Privacy Policy

We collect the information needed to operate the Service on your behalf:

• Account information. Name, email address, phone number, company name, password hash, and role (client, accountant, or firm owner).
• Invoice and document data. Files you upload (PDFs, images, spreadsheets) together with the financial data they contain — vendor names, invoice numbers, line items, amounts, VAT, and dates.
• Bank statement data. MT940 and similar exports you upload, together with the transactions they contain.
• Chat content. Messages exchanged between you and your accountant (or client) inside the Service.
• Technical data. Device type, OS version, app version, IP address, and basic event logs used for diagnostics and abuse prevention.

We use the information we collect to:

• Provide and operate the Service — extract structured data from your invoices, match invoices to bank transactions, deliver chat messages, and generate accounting exports.
• Authenticate you and keep your account secure, including two-factor authentication.
• Diagnose errors, detect abuse, and improve the reliability of the Service.
• Communicate with you about your account, security notices, and support requests.

We do not sell your personal data, and we do not use your invoice content for advertising.

We use a small number of trusted sub-processors to run the Service. Each one receives only the information needed to perform its task:

• Google Cloud (Google LLC). Hosting, databases, and file storage for the Service.
• Google Gemini (Google LLC). Automated extraction of structured data from uploaded invoices and documents. Extracted content is returned to our systems and is not used by Google to train general models.
• Stripe, Inc. Billing and payment processing for firms on paid plans. Stripe receives billing contact details and payment information; we do not store full card numbers on our servers.
• Email delivery provider. Transactional email (password resets, security notices) is sent via a standard email service provider.

We retain account and invoice data for as long as your workspace is active. Because invoices and bank statements are records that firms and their clients are often legally required to keep for several years, deletion is not automatic.

You can request deletion of your account and the associated data at any time by emailing messaging@onsadmin.com. We will delete personal data within 30 days of a verified request, except where we are required to retain specific records to comply with legal, accounting, or tax obligations.

Depending on where you live (for example under the EU / UK GDPR), you have the right to access, correct, export, or delete the personal data we hold about you, and to object to certain kinds of processing. You can exercise these rights from inside Settings, or by emailing messaging@onsadmin.com.

Traffic to and from the Service is encrypted with TLS. Access tokens use short-lived JWTs with rotating refresh tokens. Passwords are stored hashed, never in plain text. Optional two-factor authentication is available for all accounts. No system is perfectly secure, and we encourage you to use a strong, unique password and to enable two-factor authentication.

The Service is not intended for children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can remove it.

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date above and, for significant changes, notify you in the app or by email.

Questions or requests about this policy can be sent to messaging@onsadmin.com.