necessary for processing the payment and subscription is provided to the payment service provider, such as the user’s email address, the payment service customer or subscription identifier, payment status and technical payment transaction data.
Exorda does not provide the payment service provider with the user’s financial data, transaction names or descriptions, workspace content, asset values, liability data, loan data, reconciliation material or other personal finance tracking data.
Personal data is disclosed to authorities or other third parties only if required by law, an official order, a legal claim, service security or the defence of rights.
If the service or its business is transferred to another operator, for example in a corporate arrangement, business transfer or similar transaction, personal data may be transferred to the new service provider to the extent necessary to continue the service and protect users’ rights.
Exorda’s actual application data and the personal finance tracking data entered by the user are stored in Infomaniak’s hosting environment in Switzerland. Switzerland is covered by the European Commission’s adequacy decision.
For paid use, the payment service provider processes the personal data necessary for payment and subscription processing in accordance with its own terms of service, privacy practices and applicable data protection mechanisms.
Exorda does not transfer the user’s actual personal finance tracking data, workspace content, transaction names or descriptions, reconciliation material, loan data or asset data to the payment service provider.
If the user enters, attaches or copies bank or payment transaction material into the service for reconciliation, the material is processed only to carry out the reconciliation function requested by the user.
Raw bank or payment transaction material is not stored in Exorda as permanent material. During the preview stage, the material is processed temporarily so that the service can identify columns, show the user a preview and prepare suggestions for the user to review.
If the user approves transactions for saving, only the transactions approved by the user are stored in Exorda as normal transaction data. The original copied or attached raw bank material is not stored as permanent material.
Technical metadata from reconciliation may be retained, such as the reconciliation time, selected month, number of processed rows, number of saved transactions and a technical identifier needed to support a possible undo function. This metadata is used for managing reconciliation, investigating error situations and processing transactions approved by the user.
Exorda is not a bank, payment service, account information service or official accounting system. The user should check the reconciliation results before using them as a basis for decisions or further processing.
Personal data is retained for as long as the user account is active or for as long as retention is necessary to provide the service, process subscriptions and payments, provide customer support, maintain service security, prevent misuse, comply with legal obligations or handle legal claims.
Financial data entered by the user into the service is generally retained for as long as the user account or the relevant workspace exists, unless the user deletes the data earlier or there is another basis for retaining it.
If the user starts the account deletion process, the account may be deleted automatically if there is no obstacle relating to active billing, workspace ownership or access rights in shared workspaces.
If the user has an active paid subscription or paid access right, account deletion may require that the subscription period or paid access right has ended first or that billing has otherwise been resolved.
If the user owns private workspaces, those workspaces and their data are deleted when the user account is deleted. This may include, for example, transactions, categories, parties, asset values, liability data, loan data, reconciliations, reporting data and workspace settings. Deletion is permanent and cannot be undone.
If the user is a member of a shared workspace, the user’s access to the workspace is removed, but the workspace data may remain available to other workspace users.
If the user is the only owner of a shared workspace, account deletion may first require adding another owner to the workspace, transferring ownership to another user, converting the workspace into a private workspace or deleting the workspace separately.
After account deletion, some necessary technical, billing, accounting, security, misuse prevention or legal claim-related data may be retained for as long as necessary under law, contract, service security or legitimate claims.
We use appropriate technical and organisational measures to protect personal data. These include encrypted transmission, access control, user roles, one-way password hashing, encrypted storage of transaction-specific free-text content entered by the user, logging, protection of the server environment, backups, workspace-level separation of data and restricting access to necessary data only.
Passwords and some technical identifiers are stored in a form that cannot be restored to the original plain-text form. Such data cannot be used by service administration to read the original password or identifier.
Transaction names, descriptions and similar transaction-specific content entered by the user in the Data Entry view are stored in encrypted form. Their content is not used for advertising, user profiling or external analytics.
Not all security measures are described publicly in detail, so that the security of the service is not weakened.
The user is responsible for keeping their login credentials confidential and for granting workspace access only to persons who have the right to see the data in that workspace.
Exorda does not make automated individual decisions within the meaning of Article 22 GDPR that would produce legal effects concerning the user or similarly significant effects.
The service performs technical and rule-based access checks, such as restricting access based on subscription, access right, trial period, workspace role or security reason. These checks are used to implement service access rights and protect the service.
Exorda does not use Google Analytics, behavioural tracking, targeted advertising or marketing profiling based on the user’s financial data.
Under applicable data protection law, the user has the right to:
The exercise of these rights may depend on the purpose and legal basis of the processing. Not all data can necessarily be deleted or changed immediately if retention is necessary, for example, due to a legal obligation, billing, security, misuse prevention, performance of a contract or a legal claim.
Requests concerning data subject rights may be sent to support@exorda.net. In order to process the request, the user’s identity or right to make the request may need to be verified.
Certain personal data is necessary to provide the Exorda service. For example, creating a user account, logging in, managing access rights and using the protected parts of the service require the processing of certain basic and technical data.
If the user does not provide the data necessary for the service to function, it may not be possible to create a user account or use all parts of the service.
The financial data entered into the service is chosen by the user, but the service functions, calculations, reports and reconciliations are based on the data that the user decides to add to the service.
The user has the right to lodge a complaint with the competent data protection authority if the user considers that their personal data has been processed in violation of data protection law.
In Finland, the competent supervisory authority is the Office of the Data Protection Ombudsman.
The processing of personal data is governed by the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection legislation.
We may update this Privacy Notice when necessary, for example due to changes in the service, processing activities, service providers, legislation or data protection practices.
The current version is always available in the Exorda service. Material changes may be announced in the service or by other appropriate means.