Privacy Policy

Ordinal AB is the data controller for the personal data we process about you as a user of the Service.

We process your personal data on the following bases:

• Provide and operate the Service — Performance of contract (GDPR Art. 6(1)(b)). Data: account, organization, financial data.
• Process subscription payments — Performance of contract (GDPR Art. 6(1)(b)). Data: payment data.
• Send transactional emails (auth codes, invoice delivery) — Performance of contract (GDPR Art. 6(1)(b)). Data: email address, invoice details.
• Automated document extraction — Performance of contract (GDPR Art. 6(1)(b)). Data: uploaded documents.
• Import bank transactions via open banking — Performance of contract (GDPR Art. 6(1)(b)). Data: banking data.
• Sync documents from email/cloud providers — Performance of contract (GDPR Art. 6(1)(b)). Data: email provider tokens, attachment data.
• Maintain security and prevent fraud — Legitimate interest (GDPR Art. 6(1)(f)). Data: technical data, account data.
• Comply with Bokföringslagen retention requirements — Legal obligation (GDPR Art. 6(1)(c)). Data: financial data, ledger entries.
• Respond to support inquiries — Performance of contract (GDPR Art. 6(1)(b)). Data: account data, communication content.

When you upload a document or it is imported from a connected email or cloud storage account, the document may be processed using artificial intelligence to extract structured data (amounts, dates, supplier details, VAT information).

Document extraction is performed by Google Gemini. When a document is processed, its content (including text and images) is transmitted to Google's API. Google processes this data solely for the purpose of returning extracted results and does not use it for model training under our agreement with them.

Bank transaction descriptions may also be sent to Google Gemini for merchant name identification.

You are responsible for reviewing all automatically extracted data before it is used in your accounting records.

We share personal data with the following service providers, who process data on our behalf:

• Supabase (EU) — Database hosting, authentication, file storage. Data shared: all Service data.
• Stripe (EU/US, SCCs) — Payment processing. Data shared: payment and subscription data.
• Google (Gemini API) (EU/US, SCCs) — Document extraction, merchant enrichment. Data shared: document content, transaction descriptions.
• Resend (US, SCCs) — Transactional email delivery. Data shared: email addresses, email content.
• Enable Banking (EU, Finland) — Open banking (PSD2). Data shared: bank account and transaction data.
• Trigger.dev (EU) — Background job processing. Data shared: organization IDs, job metadata.
• Google (Gmail API) (EU/US, SCCs) — Email document sync. Data shared: OAuth tokens, email metadata, attachments.
• Microsoft (Graph API) (EU/US, SCCs) — Email document sync. Data shared: OAuth tokens, email metadata, attachments.
• Dropbox (US, SCCs) — Cloud storage document sync. Data shared: OAuth tokens, file metadata, documents.
• Google Maps (EU/US, SCCs) — Address autocomplete. Data shared: address strings.
• Umami Cloud (EU/US, SCCs) — Cookie-less website analytics. Data shared: usage and technical analytics data.

We maintain data processing agreements with all sub-processors. For transfers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.

We will notify you at least 30 days before adding a new sub-processor.

Your data is primarily stored and processed within the EU/EEA. Where data is transferred to countries outside the EU/EEA (primarily the United States), we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs) — in our agreements with US-based sub-processors
• EU-US Data Privacy Framework — where the sub-processor is certified

We retain personal data for the following periods:

• Account data — Duration of account + 30 days after deletion. Basis: contract performance.
• Accounting records (ledger entries, invoices, documents) — 7 years after end of the calendar year the fiscal year was concluded. Basis: Bokföringslagen 7 kap. 2 §.
• Payment/billing data — Duration of subscription + as required by tax law. Basis: contract + legal obligation.
• Server logs — 90 days. Basis: legitimate interest (security).
• Deleted account personal data — Deleted within 30 days of account termination.

Accounting data retained under Bokföringslagen is stored securely and used only for legal compliance purposes. We rely on GDPR Art. 17(3)(b) (legal obligation) as the basis for retaining this data after you request deletion.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34. Notification will be sent to the email address associated with your account and will describe:

• The nature of the breach
• The likely consequences
• The measures we have taken or propose to take to address the breach

We will also notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms, in accordance with GDPR Art. 33.

Under GDPR, you have the following rights regarding your personal data:

• Access (Art. 15) — Request a copy of the personal data we hold about you.
• Rectification (Art. 16) — Request correction of inaccurate personal data.
• Erasure (Art. 17) — Request deletion of your personal data, subject to legal retention obligations.
• Restriction (Art. 18) — Request that we limit processing of your data in certain circumstances.
• Data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
• Objection (Art. 21) — Object to processing based on legitimate interest.
• Withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at info@ordinal.sh. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

The Service uses only essential cookies required for authentication and session management. These cookies are:

• httpOnly — not accessible to JavaScript
• Secure — transmitted only over HTTPS
• SameSite=Lax — restricted to same-site requests

We also use Umami Cloud for cookie-less website analytics. Umami is configured to respect browser Do Not Track settings and to exclude query strings and hash fragments from tracked URLs.

We do not use analytics cookies or advertising cookies. No cookie consent banner is required for cookies because we only use strictly necessary cookies as defined by the Swedish lag om elektronisk kommunikation (LEK).

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at info@ordinal.sh.

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

For questions about this Privacy Policy or to exercise your data protection rights:

We process your personal data on the following bases:

• Provide and operate the Service — Performance of contract (GDPR Art. 6(1)(b)). Data: account, organization, financial data.
• Process subscription payments — Performance of contract (GDPR Art. 6(1)(b)). Data: payment data.
• Send transactional emails (auth codes, invoice delivery) — Performance of contract (GDPR Art. 6(1)(b)). Data: email address, invoice details.
• Manage trial signup and access requests — Steps prior to entering into a contract at your request (GDPR Art. 6(1)(b)); where required, consent (GDPR Art. 6(1)(a)). Data: trial signup data.
• Automated document extraction — Performance of contract (GDPR Art. 6(1)(b)). Data: uploaded documents.
• Import bank transactions via open banking — Performance of contract (GDPR Art. 6(1)(b)). Data: banking data.
• Sync documents from email/cloud providers — Performance of contract (GDPR Art. 6(1)(b)). Data: email provider tokens, attachment data.
• Maintain security and prevent fraud — Legitimate interest (GDPR Art. 6(1)(f)). Data: technical data, account data.
• Comply with Bokföringslagen retention requirements — Legal obligation (GDPR Art. 6(1)(c)). Data: financial data, ledger entries.
• Respond to support inquiries — Performance of contract (GDPR Art. 6(1)(b)). Data: account data, communication content.

When you upload a document or it is imported from a connected email or cloud storage account, the document may be processed using artificial intelligence to extract structured data (amounts, dates, supplier details, VAT information).

Document extraction is performed by Google Gemini. When a document is processed, its content (including text and images) is transmitted to Google's API. Google processes this data solely for the purpose of returning extracted results and does not use it for model training under our agreement with them.

Bank transaction descriptions may also be sent to Google Gemini for merchant name identification.

You are responsible for reviewing all automatically extracted data before it is used in your accounting records.

We share personal data with the following service providers, who process data on our behalf:

• Supabase (EU) — Database hosting, authentication, file storage. Data shared: all Service data.
• Stripe (EU/US, SCCs) — Payment processing. Data shared: payment and subscription data.
• Google (Gemini API) (EU/US, SCCs) — Document extraction, merchant enrichment. Data shared: document content, transaction descriptions.
• Resend (US, SCCs) — Transactional email delivery. Data shared: email addresses, email content.
• Enable Banking (EU, Finland) — Open banking (PSD2). Data shared: bank account and transaction data.
• Trigger.dev (EU) — Background job processing. Data shared: organization IDs, job metadata.
• Google (Gmail API) (EU/US, SCCs) — Email document sync. Data shared: OAuth tokens, email metadata, attachments.
• Microsoft (Graph API) (EU/US, SCCs) — Email document sync. Data shared: OAuth tokens, email metadata, attachments.
• Dropbox (US, SCCs) — Cloud storage document sync. Data shared: OAuth tokens, file metadata, documents.
• Google Maps (EU/US, SCCs) — Address autocomplete. Data shared: address strings.

We maintain data processing agreements with all sub-processors. For transfers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.

We will notify you at least 30 days before adding a new sub-processor.

Your data is primarily stored and processed within the EU/EEA. Where data is transferred to countries outside the EU/EEA (primarily the United States), we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs) — in our agreements with US-based sub-processors
• EU-US Data Privacy Framework — where the sub-processor is certified

We retain personal data for the following periods:

• Account data — Duration of account + 30 days after deletion. Basis: contract performance.
• Accounting records (ledger entries, invoices, documents) — 7 years after end of the calendar year the fiscal year was concluded. Basis: Bokföringslagen 7 kap. 2 §.
• Payment/billing data — Duration of subscription + as required by tax law. Basis: contract + legal obligation.
• Trial signup data — Until trial or access follow-up is complete, or earlier if you ask us to remove it. Basis: pre-contractual request / consent.
• Server logs — 90 days. Basis: legitimate interest (security).
• Deleted account personal data — Deleted within 30 days of account termination.

Accounting data retained under Bokföringslagen is stored securely and used only for legal compliance purposes. We rely on GDPR Art. 17(3)(b) (legal obligation) as the basis for retaining this data after you request deletion.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34. Notification will be sent to the email address associated with your account and will describe:

• The nature of the breach
• The likely consequences
• The measures we have taken or propose to take to address the breach

We will also notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms, in accordance with GDPR Art. 33.

Under GDPR, you have the following rights regarding your personal data:

• Access (Art. 15) — Request a copy of the personal data we hold about you.
• Rectification (Art. 16) — Request correction of inaccurate personal data.
• Erasure (Art. 17) — Request deletion of your personal data, subject to legal retention obligations.
• Restriction (Art. 18) — Request that we limit processing of your data in certain circumstances.
• Data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
• Objection (Art. 21) — Object to processing based on legitimate interest.
• Withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at info@ordinal.sh. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

The Service uses only essential cookies required for authentication and session management. These cookies are:

• httpOnly — not accessible to JavaScript
• Secure — transmitted only over HTTPS
• SameSite=Lax — restricted to same-site requests

We do not use analytics cookies, advertising cookies, or third-party tracking technologies. No cookie consent banner is required because we only use strictly necessary cookies as defined by the Swedish lag om elektronisk kommunikation (LEK).

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at info@ordinal.sh.

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

For questions about this Privacy Policy or to exercise your data protection rights: