Privacy Policy
Effective date: 2026-05-07 · Document version: 2026-05-07
This Privacy Policy explains how the Operator processes personal data in connection with the Service. We comply with Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, "IKS").
1. Data controller
Xprofit OÜ, registry code 14662029, registered at Pae tn 21, 11414 Tallinn, Estonia. Data-protection contact: info@xprofitx.com.
We have not appointed a data-protection officer because we are below the threshold of GDPR Art 37(1). Data-protection enquiries go to the email above and are handled by management.
2. Categories of personal data we process
| Category | Examples | Source |
|---|---|---|
| Account | Email, name, password (bcrypt-hashed), TOTP secret (AES-256 encrypted), preferred locale, registration time. | From you |
| Company data | Registry code, name, address, VAT number, EMTAK code, director. | From you and from public Äriregister |
| Employees of your company | Names, dates of employment, salary, isikukood (encrypted at rest with AES-256-GCM at the application layer). | From you |
| Banking & invoices | IBAN (encrypted), bank statement entries, invoices, receipts, declarations and their drafts. | From you / your bank CSV exports |
| Payment data | Subscription tier, billing email, payment confirmation tokens. We do NOT see or store full card numbers — those are tokenised by Stripe / EveryPay. | From you, via the payment processor |
| Technical | IP, login time, user-agent, request logs, audit trail of changes. | Automatic |
| AI prompts and outputs | Text you submit to AI features (chat, document parsing, categorisation) and the AI's response. | From you |
3. Purposes and lawful bases (GDPR Art 6)
| Purpose | Lawful basis |
|---|---|
| Provide the Service: prepare declarations, host your data, generate documents. | Performance of contract — Art 6(1)(b) |
| Authentication, security, fraud prevention. | Legitimate interests — Art 6(1)(f) |
| Billing and payment processing. | Performance of contract — Art 6(1)(b); legal obligation — Art 6(1)(c) (accounting law). |
| Statutory record-keeping. | Legal obligation — Art 6(1)(c) (Raamatupidamise seadus § 12, 7-year retention). |
| Service improvement, telemetry, error monitoring. | Legitimate interests — Art 6(1)(f). You can object via the contact email. |
| AI features (chat, parsing, categorisation). | Performance of contract — Art 6(1)(b) when you actively use them. |
| Marketing email (only if you opt in). | Consent — Art 6(1)(a). Withdrawable at any time. |
4. Recipients and processors
We disclose personal data only as necessary to operate the Service. Our subprocessors are:
- Stripe Payments Europe Ltd (Ireland) and Stripe Inc. (USA) — payment processing for international cards. Standard Contractual Clauses for US transfer.
- EveryPay AS (Estonia, part of LHV Group) — payment processing for SEPA, Estonian card schemes, open banking.
- OpenAI Ireland Ltd / OpenAI L.L.C. (USA) — AI features. Data is sent under OpenAI's Enterprise data-handling terms; OpenAI does not use submitted content to train its public models. Standard Contractual Clauses for US transfer.
- Self-hosted AI (Ollama, EmbeddingGemma) — runs in our own infrastructure, no third-party transfer.
- Hosting infrastructure provider (EU region) — operating the Service on our behalf under a written contract that includes GDPR Art 28 clauses.
- Email delivery provider (when configured) — for transactional and notification emails.
- Estonian authorities (Maksu- ja Tolliamet, Äriregister) — only when you yourself trigger a submission and only with your active credentials. We do not submit your data to authorities on our own initiative.
5. International transfers
Where data is transferred outside the European Economic Area (Stripe US, OpenAI US), we rely on Standard Contractual Clauses (Decision (EU) 2021/914) — Module Two for Controller-to-Processor transfers and Module Three where the recipient itself sub-processes — supplemented by technical measures including encryption in transit (TLS 1.3) and at rest (AES-256-GCM for sensitive fields). We have completed a Transfer Impact Assessment (TIA) for each US recipient and will refresh it whenever the legal landscape materially changes (e.g. expiry of an adequacy decision). A copy of the SCCs and TIA is available on request to the data-protection contact.
6. Retention
- Account and company data: while the account is active, plus 7 years after termination if required by Raamatupidamise seadus § 12. Otherwise deleted within 90 days of account closure.
- Banking entries, invoices, declarations and primary accounting records: 7 years from the end of the relevant fiscal year.
- Authentication / security logs: 12 months.
- AI prompts and responses: 30 days, then deleted from our database. AI providers (e.g. OpenAI) may retain inputs for up to 30 days for abuse monitoring per their terms.
- Consent log entries: 5 years (to evidence consent under GDPR Art 7(1)).
- Marketing-related data (if you opt in): until you unsubscribe.
7. Your rights (GDPR Art 15–22)
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate data.
- Right to erasure — delete data when no legal retention applies.
- Right to restriction of processing.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (we do not perform such decisions).
To exercise any of these rights, write to info@xprofitx.com from the email address registered to your account, including the right(s) you wish to exercise and any context that helps us identify the data. We respond within 30 days; for complex or numerous requests we may extend by two further months and will notify you of the extension and reasons within the first 30 days.
Data-subject requests are free of charge for the first request in any 12-month period. If a request is manifestly unfounded or excessive (in particular because of its repetitive character) we may charge a reasonable administrative fee or refuse to act, in line with GDPR Art 12(5).
8. Right to lodge a complaint
You may complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, aki.ee) or to the supervisory authority in your EU country of residence.
8.1 Special categories (GDPR Art 9)
The Service is not designed to process special categories of personal data — health, biometric, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, sex life, sexual orientation. You must not upload such data to the Service. If we detect that special-category data has been uploaded, we will delete it without notice and notify you of the action; repeated upload may lead to account suspension.
8.2 Personal-data breaches
Where a personal-data breach is likely to result in a high risk to your rights and freedoms (GDPR Art 34), we will notify you without undue delay by email to the address registered to your account, and where appropriate by an in-app banner. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. We notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of any reportable breach (GDPR Art 33).
9. Security
Technical and organisational measures we apply include:
- Transport encryption (TLS 1.3) for all client connections.
- Application-level encryption (AES-256-GCM via Cloak) for sensitive fields: isikukood, IBAN, TOTP secret.
- Bcrypt password hashing.
- Optional two-factor authentication (TOTP).
- Role-based access control inside the Operator and an audit log of every administrative action.
- Daily encrypted database backups with 30-day rotation.
- Documented incident-response plan with notification to data subjects and the Inspectorate within 72 hours of a high-risk personal-data breach (GDPR Art 33–34).
10. Cookies
We use essential cookies for authentication and security. Optional analytics and marketing cookies are loaded only with your prior consent given through the cookie banner. See the Cookie Policy for details and to withdraw consent.
11. Children
Under § 8 of the Estonian Personal Data Protection Act and Art 8 GDPR, processing of personal data of a child below 13 years requires parental consent. The Service is directed at adults running businesses; we do not knowingly collect personal data from anyone under 16 in the context of providing the Service. If you become aware that a child has provided data without proper authorisation, contact us at the email below so that we can delete the data and any account opened with it.
We apply the principle of data minimisation throughout the Service: we collect only data that is necessary to deliver the requested feature, retain it only for the period required by the relevant lawful basis, and do not enrich profiles or perform behavioural advertising.
12. Changes to this Policy
We will publish material changes to this Policy 30 days before they take effect, with notice by email and an in-app banner. The current version date is shown at the top of this page.
13. Contact
Privacy enquiries: info@xprofitx.com. Postal: Pae tn 21, 11414 Tallinn, Estonia.