Privacy-by-Design
We do not train AI on your books.
Bookkeepers carry legal liability for what's in your ledger. Sending the entire ledger to an LLM is a non-starter. Here's exactly what crosses the wire and what does not.
Stays in Estonia
- ✓ Full ledger (companies, transactions, declarations)
- ✓ Bank statements & invoices (encrypted at rest)
- ✓ Payroll & employee personal codes (PII encrypted with AES-GCM)
- ✓ Audit log of every change
Goes to AI (only on demand)
- → OCR text from one PDF you uploaded — when you click ✨ Extract
- → Chat question + KMS / EMTA snippets — when you ask the AI assistant
- → Period totals (rate buckets) — when you run AI sanity-check on a KMD draft
- → All other data is never sent. Categorisation on Free is rule-based, not AI.
Never happens
- ✗ AI training on your data
- ✗ Retention beyond the API request
- ✗ Sharing with third parties
- ✗ Sending your full ledger anywhere outside our DB
Where exactly does the AI run?
AI features go through OpenAI's API (gpt-5-nano for chat, gpt-5.4-mini for document parsing and KMD sanity-check). OpenAI's enterprise terms (which we operate under) explicitly state: input and output data is not used to train OpenAI's models. We additionally never include personally identifiable information in the prompts — names, IBAN, isikukood are stripped at our boundary before the request leaves our server.
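As an added illustration of the boundary stripping described above (this is not the service's own code), the sketch below redacts Estonian IBANs, isikukood values and known names from prompt text before it would be sent. The function names, the `known_names` parameter (assumed to come from the ledger's own records), the placeholder tokens and the sample text are all assumptions made for the example.

```python
import re

# Candidate patterns; the checksums below decide whether a match is really PII.
IBAN_RE = re.compile(r"\bEE\d{2}(?: ?\d{4}){4}\b")   # Estonian IBAN, 20 characters
ISIKUKOOD_RE = re.compile(r"\b[1-8]\d{10}\b")        # 11-digit personal code

def iban_ok(candidate):
    """ISO 13616 mod-97 check: move the first 4 chars to the end, letters -> 10..35."""
    s = candidate.replace(" ", "")
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def isikukood_ok(code):
    """Two-stage weighted mod-11 check digit of the Estonian personal code."""
    d = [int(c) for c in code]
    for weights in ((1, 2, 3, 4, 5, 6, 7, 8, 9, 1), (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)):
        r = sum(w * x for w, x in zip(weights, d)) % 11
        if r < 10:
            return r == d[10]
    return d[10] == 0

def redact(text, known_names=()):
    """Return (redacted_text, counts). Counts can be written to the audit log
    in place of the removed values."""
    counts = {"iban": 0, "isikukood": 0, "name": 0}

    def sub(kind, pattern, valid, s):
        def repl(m):
            # Checksum failures (e.g. an invoice number) are left untouched so
            # accounting figures survive; redact unconditionally for a stricter policy.
            if not valid(m.group()):
                return m.group()
            counts[kind] += 1
            return f"[{kind.upper()}]"
        return pattern.sub(repl, s)

    text = sub("iban", IBAN_RE, iban_ok, text)
    text = sub("isikukood", ISIKUKOOD_RE, isikukood_ok, text)
    # Longest names first so a full name is replaced before a shorter name inside it.
    for name in sorted((n for n in known_names if n.strip()), key=len, reverse=True):
        text = sub("name", re.compile(re.escape(name), re.IGNORECASE), lambda _: True, text)
    return text, counts

# Constructed sample input: test personal code, sample IBAN, made-up name.
SAMPLE = ("Salary for Mari Maasikas, isikukood 38001085718, to "
          "EE38 2200 2210 2014 5685. Invoice 38001085719, total 1250.00 EUR.")

if __name__ == "__main__":
    print(redact(SAMPLE, known_names=["Mari Maasikas"]))
```

Regex matching alone cannot find free-text names, which is why the sketch takes them from a supplied list.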
Why this matters: the Xero precedent
In March 2026, Xero — the largest accounting platform globally — explicitly banned the use of their API data for training any AI/ML models. They cited 'protection of commercial confidentiality and user trust'. We agree. Our terms include the same prohibition.
Audit trail
Every AI call is logged in our database with: which user, which company, which feature, how many tokens, how much it cost, and which prompt version. You (and your accountant) can review the full history. Each AI suggestion is just that — a suggestion. The number that ends up in the EMTA submission is always under human control.
What about GDPR / Estonian data law?
Our default position: data lives at rest on EU-hosted infrastructure (Postgres in Frankfurt or Tallinn). The minimum data leaves the EU only in the form of a single API request to OpenAI's EU endpoint, processed in the EU per their data residency commitments. See our DPA for the full processor list.
Have a question we didn't cover? Reply to any signup email — a human reads it.