Privacy Policy for Accaio

Last Updated: November 26, 2025

Effective Date: January 1, 2025

1. Introduction and Scope

Accaio ("we," "us," or "our") provides an AI-powered communication automation and document processing platform designed specifically for Belgian accounting firms. We are committed to protecting the privacy and security of the data entrusted to us by our customers (Accounting Firms) and their clients (SMEs).

This Privacy Policy describes how we collect, use, process, and disclose data in compliance with:

  • The General Data Protection Regulation (GDPR) (EU) 2016/679
  • The Belgian Data Protection Act of 30 July 2018
  • The EU AI Act (Regulation laying down harmonised rules on artificial intelligence)
  • Ethical guidelines established by the ITAA (Institute for Tax Advisors and Accountants)

1.1 Company Information (Controller)

Loev BV

Address: Dalenstraat 2, 3020 Winksele

VAT Number: BE1025608813

General Email: guust@accaio.com

Privacy Email: privacy@accaio.be

1.2 The Role of Accaio

It is critical to distinguish our roles regarding data processing:

Data Processor:

Accaio acts as a Data Processor for the client data, financial documents, and communication history that Accounting Firms upload or sync to our platform ("Service Data"). The Accounting Firm acts as the Data Controller and retains ownership of this data.

Data Controller:

Accaio acts as a Data Controller for the data we collect about our website visitors, our customers' employees (users), job applicants, and leads ("Business Data").

2. Processing Activities (Detailed Breakdown)

We process data for the specific purposes outlined below. For each activity, we specify the data, legal basis, and retention period.

2.1 Service Delivery (The SaaS Platform)

Role: Data Processor (on behalf of Accounting Firm)

Purpose: Providing RAG Email Agents, OCR document processing, and accounting software synchronization

Data Categories: Client Data: Email threads, WhatsApp messages, meeting transcripts, invoices, UBL XML. Vectors: Semantic embeddings of the above data stored in our vector database.

Legal Basis: Performance of a Contract (GDPR Art. 6.1.b) with the Accounting Firm

Retention: Configurable by the Firm. Default is 7 years (Belgian accounting standard) or until contract termination

2.2 Account Management & Support

Role: Data Controller

Purpose: Managing user accounts, billing, authentication, and responding to support tickets (via email or chat)

Data Categories: Accountant names, email addresses, hashed passwords, support ticket history, activity logs

Legal Basis: Performance of a Contract (GDPR Art. 6.1.b) and Legitimate Interest for support (GDPR Art. 6.1.f)

Retention: Duration of the contract + 2 years for support history; 7 years for billing data (legal obligation)

2.3 Marketing and Newsletters

Role: Data Controller

Purpose: Sending product updates, newsletters, and industry insights to interested parties

Data Categories: Name, email address, interaction history with emails

Legal Basis: Consent (GDPR Art. 6.1.a) for new leads; Legitimate Interest (GDPR Art. 6.1.f) for existing customers

Retention: Until the user unsubscribes. An unsubscribe link is included in every email

2.4 Website Usage & Analytics

Role: Data Controller

Purpose: Improving website performance, analyzing user journeys, and security monitoring

Data Categories: IP addresses (anonymized where possible), browser type, device info, clickstream data. Tools used include PostHog

Legal Basis: Legitimate Interest (GDPR Art. 6.1.f) for functional cookies; Consent (GDPR Art. 6.1.a) for tracking cookies

Retention: Maximum 2 years after last activity (see Cookie Policy for specifics)

2.5 Recruitment (Job Applicants)

Role: Data Controller

Purpose: Evaluating candidates for employment at Accaio

Data Categories: CVs, cover letters, LinkedIn profiles, interview notes

Legal Basis: Legitimate Interest (GDPR Art. 6.1.f) during selection; Contractual Necessity (GDPR Art. 6.1.b) for offers

Retention: 4 weeks after procedure ends, or 1 year with specific consent for the recruitment reserve

3. Artificial Intelligence and Automated Decision Making

In compliance with the EU AI Act, Accaio implements the following safeguards:

3.1 Human-in-the-Loop

  • Accaio is an assistive tool, not a fully autonomous agent
  • Drafting vs. Sending: Our RAG Email Agent drafts responses, but an accountant (human) must review and approve them before they are sent
  • Verification: Accountants are responsible for verifying the accuracy of financial data extracted via OCR before it is committed to the accounting ledger

3.2 Transparency

We clearly indicate when content has been generated by AI. The system provides citations (references to past emails or documents) explaining why the AI generated a specific draft, ensuring explainability.

4. Technical Architecture and Data Security

We utilize a robust security framework designed to meet the standards of the financial services industry.

4.1 Data Residency and Storage

  • EU Localization: All application logic and databases, including our Convex database deployment, are hosted strictly within European Union data centers. Data does not leave the EEA
  • Multi-tenant Architecture: We enforce strict logical isolation between Accounting Firms. Data from Firm A cannot be accessed by Firm B. Vector stores are partitioned by Tenant ID

4.2 Encryption and Security Measures

  • Encryption in Transit: All data transmission (API calls, web portal access, email forwarding) is encrypted via TLS 1.3
  • Encryption at Rest: All stored data, including vector embeddings and file blobs, is encrypted at rest using AES-256 standards
  • Access Controls: We implement Role-Based Access Control (RBAC). Only authorized personnel within the Accounting Firm can access their client data

5. Data Sharing and Third-Party Integrations

We do not sell data. We share data only with the following categories of recipients to fulfill our service obligations:

5.1 Integration Partners

To function, Accaio pushes data to the software specifically connected by the Accounting Firm, including:

  • Accounting Software: Yuki, Exact Online, Silverfin
  • E-Invoicing Networks: The Peppol network (Access Point providers) for B2B mandate compliance

5.2 Sub-processors (Cloud & Infrastructure)

We engage trusted third-party vendors to support our technical infrastructure:

  • Cloud Hosting & Database: Convex (real-time database, EU-hosted), Node.js runtime environment
  • AI & Machine Learning: OpenAI API (GPT models), Google AI SDK (Gemini), Vercel AI SDK
  • Authentication & Identity: WorkOS AuthKit, Microsoft Graph API (Office 365/Azure AD)
  • Communication & Messaging: WhatsApp Business API, Meta (Facebook) APIs for WhatsApp platform
  • Analytics & Monitoring: PostHog (analytics), Web Vitals (performance monitoring)
  • Document Processing: Mammoth.js, PDF Parse, MSGReader for various document formats
  • Development & Testing Infrastructure: Vitest, Testing Library, JSDOM

A current list of Sub-processors with their data processing roles is available in our Data Processing Agreement (DPA).

6. Rights of Data Subjects

6.1 Your Rights

You have the right to:

  • Access your data
  • Rectify incorrect data
  • Delete your data ("Right to be forgotten")
  • Restrict processing
  • Portability of your data
  • Object to processing based on legitimate interest

To exercise these rights regarding your account or marketing preferences, contact privacy@accaio.com.

6.2 Note for End-Clients (SMEs)

Because Accaio is a Data Processor for client financial data, requests from SME clients regarding their documents or emails should be directed to the Accounting Firm (Data Controller). We will assist the Accounting Firm in fulfilling these requests.

7. Regulatory Authority and Complaints

If you believe that your rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA)

Address: Rue de la Presse 35, 1000 Brussels

Website: https://www.autoriteprotectiondonnees.be

Tel: +32 (0)2 274 48 00

8. Contact Us

For any questions regarding this Privacy Policy, please contact:

Accaio BV

Address: Dalenstraat 2, 3020 Winksele

Email: privacy@accaio.com