Privacy & Cookie Policy

1.Data We Process as Controller

When you register, contact us, or use LedgiFlow as an account holder, we process the following personal data as a controller:

• Account data — name, email, organisation, role and authentication details, to create and secure your account (legal basis: performance of contract, Art. 6(1)(b) GDPR).
• Billing data — subscription and payment metadata handled through our payment provider (Art. 6(1)(b)).
• Usage and device data — logs, IP address and product analytics used to operate and improve the service (legitimate interest, Art. 6(1)(f)).
• Marketing data — where you opt in, to send product updates (consent, Art. 6(1)(a)).

2.Data We Process as Processor

When you upload invoices, bank statements and other documents, those may contain personal data of your clients, suppliers or employees. We process this Customer Data only on your documented instructions and solely to provide the service, as your processor under our Data Processing Agreement. You remain the controller of that data. Where employee or payroll data is involved, the relevant legal basis (such as Art. 9(2)(b) GDPR for employment-law processing) rests with you as controller.

3.Cookies and Similar Technologies

We use cookies and similar technologies. You can accept, reject or adjust non-essential categories at any time through the cookie preferences control. The categories are:

• Strictly necessary — required to run the service and keep you signed in. Always on; no consent required.
• Preferences — remember choices such as theme and language (consent required).
• Statistics — help us understand how the service is used (consent required).
• Marketing — measure and improve our communications (consent required).

4.Third Parties and International Transfers

We share personal data with the service providers (sub-processors) needed to operate LedgiFlow — currently: Oracle Cloud Infrastructure, Anthropic, Brevo, Stripe, VIES (European Commission). The full registry, including each provider’s role and location, is maintained in Schedule 1 of our Data Processing Agreement. Where data is transferred outside the European Economic Area, the transfer is protected by appropriate safeguards such as the EU Standard Contractual Clauses together with supplementary measures.

5.How Long We Keep Data

• Operational and security logs — up to 12 months after account termination.
• Marketing data — up to 24 months after the relationship ends.
• Customer Data — deleted within 30 days of account termination.
• Records required by law — up to 7 years where required by applicable law.

6.Your Rights

Where we are the controller, you have the right to access, rectify, erase, restrict or port your personal data, and to object to processing or withdraw consent at any time. Where LedgiFlow is the processor, please direct such requests to the controller (your accountant or the organisation that holds the account); we will assist them as required. You also have the right to lodge a complaint with a supervisory authority — in Cyprus, the Office of the Commissioner for Personal Data Protection.

Contacting us

For any privacy question or to exercise your rights, contact us at privacy@ledgiflow.com. Controller: Woocargo Ltd, Reg. No. HE 403674, VAT CY10403674R, 4A Andrea Assioti, Akropoli, 2007 Nicosia, Cyprus. Tel. +357 22397742.

7.Updates to This Policy

We may update this policy from time to time. Material changes will be notified through the service or by email, and the “last updated” date above will reflect the latest version.