Privacy Policy

Last updated: April 2026

Data Protection Contact

For all data protection inquiries, contact info@reconcify.io.

You may also contact the Luxembourg National Commission for Data Protection (CNPD) at cnpd.public.lu, or the supervisory authority in your country of residence.

1. Who We Are

Reconcify is an AI-powered invoice processing platform operated by Future Technologies SARL-S (operating as Reconcify), 2, am Stronck, L-6915 Roodt-sur-Syre, Luxembourg. Registration: RCS Luxembourg B303953, VAT LU37196938. Managing Director: Bruno Soric. Your organization (the accounting firm) is the data controller. Future Technologies SARL-S acts as the data processor on its behalf (GDPR Art. 28).

For the formal Data Processing Agreement, see our DPA.

2. Data We Collect

  • Account data: email, name, role, and login timestamps.
  • Documents: invoices and bank statements you upload or provide via Google Drive.
  • Extracted data: invoice numbers, amounts, dates, supplier and customer names, VAT information.
  • Integration tokens: Google OAuth credentials, encrypted at rest with AES-256-GCM (when using Google Drive).
  • AI usage data: model, provider, token counts, and cost per processing operation.
  • Audit logs: processing state transitions and user actions.
  • Security events: incident type, severity, and affected scope, as required for breach notification under Art. 33 and 34.
  • Demo request data: name, company, email, phone, and message, if submitted via the demo request form.

3. Why We Process It

  • Extract and reconcile invoice data using AI (via Mistral AI, EU-compliant provider, default model: Mistral)
  • Match invoices to bank transactions
  • Send email notifications about processing results
  • Maintain audit logs for tax compliance
  • Process demo requests and respond to prospective customer inquiries
Legal bases: contract performance (Art. 6(1)(b)), legal obligation for tax records (Art. 6(1)(c)), legitimate interest for service quality and demo inquiries (Art. 6(1)(f)).

4. Sub-Processors

  • Supabase: authentication and file storage (Frankfurt, Germany, AWS eu-central-1).
  • Mistral AI: EU-based AI provider for document OCR and data extraction (Paris, France). Data does not leave the EU.
  • Google Cloud: Google Drive and Sheets integration (optional, for data export).
  • Railway: application hosting (EU region).
  • Resend: transactional email delivery.

5. Data Retention

  • Uploaded files: 90 days after processing, then automatically purged
  • Processing results: configurable, default 12 months
  • Audit logs: 12 months
  • Account data: duration of account + 30 days after deletion
  • OAuth tokens: until disconnection or account deletion
  • AI usage records: 12 months, then automatically purged
  • Demo request data: 12 months after submission, then automatically purged

6. Your Rights

Under GDPR, you have the following rights. You can exercise most of them directly through the application:

  • Right of Access (Art. 15): go to Settings and click “Export My Data” to download your personal data, including account information, processing job metadata, file metadata, and usage records in JSON format.
  • Right to Erasure (Art. 17): go to Settings > Danger Zone > “Delete My Account” to permanently delete your account and associated data. Audit logs are retained for 12 months per legal obligation.
  • Right to Data Portability (Art. 20): the “Export My Data” function provides a structured, machine-readable JSON export.
  • Right to Rectification (Art. 16): contact us to correct inaccurate personal data.
  • Right to Restriction (Art. 18): contact us to restrict processing of your data.
  • Right to Object (Art. 21): contact us to object to processing based on legitimate interest.
  • Right to Lodge a Complaint: you may lodge a complaint with your national data protection authority (e.g., CNPD Luxembourg at cnpd.public.lu, Datenschutzbehörde Austria at www.dsb.gv.at, or BfDI Germany at www.bfdi.bund.de).

7. International Transfers

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (Art. 46(2)(c)) or the EU-U.S. Data Privacy Framework.

8. Changes

We may update this policy and will notify users of material changes via email at least 14 days before the changes take effect.