Summary
In plain English
We store your receipts and invoices on EU servers in Germany. We use them to do the job you hired us for — extract the line items, calculate the VAT, and hand the result back to you and your accountant. We do not sell your data, we do not feed your private receipts into anyone else's AI training set, and you can export or delete everything at any time.
This Privacy Policy explains how Fidanet Solution Oy ("Baslic", "we", "us") collects and processes personal data when you visit baslic.com, use the Baslic web and mobile applications at app.baslic.com, or interact with us by email. It applies to founders, employees, accountants, and anyone whose personal data we process in the course of delivering the Baslic service (the "Service").
For data we process on behalf of our business customers (for example, receipts submitted by their employees), we act as a processor under Article 28 of the EU General Data Protection Regulation (the "GDPR"). Those processing activities are governed by the Data Processing Agreement and the obligations there take precedence over this Policy where they conflict.
Who we are
The data controller for personal data processed under this Policy is:
- Fidanet Solution Oy
- Marinkallio 6b, 02320 Espoo, Finland
- Business ID (Y-tunnus): 3497432-1
- Email: privacy@baslic.com
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. Privacy matters are handled by the founder; you can reach us directly at privacy@baslic.com.
Data we collect
Account data
When you sign up we collect your name, work email address, the company you represent (if any), the language you use Baslic in, and a password hashed with a one-way function. We never see your password in plain text.
Receipt and invoice content
The core of the Service is processing the receipts, invoices, and travel-expense entries you forward, upload, or photograph. This content typically contains the merchant name, line items, prices, tax rates, payment method, and sometimes the names or roles of people in your business (for example, "lunch with the team"). Where the file you submit contains personal data of third parties, you are responsible for ensuring you have a lawful basis to share it with us for processing.
Email metadata
If you use email forwarding, you receive a workspace-specific address at mail.baslic.com (for example, your-workspace-code@mail.baslic.com). When you forward a receipt to that address, we receive the sending address, the subject line, and the timestamps of the message you forward. We use this only to attach the receipt to the right account.
Usage and device data
When you use the Service, we automatically collect log data such as IP address, browser type, operating system, the pages you view, the actions you take, and the timestamps. We use this for security, debugging, and to understand which features are working.
Billing data
Subscription payments are processed by Stripe Payments Europe Ltd. We receive the last four digits of the card, the card brand, the country, and the billing address you provide. We do not store full card numbers on our infrastructure.
Support communications
When you write to us we keep the email, your address, and any attachments you choose to share so we can answer and refer back to the conversation later.
How we use it
We use the data above to:
- Deliver the Service — ingest receipts, extract line items, classify VAT, generate exports, and return the results to you.
- Bill you, send subscription receipts, and handle taxes.
- Send service-critical email — password resets, payment failures, security alerts, scheduled downtime.
- Improve and debug the Service, with personal data minimised or pseudonymised whenever the engineering task permits.
- Comply with our own legal obligations — Finnish bookkeeping law, tax reporting, sanctions screening, and responses to lawful requests from authorities.
- Defend ourselves in disputes and prevent fraud, abuse, and unauthorised access.
Legal bases (GDPR Article 6)
- Performance of a contract — to deliver the Service you have signed up for and to bill you for it (Article 6(1)(b)).
- Legal obligation — to keep accounting records, answer authorities, and meet our tax obligations (Article 6(1)(c)).
- Legitimate interests — to keep the Service secure, prevent abuse, improve features, and communicate with existing customers about meaningful product updates (Article 6(1)(f)).
- Consent — for optional analytics cookies, product newsletters, and any data use that goes beyond the bases above. You can withdraw consent at any time without affecting past processing.
AI and model training
Baslic uses large language models to translate your natural-language instructions to Timo into structured accounting entries and to reason about line items, VAT rates, and travel allowances. Optical character recognition — turning a receipt photo into text — runs on our own infrastructure inside the EU; your receipt images are not sent to a third party for OCR. The third-party AI providers we use for the reasoning step are listed on our Sub-processors page.
We do not allow our AI sub-processors to use your data to train their models. This is enforced through enterprise contracts that turn off training-data retention. Where a sub-processor offers a no-retention mode, we use it. Where a sub-processor only retains data for short periods to detect abuse, we accept the shortest available retention.
We may use de-identified and aggregated patterns derived from the Service — for example, "how often customers in restaurants have free-meal reductions" — to improve our own classification heuristics. "Aggregated" here means data that cannot be linked back to an individual or business.
Sharing and sub-processors
We share personal data only with parties who help us deliver the Service, all of whom are bound by data-processing agreements with us. The full list is on the Sub-processors page.
We will disclose personal data to public authorities when we are legally required to do so, after taking reasonable steps to assess the lawfulness of the request. We will notify you of the request unless legally prohibited.
We do not sell your personal data, and we do not share it with advertising networks.
International transfers
Your account data and receipt content are stored on EU servers located in Germany. Where a sub-processor processes data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with supplementary technical and organisational measures such as encryption in transit and at rest.
You can request a copy of the safeguards we use for any specific sub-processor by writing to privacy@baslic.com.
Retention
- Receipts and invoices — kept for as long as your subscription is active, plus the statutory retention period required by Finnish bookkeeping law (currently six years from the end of the accounting period). If you live in a jurisdiction with a longer requirement, the longer period applies.
- Account data — after you close your account, you can export your data for 60 days through the Service's self-service tools. After that export window, we delete account data within 30 days (90 days total from closure), unless we are required to keep it longer for legal reasons. Encrypted backups containing your data may persist for up to 90 days after deletion before being overwritten in line with our backup-rotation schedule.
- Support emails — kept for up to three years from the last contact.
- Server and application logs — kept for up to 90 days, longer only when needed for an active investigation.
- Billing records — kept for the statutory accounting period (six years).
Your rights under GDPR
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct data that is inaccurate or incomplete.
- Erasure — request deletion where the legal basis for processing no longer applies.
- Restriction — ask us to limit how we process your data while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format, or have it sent to another provider.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time, for any processing based on consent.
To exercise any of these rights, write to privacy@baslic.com. We will respond within 30 days, free of charge unless the request is manifestly unfounded or excessive.
Security
We protect your data with technical and organisational measures appropriate to the risk, including:
- TLS 1.2 or higher for all data in transit.
- AES-256 encryption at rest for receipt files and database backups.
- Role-based access control with multi-factor authentication for all employee access to production systems.
- Least-privilege access — engineers receive access to customer content only when actively investigating an issue you have reported.
- Daily encrypted backups stored in a separate EU region.
- Continuous vulnerability scanning of our infrastructure and third-party dependencies.
- Documented incident-response process with breach-notification timelines aligned to Article 33 GDPR.
No security control eliminates risk completely. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, we will notify you without undue delay.
Cookies and tracking
We use a small number of strictly necessary cookies to keep you signed in, remember your language choice, and protect against cross-site request forgery. These do not require your consent under the EU ePrivacy Directive.
We do not run a product-analytics tool, and we do not embed advertising or cross-site tracking pixels. The operational metrics we need to keep the Service running are computed from our own server logs and discarded on the schedule described under Retention. Full details, including the name of each strictly necessary cookie and how long it lasts, are on our Cookies page.
Children
Baslic is a tool for businesses and the professionals who work in them. We do not knowingly process personal data of children under 16. If you believe we have, write to us and we will delete it.
Changes to this Policy
We may update this Policy as the Service evolves. When the changes are material — a new category of data, a new processing purpose, a new sub-processor handling content — we will notify you at least 30 days in advance, by email or through an in-app banner. The version you are reading is dated 17 May 2026.
Contact and complaints
The fastest way to reach us about privacy is privacy@baslic.com.
You also have the right to lodge a complaint with the supervisory authority in your country of residence. If you are in Finland, the authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki — tietosuoja.fi.
Plain language commitment