GDPR and data protection.
What data we process, why, for how long, who has access to it, and how to exercise your rights. The controller is PASIQA OÜ; we process the data on servers in the EU.
1. Controller
The controller of personal data within the meaning of Art. 4(7) GDPR is PASIQA OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia. 1FAKTURA is a trademark of the controller.
Contact for personal data protection matters: privacy@1faktura.sk.
2. What data we process
We process the following categories of personal data:
- Identification and contact data of the User — name, e-mail, phone (optional), Company ID / Tax ID / VAT ID (if relevant).
- Billing data of the User — subscription data, payment history (the card token is held by Stripe; we only keep the last 4 digits and card type).
- Technical data — IP address, browser type, access time (logs for security and diagnostics, retention 30 days), cookies (see section 8).
- Data about the User’s clients (invoice recipients) — here the User acts as the controller and we act as the processor (Art. 28 GDPR). We process name / company name, Company ID, address and e-mail according to the User’s instructions.
3. Purposes and legal bases
- Provision of the service (issuing invoices, archive, export) — performance of contract, Art. 6(1)(b) GDPR.
- Accounting and tax obligations (invoice archive 10 years) — compliance with a legal obligation, Art. 6(1)(c) GDPR in conjunction with Slovak / Estonian VAT regulations.
- Payment processing — performance of contract + legitimate interest in fraud prevention.
- Marketing e-mails about product news — only with consent (opt-in) or on the basis of legitimate interest for existing customers (with the option to unsubscribe at any time).
- Security logs and antifraud — legitimate interest.
4. Retention period
- Billing data and issued invoices — 10 years under statutory archival periods.
- User account data — for the duration of the contract and afterwards under limitation periods (up to 4 years after account closure).
- Technical logs — 30 days.
- Marketing consents — until consent is withdrawn.
5. Recipients (processors)
The following processors may handle the data:
- Stripe Payments Europe, Ltd. (Ireland) — payment processing.
- Vercel Inc. / Vercel GmbH — application hosting (EU servers, primarily Frankfurt).
- Prisma Data, Inc. — Prisma Postgres database (EU servers).
- Resend, Inc. — transactional e-mails (confirmations, reminders, issued invoices).
- Functional Software, Inc. (Sentry) — application error and performance monitoring. We send technical metadata (URL, stack trace, browser); personal data from the session is redacted before sending.
- OpenAI, Ireland Ltd. — optional OCR and structured extraction of data from expense documents (receipts, invoices) when importing expenses via OCR. We process only the content of the document the user actively uploads; we have opted out of images being stored for OpenAI training.
All processors are bound by a processing agreement under Art. 28 GDPR. We do not transfer data outside the EU / EEA except to OpenAI (USA, adequacy via DPF or standard contractual clauses under Art. 46 GDPR). If the scope of transfers outside the EU expands, we will inform you again.
6. Your rights as a data subject
You have the right to:
- access your personal data (Art. 15 GDPR);
- rectification of inaccurate data (Art. 16);
- erasure (the “right to be forgotten”), unless we are required to retain the data on legal grounds (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing (Art. 21);
- withdraw consent at any time where processing is based on it.
Exercise these rights by e-mail at privacy@1faktura.sk. We respond within 30 days (in exceptional cases extended by 60 days with notice).
You may lodge a complaint with a supervisory authority:
- Slovak Republic — Úrad na ochranu osobných údajov SR, Hraničná 12, 820 07 Bratislava (dataprotection.gov.sk).
- Republic of Estonia — Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn (aki.ee).
7. Security
We encrypt data both at rest and in transit (AES-256, TLS 1.2+). Database access is restricted, authorised and logged. We back up regularly with 30-day retention. In the event of a security incident that may pose a risk to your rights, we will inform you within 72 hours in accordance with Art. 33 / 34 GDPR.
8. Cookies
We use necessary cookies for the application to function (session, CSRF token, language preferences). We use analytics cookies with your consent. We do not store third-party cookies without explicit opt-in.
A full cookies statement is in preparation; until it is published, necessary cookies are stored on the basis of legitimate interest (technical functioning of the service), and marketing / analytics only with consent.
9. Changes to these rules
We may update these personal data protection rules. We notify you of material changes by e-mail and via a banner in /dashboard. The version of these rules is valid from the last-updated date shown below. The Slovak language version of this document is the legally binding one.
Last updated: 11 May 2026 · Version 1.0 · Operator PASIQA OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia