Privacy Policy

Last updated 2025-10-10

1. Introduction

This Privacy Policy describes how AXCAP AB (“Sendtale”, “we”, “us”, or “our”) collects, processes, and protects information in connection with the Sendtale web application, mobile apps, APIs, and all related services (collectively, the “Service”).

Sendtale is headquartered in Stockholm, Sweden and operates under Swedish and EU law. We are committed to handling your data securely, transparently, and in full compliance with EU GDPR, UK GDPR, CCPA/CPRA, and all applicable data‑protection legislation.

2. Data Controller and Entity Details

  • Sendtale / AXCAP AB
  • Kivra: 559258‑4816
  • 106 31 Stockholm, Sweden
  • VAT Number: SE559258481601
  • Website: https://sendtale.com
  • Email: privacy@sendtale.com

Sendtale's role depends on the data type: Sendtale acts as a Data Controller for user accounts, billing, and analytics, and as a Data Processor for content imported from third‑party sources (e.g., inboxes, business integrations).

3. Categories of Personal Data Processed

Sendtale collects and processes only information necessary for providing the Service securely:

a. Account and Identification Data

  • Name, company, email, and contact details.
  • Authentication credentials (via Clerk or Google OAuth).
  • Billing data such as VAT ID and payment information.

b. Transaction and Receipt Data

  • Digital receipts from connected sources (e.g., Gmail, Uber, Facebook Ads).
  • Metadata such as transaction amount, merchant, timestamp, and category.
  • Uploads you make manually to the Sendtale application.

c. Technical and Usage Data

  • Device information, IP address, OS, and browser type.
  • Access timestamps, error logs, and system diagnostics.
  • Anonymized behavioral metrics (collected through self‑hosted PostHog).

d. AI‑Browsing Data

Sendtale operates its own secure server infrastructure to power AI‑assisted browsing, document summarization, and automatic categorization of receipts and transactions. When activated, data is processed only under your authorization, entirely on EU‑based Sendtale‑owned servers, with no external model training or AI provider exposure.

4. Lawful Bases for Processing

Sendtale processes data under one or more of the following legal bases under GDPR Article 6:

Purpose | Lawful Basis
Account creation, authentication, and user management | Contract necessity
Importing receipt and transaction data | Consent
AI‑based data preprocessing and classification | Legitimate interest or explicit user consent
Billing and tax compliance | Legal obligation
Analytics and error monitoring | Legitimate interest
Security and fraud prevention | Legitimate interest
Marketing communications | Consent

Where consent is the lawful basis, you can withdraw it at any time without affecting previous lawful processing.

5. Use of Data

  • Deliver, maintain, and improve the Sendtale Service.
  • Retrieve, parse, and structure receipts through authorized integrations or AI‑browsing.
  • Synchronize structured transactions with accounting or corporate card systems.
  • Comply with corporate, tax, or legal obligations.
  • Improve technical reliability and user experience.
  • Communicate service updates, policy notices, or requested support.

Sendtale does not use any user data for advertising, external model training, or data resale.

6. Data Retention

Data Category | Typical Retention
Active account data | Throughout account lifetime
Deleted account data | Permanently removed within 30 days of deletion
System logs & analytics | Up to 12 months (anonymized)
Backups (encrypted) | Rotated and purged within 30 days

All deletions are executed with cryptographically secure erasure methods.

7. Data Security Framework

  • AES‑256 encryption for data at rest; TLS 1.3 for data in transit.
  • Role‑based access control and multi‑factor authentication.
  • Intrusion detection and automatic security event monitoring.
  • Quarterly vulnerability scanning and annual penetration testing.
  • Complete isolation of AI‑browsing servers from authentication and billing systems.
  • Mandatory background checks, security training, and confidentiality for all employees.

8. Data Storage, Hosting, and AI‑Infrastructure

All user data—including AI‑browsing operations—is stored and processed within EU‑based data centers.

  • High‑performance isolated nodes specifically allocated to AI receipt extraction.
  • No third‑party cloud AI inference or external API models.
  • Internal sandboxing to separate each client’s data context from others.
  • All AI computations are transient (handled in RAM only) with no external caching or training.

9. Subprocessors and Third‑Party Providers

Sendtale uses a restricted and GDPR‑audited set of subprocessors:

Subprocessor | Purpose | Jurisdiction / Safeguards
Stripe Inc. | Payments & invoice automation | U.S. – EU SCCs & Data Privacy Framework
Clerk.dev | Authentication & session management | EU / GDPR compliant
Google LLC | Receipt access via authorized scopes | U.S. – SCCs
PostHog Ltd. (self‑hosted) | Analytics & performance metrics | EU data residency
Sendtale AI Servers (AXCAP AB) | Proprietary AI‑browsing & document recognition | EU only – owned by AXCAP AB

10. Data Sharing

We do not share personal or transactional data for marketing or resale. Limited disclosure may occur only:

  • To approved subprocessors solely for service operation.
  • To regulatory bodies when legally required.
  • To acquirers or successors in case of reorganization (with equal protections).

11. International Transfers

  • Application of Standard Contractual Clauses (SCCs) approved by the EU Commission.
  • Technical encryption safeguards for all cross‑border flows.
  • Transfer Impact Assessments (TIAs) documenting residual risk.

AI‑browsing infrastructure functions entirely in the EU and does not transfer data internationally.

12. Rights of Data Subjects

You may exercise the following rights by contacting privacy@sendtale.com:

  • Access – Receive a copy of your personal data.
  • Rectification – Correct inaccurate details.
  • Erasure – Request account/data deletion.
  • Restriction – Temporarily limit processing.
  • Portability – Obtain data in machine‑readable form.
  • Objection – Oppose legitimate‑interest processing or AI profiling.
  • Withdraw Consent – Revoke consent at any time.

Verified requests will be answered within 30 days as required by GDPR.

13. California (CCPA/CPRA) Residents

Sendtale does not sell personal information. California residents may request:

  • Disclosure of categories of information collected or shared.
  • Copies of specific personal information.
  • Deletion of personal information.
  • Details about how their information is used or disclosed.

All requests are free of charge and handled within legal time limits of California law.

14. AI‑Specific Transparency Measures

  • All AI outputs are machine‑assisted and human‑reviewable only for structuring data.
  • No automated decisions produce legal or financial consequences.
  • AI inferences are transparent, explainable, and auditable.
  • Users can disable AI‑browsing or request its complete exclusion at any time.
  • Annual bias and risk assessments are performed under our AI governance program.

15. Incident Response and Notification

If unauthorized access or loss of data occurs, Sendtale will notify affected users and authorities without undue delay (within 72 hours, per GDPR Article 33). Reports include categories of data affected, impact assessment, and remediation details. A dedicated SOC monitors all production systems continuously.

16. Data Protection by Design and Default

  • Privacy impact assessments before major feature releases.
  • Principle of least privilege across all systems.
  • Isolation of AI‑browsing servers via segmented networks.
  • Configuration aligned to ENISA and ISO 27001 controls.

17. Children’s Data

The Service is intended for business users aged 18 or older. We do not knowingly collect or process children’s data; any such information will be deleted immediately upon discovery.

18. Policy Updates

We may revise this Privacy Policy periodically to reflect technological progress, legal developments, or AI enhancements. Updates will be posted on this page, and material changes will be communicated via email or in‑product notification.

19. Governing Law and Jurisdiction

This Privacy Policy is governed by Swedish law, with disputes under the exclusive jurisdiction of the courts in Stockholm, Sweden, without prejudice to your right to file a complaint in your local EU jurisdiction.

20. Contact and Data Protection Officer

  • AXCAP AB (Sendtale)
  • Kivra: 559258‑4816
  • 106 31 Stockholm, Sweden
  • Email: privacy@sendtale.com

© 2025 Sendtale by Axcap AB. All rights reserved.