Privacy policy

Last updated: April 6, 2026

1. Data controller

Atenea Labs OÜ
Registry code: 16668881
VAT number: EE102677991
Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141
Estonia
Contact: privacy@cont.ee

Atenea Labs OÜ ("we", "us", "our") operates the cont.ee platform. This privacy policy explains how we collect, use, store, share, and protect personal data when you use our website, application, and related services (collectively, the "Service").

2. Scope of this policy

This policy applies to all individuals who interact with the Service, including:

• Visitors to the cont.ee website
• Users who submit a waitlist or early access request
• Registered users of the cont.ee application
• Authorised representatives of companies using the Service
• Counterparties whose data appears in bank transactions or invoices processed through the Service

3. Data we collect

3.1 Account and identity data

When you register or are invited to the Service, we collect:

• Full name and display name
• Email address
• Password (stored as a cryptographic hash; we never store plaintext passwords)
• Language preference
• Multi-factor authentication secret (if MFA is enabled)

3.2 Company and entity data

For each company (entity) managed through the Service, we collect:

• Legal name and registry code
• VAT registration number and status
• Registered address
• Financial year dates and annual report category
• Base currency
• Group structure and subsidiary relationships

3.3 Banking and financial data

When you connect a bank account via Open Banking, we collect and process:

• Bank account identifiers (IBAN, institution name, currency)
• Transaction history: booking dates, amounts, currencies, directions (debit/credit), descriptions, counterparty names and IBANs
• Account balances
• Multi-currency exchange rate information
• Open Banking consent identifiers and expiry dates

We display a masked version of your IBAN in the user interface for security purposes. Raw transaction data is normalised and stored for accounting processing.

3.4 Counterparty data

The Service processes data about your business counterparties (suppliers, customers, employees, shareholders) as it appears in your bank transactions, invoices, and accounting records:

• Legal names and registry codes
• VAT numbers
• Bank account identifiers (IBANs)
• Transaction history with your company

3.5 Documents and evidence

When you upload documents (invoices, receipts, contracts), we collect:

• The document file itself (stored in encrypted object storage)
• File metadata: name, size, MIME type
• A SHA-256 cryptographic hash for integrity verification
• Extraction metadata from automated processing (OCR/AI), including confidence scores

3.6 Accounting and tax data

The Service processes and stores:

• Chart of accounts and journal entries (debits, credits, VAT codes)
• VAT return drafts (KMD, KMD INF) and income tax drafts (TSD)
• Dividend proposals and distribution calculations
• Representation expense records and business trip allowances
• Prepayment schedules and foreign exchange revaluations
• Period close checklists and review sign-offs

3.7 AI interaction data

When you use the AI-powered features of the Service (transaction classification, financial Q&A, anomaly detection), we collect:

• Your questions and instructions to the AI agent
• AI-generated proposals and responses
• Confidence scores and classification decisions
• Tool call logs (which data queries the AI executed)

For privacy protection, we log a cryptographic hash of AI prompts rather than the full prompt text. We do not use your data to train AI models.

3.8 Technical and session data

• Session tokens and authentication cookies (HttpOnly, encrypted)
• IP addresses and request metadata for security monitoring
• Error reports (via Sentry, configured with personal data collection disabled)

3.9 Waitlist submission data

When you request early access, we collect: full name, work email, company name, registry code (optional), VAT status, number of companies, banking preferences, preferred language, and a description of the problem you want to solve.

4. Legal basis for processing

We process personal data on the following legal bases under the GDPR:

• Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service to registered users, including account management, bank synchronisation, accounting operations, and tax draft preparation.
• Legitimate interest (Article 6(1)(f)): Security monitoring, fraud prevention, error tracking, service improvement, and maintaining audit trails required by accounting regulations.
• Legal obligation (Article 6(1)(c)): Retention of accounting records for 7 years as required by the Estonian Accounting Act; compliance with tax reporting obligations.
• Consent (Article 6(1)(a)): Waitlist submissions; connecting bank accounts via Open Banking (explicit consent given during the bank authorisation flow). You may withdraw consent at any time.

5. Open Banking and bank data access

cont.ee connects to your bank accounts through Enable Banking, a licensed Account Information Service Provider (AISP) regulated under PSD2. When you initiate a bank connection:

• You are redirected to your bank's secure authentication environment to grant explicit consent.
• Consent is granted for access to account balances and transaction history only. We never initiate payments on your behalf.
• Consent is time-limited (maximum 90 days) and can be revoked at any time through the Service or directly with your bank.
• We do not store your bank login credentials. Authentication is handled entirely by your bank.
• Enable Banking acts as a technical intermediary; they process data in accordance with their own privacy policy and PSD2 obligations.

Bank data retrieved through Open Banking is used exclusively for the purposes of accounting, reconciliation, and tax preparation within the Service. We do not sell, share, or use your bank data for marketing, profiling, or any purpose unrelated to the accounting services provided.

6. AI and automated processing

The Service uses artificial intelligence to assist with accounting tasks. This includes:

• Transaction classification: Proposing account codes, VAT treatments, and expense categories for bank transactions.
• Document extraction: Extracting structured data from uploaded invoices and receipts.
• Anomaly detection: Identifying unusual transactions or potential errors.
• Financial Q&A: Answering natural language questions about your financial data.
• Tax draft assembly: Preparing VAT and income tax declaration drafts.

All AI outputs are proposals that require human review and approval before they affect your accounting records. High-confidence recurring patterns may be auto-suggested but are always visible in a review queue. Sensitive items (dividends, fringe benefits, related-party transactions) always require explicit human approval.

AI processing is performed using third-party large language model (LLM) providers (currently Azure OpenAI). Your financial data is sent to the LLM provider only as needed to generate classifications and answers. We do not permit the LLM provider to use your data for model training. Data sent to the LLM is scoped to the specific entity and query context.

7. Data sharing and sub-processors

We do not sell your personal data. We share data only with the following categories of recipients, under appropriate contractual safeguards:

7.1 Infrastructure providers

• Cloud hosting: Our application and database are hosted on infrastructure within the European Economic Area (EEA). Data is encrypted in transit and at rest.
• Object storage: Uploaded documents are stored in encrypted object storage (server-side encryption).

7.2 Open Banking provider

• Enable Banking OY: Licensed AISP that facilitates secure bank connectivity under PSD2. Processes bank account identifiers and transaction data as a technical intermediary.

7.3 AI/LLM provider

• Microsoft (Azure OpenAI Service): Processes financial data for AI-assisted classification, extraction, and Q&A. Data is processed within Azure's European data centres. Microsoft does not use customer data to train models under our enterprise agreement.

7.4 Error monitoring

• Sentry: Receives error reports for application stability monitoring. Configured with personal data collection disabled (send_default_pii=false). No financial data is sent to Sentry.

We do not share data with advertising networks, data brokers, or any third party for marketing purposes.

8. International data transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred to sub-processors outside the EEA (e.g., for error monitoring), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and adequacy decisions where applicable.

9. Data retention

• Accounting records and documents: Retained for a minimum of 7 years from the date of upload or creation, as required by the Estonian Accounting Act (Raamatupidamise seadus). Documents cannot be permanently deleted during the retention period.
• Journal entries and tax drafts: Retained for 7 years from the end of the relevant financial period.
• Bank transaction data: Retained for 7 years as part of the accounting evidence chain.
• Audit trail (domain events): Append-only and retained indefinitely for compliance and auditability. Events include logins, permission changes, journal approvals, tax draft approvals, and document actions.
• User accounts: Retained while the account is active. Upon account deletion, personal identifiers are anonymised; accounting records are retained per legal obligations.
• Session data: Access tokens expire after 15 minutes. Refresh tokens expire after 7 days and are revoked on logout.
• Waitlist submissions: Retained for up to 12 months. Deleted upon request or if the application is not accepted.
• AI interaction logs: Tool call records and prompt hashes retained for 7 years as part of the audit trail.

10. Data security

We implement comprehensive technical and organisational measures to protect your data:

• Encryption in transit: All connections use TLS (HTTPS) — API, database, object storage, and external service communications.
• Encryption at rest: Database and object storage use server-side encryption.
• Entity isolation: A three-layer defence ensures that data from one company cannot be accessed by users of another company: API middleware validation, application-level entity scoping, and database Row-Level Security (RLS) policies.
• Password security: Passwords are hashed using industry-standard algorithms (bcrypt/argon2id). We never store or transmit plaintext passwords.
• Access control: Role-based access control (RBAC) with six distinct roles, from workspace administrator to read-only observer. Permissions are enforced on every API request.
• Session security: JWT-based authentication with short-lived access tokens (15 minutes), single-use refresh tokens, and immediate session revocation on logout.
• Secrets management: API keys, signing keys, and banking credentials are stored as encrypted environment variables, never in source code.
• Audit logging: All security-relevant actions are logged to an append-only audit trail that cannot be modified or deleted.

11. Cookies and tracking

The Service uses only strictly necessary cookies:

• Authentication cookies: access_token, refresh_token, and session_id — HttpOnly cookies used to maintain your authenticated session. These are essential for the Service to function and cannot be disabled.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies. The landing website (cont.ee) does not set any cookies.

12. Your rights under GDPR

As a data subject, you have the following rights:

• Right of access (Article 15): Request a copy of the personal data we hold about you.
• Right to rectification (Article 16): Request correction of inaccurate personal data.
• Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations (e.g., 7-year accounting record retention).
• Right to restriction (Article 18): Request that we limit processing of your data in certain circumstances.
• Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent (e.g., Open Banking access), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You may file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with the supervisory authority in your country of residence.

To exercise any of these rights, contact us at privacy@cont.ee. We will respond within 30 days.

Please note that certain data (accounting records, journal entries, tax drafts, audit trail events) cannot be deleted during the legally mandated 7-year retention period, even upon request. In such cases, we will anonymise personal identifiers where possible while preserving the accounting records as required by law.

13. Automated decision-making

The Service uses AI to propose transaction classifications and tax treatments. These proposals do not produce legal effects or similarly significant effects on individuals, as:

• All AI proposals require human review and approval before they are applied.
• Users can override, modify, or reject any AI-generated proposal.
• Sensitive classifications (dividends, fringe benefits, related-party transactions) are never auto-applied regardless of confidence level.

If you believe an automated classification has affected you, you may contact us to request human review.

14. Children's data

The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

15. Changes to this policy

We may update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.

16. Contact

For any questions, concerns, or requests regarding this privacy policy or your personal data, please contact:

Atenea Labs OÜ
Data Protection Contact
Email: privacy@cont.ee
Address: Sakala tn 7-2, 10141 Tallinn, Estonia