Privacy Policy
Last updated: 1 April 2026
1. Data Controller
The data controller for Tilvi is Tilvi (hereinafter "Tilvi", "we", or "the service"). For privacy inquiries: privacy@tilvi.fi
2. What data we collect
We collect and process the following data:
- Account data: email address (for authentication), display name, business type
- Financial data: bank statement CSV files you upload, transactions, categorizations, VAT reports, and invoices
- Usage data: login times, page requests (Vercel server logs), error logs
- Payment info: subscription plan. No card data is stored — payments are handled by Stripe.
3. Purpose and legal basis
| Purpose | Legal basis |
|---|---|
| Providing the service (bookkeeping, reports) | Contract (GDPR Art. 6(1)(b)) |
| Billing via Stripe | Contract (GDPR Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (GDPR Art. 6(1)(f)) |
| Legal obligations | Legal obligation (GDPR Art. 6(1)(c)) |
4. EU data residency
All data is stored in Supabase in the EU (Western Europe) region. Data is not transferred outside the EU/EEA without appropriate safeguards.
5. Data retention
Data is retained as long as you have an active account. Upon account deletion, all your data is permanently removed within 30 days.
6. Third-party services
- Supabase (database and auth) — DPA in place
- Stripe (payments) — DPA in place
- Anthropic (AI) — transaction data is sent to Claude for categorization; Anthropic does not use API customer data to train models
- Resend (email) — for invoice delivery
- Vercel (hosting and analytics) — aggregated analytics without personal data
7. Your rights
Under GDPR you have the right to:
- Access: request a copy of data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: delete your account and all data from the Settings page, or email privacy@tilvi.fi
- Portability: request your data in a machine-readable format
- Objection: object to certain processing
We respond to requests within 30 days. You may also lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
8. Cookies
We use only technically necessary cookies (session, authentication). We do not use tracking or marketing cookies.
9. Changes to this policy
We will notify you of material changes by email at least 14 days before they take effect.
10. Contact
Privacy matters: privacy@tilvi.fi