Privacy Policy
Last updated 2025-10-10
1. Introduction
This Privacy Policy describes how AXCAP AB (“Sendtale”, “we”, “us”, or “our”) collects, processes, and protects information in connection with the Sendtale web application, mobile apps, APIs, and all related services (collectively, the “Service”).
Sendtale is headquartered in Stockholm, Sweden and operates under Swedish and EU law. We are committed to handling your data securely, transparently, and in full compliance with EU GDPR, UK GDPR, CCPA/CPRA, and all applicable data‑protection legislation.
2. Data Controller and Entity Details
- Sendtale / AXCAP AB
- Kivra: 559258‑4816
- 106 31 Stockholm, Sweden
- VAT Number: SE559258481601
- Website: https://sendtale.com
- Email: privacy@sendtale.com
For different data types: Sendtale acts as a Data Controller for user accounts, billing, and analytics. Sendtale acts as a Data Processor for content imported from third‑party sources (e.g., inboxes, business integrations).
3. Categories of Personal Data Processed
Sendtale collects and processes only information necessary for providing the Service securely:
a. Account and Identification Data
- Name, company, email, and contact details.
- Authentication credentials (via Clerk or Google OAuth).
- Billing data such as VAT ID and payment information.
b. Transaction and Receipt Data
- Digital receipts from connected sources (e.g., Gmail, Uber, Facebook Ads).
- Metadata such as transaction amount, merchant, timestamp, and category.
- Uploads you make manually to the Sendtale application.
c. Technical and Usage Data
- Device information, IP address, OS, and browser type.
- Access timestamps, error logs, and system diagnostics.
- Anonymized behavioral metrics (collected through self‑hosted PostHog).
d. AI‑Browsing Data
Sendtale operates its own secure server infrastructure to power AI‑assisted browsing, document summarization, and automatic categorization of receipts and transactions. When activated, data is processed only under your authorization, entirely on EU‑based Sendtale‑owned servers, with no external model training or AI provider exposure.
4. Lawful Bases for Processing
Sendtale processes data under one or more of the following legal bases under GDPR Article 6:
| Purpose | Lawful Basis |
|---|---|
| Account creation, authentication, and user management | Contract necessity |
| Importing receipt and transaction data | Consent |
| AI‑based data preprocessing and classification | Legitimate interest or explicit user consent |
| Billing and tax compliance | Legal obligation |
| Analytics and error monitoring | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Marketing communications | Consent |
Where consent is the lawful basis, you can withdraw it at any time without affecting previous lawful processing.
5. Use of Data
- Deliver, maintain, and improve the Sendtale Service.
- Retrieve, parse, and structure receipts through authorized integrations or AI‑browsing.
- Synchronize structured transactions with accounting or corporate card systems.
- Comply with corporate, tax, or legal obligations.
- Improve technical reliability and user experience.
- Communicate service updates, policy notices, or requested support.
Sendtale does not use any user data for advertising, external model training, or data resale.
6. Data Retention
| Data Category | Typical Retention |
|---|---|
| Active account data | Throughout account lifetime |
| Deleted account data | Permanently removed within 30 days of deletion |
| System logs & analytics | Up to 12 months (anonymized) |
| Backups (encrypted) | Rotated and purged within 30 days |
All deletions are executed with cryptographically secure erasure methods.
7. Data Security Framework
- AES‑256 encryption for data at rest; TLS 1.3 for data in transit.
- Role‑based access control and multi‑factor authentication.
- Intrusion detection and automatic security event monitoring.
- Quarterly vulnerability scanning and annual penetration testing.
- Complete isolation of AI‑browsing servers from authentication and billing systems.
- Mandatory background checks, security training, and confidentiality for all employees.
8. Data Storage, Hosting, and AI‑Infrastructure
All user data—including AI‑browsing operations—is stored and processed within EU‑based data centers.
- High‑performance isolated nodes specifically allocated to AI receipt extraction.
- No third‑party cloud AI inference or external API models.
- Internal sandboxing to separate each client’s data context from others.
- All AI computations are transient (handled in RAM only) with no external caching or training.
9. Subprocessors and Third‑Party Providers
Sendtale uses a restricted and GDPR‑audited set of subprocessors:
| Subprocessor | Purpose | Jurisdiction / Safeguards |
|---|---|---|
| Stripe Inc. | Payments & invoice automation | U.S. – EU SCCs & Data Privacy Framework |
| Clerk.dev | Authentication & session management | EU / GDPR compliant |
| Google LLC | Receipt access via authorized scopes | U.S. – SCCs |
| PostHog Ltd. (self‑hosted) | Analytics & performance metrics | EU data residency |
| Sendtale AI Servers (AXCAP AB) | Proprietary AI‑browsing & document recognition | EU only – owned by AXCAP AB |
10. Data Sharing
We do not share personal or transactional data for marketing or resale. Limited disclosure may occur only:
- To approved subprocessors solely for service operation.
- To regulatory bodies when legally required.
- To acquirers or successors in case of reorganization (with equal protections).
11. International Transfers
- Application of Standard Contractual Clauses (SCCs) approved by the EU Commission.
- Technical encryption safeguards for all cross‑border flows.
- Transfer Impact Assessments (TIAs) documenting residual risk.
AI‑browsing infrastructure functions entirely in the EU and does not transfer data internationally.
12. Rights of Data Subjects
You may exercise the following rights by contacting privacy@sendtale.com:
- Access – Receive a copy of your personal data.
- Rectification – Correct inaccurate details.
- Erasure – Request account/data deletion.
- Restriction – Temporarily limit processing.
- Portability – Obtain data in machine‑readable form.
- Objection – Oppose legitimate‑interest processing or AI profiling.
- Withdraw Consent – Revoke consent at any time.
Verified requests will be answered within 30 days as required by GDPR.
13. California (CCPA/CPRA) Residents
Sendtale does not sell personal information. California residents may request:
- Disclosure of categories of information collected or shared.
- Copies of specific personal information.
- Deletion of personal information.
- Details about how their information is used or disclosed.
All requests are free of charge and handled within the time limits set by California law.
14. AI‑Specific Transparency Measures
- All AI outputs are machine‑assisted and human‑reviewable only for structuring data.
- No automated decisions produce legal or financial consequences.
- AI inferences are transparent, explainable, and auditable.
- Users can disable AI‑browsing or request its complete exclusion at any time.
- Annual bias and risk assessments are performed under our AI governance program.
15. Incident Response and Notification
If unauthorized access or loss of data occurs, Sendtale will notify affected users and authorities without undue delay (within 72 hours, per GDPR Article 33). Reports include categories of data affected, impact assessment, and remediation details. A dedicated SOC monitors all production systems continuously.
16. Data Protection by Design and Default
- Privacy impact assessments before major feature releases.
- Principle of least privilege across all systems.
- Isolation of AI‑browsing servers via segmented networks.
- Configuration aligned to ENISA and ISO 27001 controls.
17. Children’s Data
The Service is intended for business users aged 18 or older. We do not knowingly collect or process children’s data; any such information will be deleted immediately upon discovery.
18. Policy Updates
We may revise this Privacy Policy periodically to reflect technological progress, legal developments, or AI enhancements. Updates will be posted on this page, and material changes will be communicated via email or in‑product notification.
19. Governing Law and Jurisdiction
This Privacy Policy is governed by Swedish law, with disputes under the exclusive jurisdiction of the courts in Stockholm, Sweden, without prejudice to your right to file a complaint in your local EU jurisdiction.
20. Contact and Data Protection Officer
- AXCAP AB (Sendtale)
- Kivra: 559258‑4816
- 106 31 Stockholm, Sweden
- Email: privacy@sendtale.com