Privacy Policy

Last updated: January 2025

1. Introduction

Kontalab ("we") respects the privacy of your data and is committed to protecting personal information in accordance with the General Data Protection Regulation (GDPR) and applicable Romanian law. This policy explains what data we collect, how we use it and what rights you have.

2. Data we collect

2.1. Account data

  • First name, last name, email address
  • Company name and tax ID (optional)
  • Language preferences and account settings

2.2. Accounting data

  • Trial balances, journal ledger, account ledgers
  • Documents (invoices, receipts, bank statements)
  • Partners (clients, suppliers — company data, not personal)
  • Inventory and stock movements
  • Treasury (bank and cash balances)

Important: Accounting data is synced exclusively from your accounting software, read-only. We do not collect personal data of your employees, clients or suppliers beyond what appears in the accounting documents (e.g. a company name on an invoice).

2.3. Technical data

  • IP address, browser type, operating system
  • Access and Platform-usage logs
  • Agent performance and error data (if installed)

3. How we use the data

  • Providing and improving the Service (dashboard, reports, AI)
  • Computing financial indicators and generating alerts
  • Answering AI questions based on your accounting data
  • Communications about your account, billing and service updates
  • Detecting and preventing fraud and abuse
  • Complying with legal obligations

We do not sell your data to third parties. We do not use your accounting data to train AI models. We do not share your data with other companies.

4. Legal basis

  • Performance of the contract — processing necessary to provide the Service
  • Legitimate interest — improving and securing the Platform
  • Legal obligation — keeping access logs as required by law
  • Consent — marketing communications (optional, withdrawable at any time)

5. Data storage and security

  • Servers are located in the European Union
  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256
  • Automatic daily backups with 30-day retention
  • Role-based, authenticated, restricted access
  • Audit log for all sensitive operations

6. Data sharing

We share data only with:

  • Infrastructure providers (EU hosting) — under processing agreements
  • AI providers (question processing) — data is anonymized where possible
  • Authorities — only when legally required

7. Data retention

  • Account data: for the lifetime of the account + 30 days after deletion
  • Accounting data: for the lifetime of the account + 30 days after deletion
  • Technical logs: maximum 12 months
  • Billing data: as required by tax law (10 years)

8. Your rights (GDPR)

You have the right to:

  • Access — request a copy of your data
  • Rectification — correct inaccurate data
  • Erasure — request deletion ("the right to be forgotten")
  • Restriction of processing — limit how we use your data
  • Portability — receive your data in a structured format
  • Objection — object to processing in certain situations
  • Withdrawal of consent — at any time, without retroactive effect

To exercise your rights, contact us at [email protected]. We respond within 30 days.

9. Cookies

The website uses only strictly necessary cookies (authentication, session). We do not use tracking or marketing cookies.

10. Complaints

If you believe the processing of your data violates the GDPR, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)www.dataprotection.ro.

11. Changes

We may update this policy from time to time. We will notify you by email and within the Platform at least 30 days before substantial changes.

12. DPO contact

For data protection questions:
Email: [email protected]