PRIVACY POLICY

Updated: April 7, 2026

1. Controller and contact details

This Privacy Policy describes how Blackreef Oy (Business ID 3555182-2), the provider of the tulos.ai service (“tulos.ai”, “we”, “us” or the “Service Provider”), processes personal data.

For data protection-related questions, please contact: personal_data@tulos.ai

2. Our role in personal data processing

tulos.ai acts as a controller particularly when we process personal data needed for user accounts, contracts, billing, customer relationship management, support, security, service administration, and the development of our own business.

When a Customer uses tulos.ai to process its own accounting, invoicing, payroll, banking or other financial administration material, the Customer or the accounting firm designated by the Customer usually acts as the controller and tulos.ai acts as the processor. Separate data processing terms may also apply in those situations.

3. Who this policy applies to

This policy primarily applies to the following persons:

  • representatives of customers, prospective customers, and partners
  • primary users and other users of the service
  • billing, contract, and support contacts
  • persons who contact us, for example through demo requests, sales, or customer support

If your personal data is processed only within accounting or other material stored in the service by a Customer, the Customer or its designated accounting firm is usually the primary controller. In that case, requests concerning your rights should generally be directed first to that Customer.

The separate website privacy policy applies to cookies and visitor analytics on the public website.

4. What personal data we process

As controller, we process in particular the following categories of data:

  • name, email address, phone number, role, language, and other contact details
  • company or organisation name, Business ID, billing and contract details, and order history
  • user account information, login and authentication data, and access roles
  • customer service and communication records, such as contacts, support requests, and feedback
  • data relating to use of the service, devices, logs, security events, cookies, and other technical identifiers

At the Customer’s instruction, the service may also process, for example:

  • accounting records, receipts, invoices, VAT and tax filing-related data, and reports
  • contact and identification data of customers, suppliers, employees, and other business counterparties to the extent stored in the service by the Customer
  • payment, posting, payroll, cost centre, and other financial administration data
  • bank account identifiers, balances, transaction data, reference numbers, payer and payee data, and technical metadata relating to bank connections when the Customer enables the bank integration

5. Where the data comes from

We receive personal data primarily from the following sources:

  • the Customer, the User, or another authorised representative during registration, ordering, onboarding, or the customer relationship
  • material uploaded to or integrated with the service
  • banks and other account servicing payment service providers when the User grants the authorisation required for the bank connection
  • public registers, authorities, or other reliable data sources to the extent needed to provide the service, verify data accuracy, or comply with legal obligations
  • logs, analytics, and security data generated through use of the service

We process personal data for the following purposes:

  • creating user accounts, onboarding customers, managing access rights, and delivering the service. Processing is based on performance of a contract and steps taken prior to entering into a contract.
  • managing the customer relationship, customer support, billing, service communications, and contract administration. Processing is based on the contract and in part on legitimate interest.
  • processing accounting, banking, and other financial administration material on behalf of the Customer in order to provide the service features. Processing is based on the Customer’s instructions, the service agreement, and where applicable separate data processing terms.
  • establishing bank connections, retrieving balances and transaction data, reconciliation, and accounting automation when the User enables the feature. Processing is based on performance of the contract and on the authorisation and consent required by the bank or bank connectivity service.
  • ensuring security, preventing misuse, logging, fraud prevention, and service quality assurance. Processing is based on legitimate interest and in part on legal obligations.
  • managing our own accounting, taxation, legal obligations, and regulatory requests. Processing is based on legal obligation.
  • analysing, developing, testing, measuring, and improving the service. Processing is based on legitimate interest. Where possible, we use anonymised or aggregated data for these purposes.
  • direct marketing and newsletters to the extent permitted. Processing is based on legitimate interest or consent depending on the type of communication and applicable law.

7. Bank connections and Enable Banking

When a Customer enables a bank connection, tulos.ai may retrieve balance and transaction data for selected bank accounts through Enable Banking Oy (Business ID 2988499-7). Enable Banking acts as the technical provider of the bank integration.

The User authenticates through an authorisation process approved by the bank or other account servicing payment service provider and grants access only to the extent covered by that authorisation. The data received is used for importing bank transactions, reconciliation, accounting automation, reporting, and other service features enabled by the Customer.

The Customer is responsible for ensuring that it and its Users have the right to connect the relevant bank account to the service. The bank connection can be disconnected or the authorisation can be withdrawn through the bank, the service, or customer support. Withdrawal of the authorisation stops future retrieval of data, but material already imported into the service may be retained as part of the Customer’s accounting records, audit trail, and legal obligations in accordance with the agreement and applicable law.

8. Who we disclose data to

We may disclose or grant access to data to the following parties to the extent necessary:

  • Users, accounting firms, and other authorised parties designated by the Customer
  • our technology, hosting, storage, communication, analytics, OCR, AI, support, payment service partners, and other subprocessors
  • Enable Banking Oy to the extent required to implement the bank connection
  • authorities, courts, insurers, auditors, and advisors where required by law or legitimate interest
  • relevant parties in connection with a corporate transaction, business transfer, or financing arrangement subject to appropriate safeguards

We do not sell personal data to third parties for their own marketing purposes.

9. Transfers outside the EU/EEA

We aim to process personal data primarily within the EU/EEA. If we use service providers or technical solutions involving transfers of data outside the EU/EEA, we implement appropriate safeguards such as the European Commission’s standard contractual clauses or another transfer mechanism required under applicable law.

10. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy.

Retention periods depend on the category of data. For example:

  • user account, contract, and billing data is retained during the customer relationship and thereafter for as long as needed for contractual obligations, claims handling, debt collection, accounting, and legal obligations
  • customer service records and log data are retained for as long as needed for support, security, audit trail, and investigation of misuse
  • accounting material, bank transaction data, and other financial administration data are retained in accordance with the Customer’s instructions, the service agreement, and applicable accounting and tax legislation
  • marketing-related data is retained until the recipient withdraws consent or objects to marketing, or until the data is no longer needed

11. Data security

We protect personal data with appropriate technical and organisational measures. These include, for example, access control, passwords and strong authentication, logging, backups, secure data transmission, staff guidance, and restricting access to persons who need the data for their work tasks.

12. Data subject rights

Under applicable law, you have the right to:

  • be informed about the processing of your personal data
  • request access to your data
  • request rectification of inaccurate or incomplete data
  • request erasure where permitted by law
  • request restriction of processing
  • object to processing in certain situations
  • request data portability where that right applies
  • withdraw consent for the future where processing is based on consent
  • lodge a complaint with the competent supervisory authority

If the request concerns data that we process on behalf of a Customer as processor, we may direct the request to the Customer or ask you to submit the request directly to that controller.

13. Changes to this policy

We may update this Privacy Policy when the service, legislation, or our processing practices change. The updated version will be published on this page, and material changes may also be communicated through the service or by email.