Privacy Policy - Moniary

Effective Date: June 1, 2025

Last Updated: February 11, 2026

Sunamity, s.r.o.

Korunní 2569/108, Vinohrady (Praha 10), 101 00 Praha, Czech Republic

Company ID: 22046496

Registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 409537

support@moniary.com

Sunamity, s.r.o. ("Moniary", "we", "us", or "our"), located at Korunní 2569/108, Vinohrady (Praha 10), 101 00 Praha, Czech Republic, Company ID: 22046496, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, services, and applications (collectively, the "Service"). This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and Czech data protection laws.

Please read this Privacy Policy carefully. By using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not access or use the Service.

1. Information We Collect

We collect information about you in various ways when you use our Service:

Information You Provide Directly:

Account Information: When you register for an account, we collect information such as your name, email address, and password.

Payment Information: If you purchase credits, payment is processed via bank transfer to the Provider's bank account. We do not store any payment card information.

Communications: If you contact us directly (e.g., for support), we may collect your name, email address, and the contents of your message.

Information Collected Automatically via Email Access:

Email Content (Limited Use): When you connect your email account (e.g., Gmail) via secure authentication (OAuth), our Service automatically scans the content of your emails *solely* to identify and extract relevant data from supplier invoices. This includes information like supplier name, invoiced items, price, invoice date, due date, and VAT information.

Metadata: We may collect metadata associated with these emails, such as sender, recipient, date, and subject line, to help categorize and manage the extracted data.

Uploaded Files: When you manually upload invoice files, we process and temporarily store these files for data extraction.

2. How We Use Your Information

We use the collected information for the following purposes:

To Provide and Operate the Service: Create and manage your account, process your email data and uploaded files to extract invoice information, display organized data, and provide other core features.

To Improve and Optimize the Service: Understand how users interact with the Service, analyze trends, troubleshoot issues, and develop new features.

To Communicate With You: Send service-related communications (e.g., account verification, technical notices, updates, security alerts) and respond to your support requests.

For Security and Fraud Prevention: Monitor for suspicious activity, prevent fraud, and enforce our Terms of Service.

For Legal Compliance: Comply with applicable laws, regulations, legal processes, or governmental requests.

3. Legal Basis for Processing (GDPR)

Our legal basis for collecting and using personal data depends on the information concerned and the context:

Performance of a Contract: We process your account information, connected email data, and usage data as necessary to provide the Service you requested under our Terms of Service.

Consent: We rely on your consent to connect your email accounts to the Service and to send you marketing communications. You can withdraw your consent at any time.

Legitimate Interests: We process information for security, fraud prevention, and service improvement (using anonymized/aggregated data) based on our legitimate interests.

Legal Obligation: We may process information to comply with legal requirements.

4. Automated Processing and AI

We use artificial intelligence (AI) and automated processing to provide core features of the Service:

Invoice Data Extraction: When you connect your email account or upload invoice files, our AI system automatically scans and extracts structured data from invoices, including supplier details, amounts, due dates, line items, and VAT information. This process is fully automated and does not involve human review of your documents.

Logic Involved: Our AI models use machine learning and natural language processing to identify and extract relevant fields from invoice documents. The system recognizes common invoice formats and structures to map data into standardized fields.

Significance and Consequences: The extracted data is presented to you for review in your dashboard. The AI extraction is an assistive tool — it does not make any legal, financial, or binding decisions on your behalf. You remain responsible for reviewing, verifying, and approving all extracted data before using it in your accounting systems. Extraction accuracy may vary depending on document quality and format.

No Automated Decision-Making with Legal Effects: Our automated processing does not produce legal effects or similarly significantly affect you within the meaning of Article 22 of the GDPR. The AI extracts and organizes data, but all decisions regarding the use of that data are made by you.

No AI Training: We do not use your data to train, fine-tune, or improve our AI models. Your data is processed solely for the purpose of extracting invoice information for your use.

Your Rights: You have the right to request information about the automated processing of your data. If you have concerns about the accuracy of AI-extracted data or wish to request human review of specific processing results, please contact us using the details in the Contact section below.

5. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

Service Providers: We share information with third parties who provide services on our behalf, such as hosting services, payment processors, and analytics services.

Legal Requirements: We may disclose your information if required by law or if we have a good faith belief that disclosure is necessary.

With Your Consent: We may share your information with third parties when we have your explicit consent.

6. Data Security

We implement technical and organizational measures designed to protect your personal information from unauthorized access, use, alteration, or destruction. These measures include encryption (e.g., HTTPS for data in transit, encryption for sensitive data at rest), access controls, and regular security assessments.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service:

Strictly Necessary Cookies: These cookies are essential for the Service to function properly. They include session cookies, authentication tokens, and security cookies. These cannot be disabled.

Analytics Cookies: We use Vercel Analytics to understand how users interact with the Service. Analytics data includes anonymized usage information such as page views and web vitals.

Legal Basis: Strictly necessary cookies are placed based on our legitimate interest in providing a functional service. Analytics cookies are placed only with your consent, which you can provide or withdraw through our cookie banner.

Managing Preferences: You can manage your cookie preferences at any time through: (a) our cookie consent banner, which appears when you first visit the Service; (b) your browser settings, where you can block or delete cookies. Please note that disabling strictly necessary cookies may prevent you from using the Service.

8. Data Breach Notification

Notification to Supervisory Authority: In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Office for Personal Data Protection (ÚOOÚ) without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR.

Notification to Data Subjects: If a data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, describing the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address the breach.

Processor-to-Controller Notification: Where Moniary acts as a data processor, we will notify the relevant controller without undue delay after becoming aware of a personal data breach, in accordance with our Data Processing Agreement.

9. Data Retention

We retain your personal information for specific periods depending on the type of data and the purpose of processing:

Account Data: We retain your account information (name, email, password hash) for the duration of your active account plus 30 days after account deletion for recovery purposes.

Extracted Invoice Data: Invoice data extracted through the Service is retained for the duration of your active account plus 30 days after account deletion.

Email Content: Email content is processed in real-time for invoice extraction purposes. We do not store the full content of your emails beyond the extraction process.

Support Communications: Records of support requests and communications are retained for 3 years from the date of the last communication.

Billing Records: Billing and payment records are retained for 10 years in accordance with Czech tax and accounting legislation (Act No. 563/1991 Coll., on Accounting).

After the applicable retention period expires, personal data is securely deleted or anonymized.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Right to Access: Request access to the personal information we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete information.

Right to Erasure (Right to be Forgotten): Request deletion of your personal information, subject to certain exceptions.

Right to Restrict Processing: Request restriction of how we process your information in certain circumstances.

Right to Data Portability: Request a copy of your information in a structured, commonly used format.

Right to Object: Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent as the legal basis.

How to Exercise Your Rights: To exercise any of these rights, please contact us using the details provided in the "Contact Information" section below. We will respond to your request in accordance with applicable laws.

11. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your own, including the United States, where our servers or service providers may be located. If we transfer personal information from the EEA, UK, or Switzerland to other countries, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs).

12. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

13. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will also notify you by email or through a notification in the Service.

14. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Email: support@moniary.com

Data Protection Officer: support@moniary.com

15. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. In the Czech Republic, the competent authority is:

Office for Personal Data Protection

Pplk. Sochora 27, 170 00 Praha 7

Phone: +420 234 665 111

Email: posta@uoou.cz

Website: www.uoou.cz