Privacy Policy
1. Introduction
This Privacy Policy explains how Accordix processes personal data in connection with the Accordix website and service. Accordix is a document collection and shared inbox workflow for accountants and their clients. It is not an accounting system, tax filing system, payroll system, certified legal archive, or replacement for statutory accounting records retention.
This policy describes how we handle personal data for which we act as a controller — primarily the data needed to run the website, create and secure accounts, communicate with users, provide support, and keep the service secure. For personal data inside the documents that customers upload, we generally act as a processor; that relationship is governed by our Data Processing Agreement and is summarised in section 5.
2. Who we are
The controller for the processing described in this policy is:
- Anton Desiatnykov
- Legal form: sole trader operating under a Slovak trade licence (živnostenské oprávnenie)
- Registered address: Agátová 3460/7F, 841 01 Bratislava-Dúbravka, Slovak Republic
- Company ID (IČO): 57 025 991
- Trade register number (č. živnostenského registra): 110-355749
- Tax ID (DIČ): [DIČ]
- VAT ID (IČ DPH): [IČ DPH, if applicable]
- Privacy contact: privacy@accordix.sk
We have not appointed a Data Protection Officer at this stage; our internal assessment of that requirement is reviewed periodically. You can reach us about any privacy matter at privacy@accordix.sk.
3. Scope of this policy
This policy applies to:
- visitors to the Accordix website;
- people who register for and use an Accordix account (business members and accountants);
- people who contact us for support or other enquiries.
It does not govern how the businesses and accountants who use Accordix decide to process the documents and personal data they upload. For that content we act on their instructions as a processor — see section 5 and the Data Processing Agreement.
4. Data we collect
Account data. Name, email address, and (optionally) phone number provided at registration; the organization/workspace name for business accounts; account role (member or accountant); the user interface language you choose.
Authentication data. A securely hashed password (we never store passwords in plain text), email-verification status, and the session/authentication cookie that keeps you signed in.
Workspace and usage metadata. Information needed to operate the workflow: document titles and metadata, document requests and their status, reminders, and timestamps. Where you upload document files, those files may themselves contain personal data — see section 5.
Communications and support. Messages you send us and our replies, and the email address used.
Technical logs. Limited server logs needed to operate and secure the service (for example timestamps, error information, and coarse request information). We deliberately do not log document contents, recipient email addresses, secrets, tokens, or download links.
Billing metadata. Paid plans are not currently offered, so we do not process billing or payment data. If paid plans launch, we will update this policy to describe the billing data and the payment provider before any such data is collected.
Analytics / tracking. Accordix currently uses no third-party website analytics or advertising trackers. See our Cookie Policy.
5. Customer content and uploaded documents
Customers and their clients upload documents (invoices, receipts, delivery notes, contracts, bank statements, payroll support, and similar) into their workspace. These documents frequently contain personal data — for example names, contact details, company and tax identifiers, bank account numbers, and the details of individuals appearing on invoices and receipts.
For personal data contained in documents uploaded by customers or their clients, Accordix generally acts as a processor on behalf of the relevant customer. The customer determines what documents are uploaded, why they are processed, and how long they must be retained. The applicable processing terms are described in our Data Processing Agreement.
Accordix does not own customer documents and is not responsible for the customer's own accounting, tax, payroll, or statutory record-retention obligations.
Optional AI-assisted document analysis. Where an accountant turns on the optional "find missing linked documents" feature for a specific request, the raw document file linked to that request — which may include bank statements and other financial data — is sent to our AI subprocessor, Google Cloud Vertex AI (Gemini), and processed in the EU (eu multi-region), to suggest other documents the client may still need to provide. This happens only on that per-request opt-in, on the customer's instruction (so Accordix acts as a processor and Google as a subprocessor — see the Subprocessors page). The output is suggestions that a person reviews: it does not constitute automated decision-making producing legal or similarly significant effects about any individual (GDPR Art. 22), and a failed analysis never blocks the upload. Routine in-product text extraction and classification run locally and do not use this or any other third-party AI provider. The feature is off unless an accountant enables it.
6. Purposes of processing
We process the controller data described above to:
- create, secure, and operate user accounts and workspaces;
- verify email addresses and authenticate sign-in;
- provide and maintain the document-collection workflow;
- send service and workflow communications (for example verification emails and reminders triggered within the product);
- respond to support requests;
- keep the service secure, prevent abuse, and diagnose problems;
- comply with our legal obligations.
7. Legal bases
Where we act as a controller, we rely on the following legal bases under the GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the service to you and your organization.
- Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, maintain limited logs, and improve reliability, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to meet a legal requirement.
- Consent (Art. 6(1)(a)) — where we ask for it (for example any future non-essential cookies or optional communications).
For personal data inside uploaded documents, the relevant legal basis is determined by the customer as controller, not by Accordix.
8. Data sharing and subprocessors
We do not sell personal data. We share it only with service providers (subprocessors) who help us run Accordix, and only as needed. Our current subprocessors and the data they process are listed on our Subprocessors page; at the time of writing they are our hosting provider, our email delivery/intake provider, and — where an accountant enables the optional "find missing linked documents" feature — Google Cloud Vertex AI for AI document analysis.
We may also disclose data where required by law or to protect our rights, and in connection with a corporate transaction (for example a merger or acquisition), subject to appropriate safeguards.
9. International transfers
We aim to keep personal data within the European Union / EEA. Our application hosting is located in the EU (Frankfurt, Germany), and Google Cloud Vertex AI requests are configured to the EU (eu multi-region). Where a subprocessor is headquartered outside the EU/EEA (for example Google, which is US-headquartered) or processes data outside the EU/EEA, we rely on an appropriate transfer mechanism (such as an adequacy decision or Standard Contractual Clauses); the Subprocessors page records the mechanism for each provider.
10. Data retention
We keep controller data for as long as your account is active and for a limited period afterwards, then delete or anonymise it, unless a longer period is required for legal, security, or billing reasons.
- Account and workspace data: retained while the account is active, and for up to 30 days after the account is closed to allow export, after which it is deleted or anonymised.
- Technical and security logs: retained for up to 90 days, unless a longer period is needed to investigate a security incident.
- Backups: data in backups may persist until backups are rotated, within approximately 35 days.
- Support messages: retained for up to 24 months after the enquiry is resolved.
Retention of personal data inside uploaded documents is determined by the customer; see the Data Processing Agreement and our Data Export & Deletion page.
11. Security
We use reasonable technical and organizational measures designed to protect personal data, including encryption in transit (HTTPS), hashed passwords, role-based access, and organization-level separation of data. No system can be guaranteed to be completely secure. Our current measures and their honest limitations are described on our Security page.
12. Your rights
Subject to the conditions in the GDPR, you have the right to: access your personal data; rectify inaccurate data; erase data; restrict or object to processing; request data portability; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority (section 18).
Where Accordix acts as a processor for data inside uploaded documents, requests from individuals are generally directed to the relevant customer (controller); we will assist that customer as described in the Data Processing Agreement.
13. How to exercise your rights
To exercise any of these rights, contact us at privacy@accordix.sk. We may need to verify your identity before acting on a request. We will respond within the timeframes required by applicable law.
14. Cookies and tracking
Accordix uses only strictly necessary cookies to operate the service (for example to keep you signed in and remember your language). We do not use advertising or third-party analytics cookies. Full details are in our Cookie Policy.
15. Children
Accordix is a business-to-business service and is not directed to children. We do not knowingly collect personal data from children.
16. Changes to this policy
We may update this policy from time to time. When we do, we will change the "Last updated" date above and, where appropriate, notify account holders. Continued use of the service after an update constitutes acknowledgement of the revised policy to the extent permitted by law.
17. Contact
For any question about this policy or your personal data, contact privacy@accordix.sk or write to us at Agátová 3460/7F, 841 01 Bratislava-Dúbravka, Slovak Republic.
18. Supervisory authority
If you are in Slovakia, you may lodge a complaint with the Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), Hraničná 12, 820 07 Bratislava, https://dataprotection.gov.sk. If you are elsewhere in the EU/EEA, you may contact your local supervisory authority.