Privacy Policy
Last updated: 2026-06-24
1. What we collect
- Account data: name, email, password hash, business name, VAT number, country, currency preferences.
- Financial documents you upload: receipts, invoices, and any text or images they contain (merchant, amount, VAT, date, line items).
- Bank transaction data: when you connect a bank via Plaid — account names, balances, transactions, merchant data.
- Derived data: AI-extracted fields, categorisations, anomaly flags, monthly summaries.
- Usage data: log entries, IP address, browser, device, timestamps, error reports.
- Billing data: handled by Stripe; we receive plan status and the last four digits of the card, never the full card.
- Consent records: when and which version of the Terms / Privacy Policy you accepted.
2. Why we use it (lawful basis)
- To provide the service — performance of contract (Art. 6(1)(b) GDPR).
- To run AI categorisation and anomaly detection — performance of contract, with sub-processors bound by data processing terms.
- To send transactional email (sign-in, password reset, billing) — performance of contract.
- To prevent fraud and abuse, secure the service, and meet legal/tax obligations — legitimate interests and legal obligation (Art. 6(1)(f) and (c) GDPR).
- To improve the product — legitimate interests, using aggregate/anonymous data only.
We do not use your financial documents to train AI models.
3. Who we share data with
We use a small set of trusted sub-processors. See the full list and roles in the DPA & subprocessor list. We do not sell personal data.
If you invite an accountant, the data you grant them access to is shared with them under the access scope you choose (read-only or full).
4. International transfers
We process data primarily in the EU. Some sub-processors (e.g. Stripe, Plaid, Gemini) may process data outside the EEA. Where they do, transfers are covered by Standard Contractual Clauses or an adequacy decision.
5. How long we keep it
- Account & financial records: for the lifetime of your account, plus up to 5 years after closure to meet bookkeeping/tax retention obligations applicable to you and to us. You may request earlier deletion (see below); we will erase data unless we have an overriding legal obligation to retain it.
- Backups: encrypted backups are rotated and overwritten within 30 days.
- Server logs: up to 90 days.
- Suppression records (bounced/unsubscribed emails): retained indefinitely to honour your preferences.
6. Your rights under GDPR
- Access & portability — download all your data from Settings → Account → "Download my data" (JSON + CSV).
- Rectification — edit profile and records in-app.
- Erasure — delete your account from Settings → Account; this removes your data subject to the retention notes above.
- Restriction & objection — email admin@booksyro.com.
- Withdraw consent at any time (without affecting prior processing).
- Lodge a complaint with your local data protection authority — in Denmark, that is Datatilsynet.
7. Security
Data is encrypted in transit (TLS) and at rest. Database access uses row-level security scoped to your user ID. Passwords are stored as bcrypt/argon hashes by our auth provider. Access to production systems is restricted and logged. We support strong passwords and recommend a unique one for Booksyro.
8. Cookies
We use essential cookies/local storage for sign-in sessions. See the Cookie Policy.
9. Children
Booksyro is not directed at children under 16 and we do not knowingly collect their data.
10. Changes
We will notify you of material changes by email or in-app at least 14 days before they take effect.
11. Contact
Data controller: Booksyro, Denmark. Contact: admin@booksyro.com.
