Privacy Policy

PRIVACY POLICY – LEDGERLOOP AI (B2B)
Last updated: 2025-02-01

For Swedish version: Integritetspolicy

1. Introduction

Riza Consulting AB (Reg. No. 559213-9090) (“we”, “us”) provides LedgerLoop AI (the “Service”), a B2B SaaS solution for bookkeeping, invoicing, payroll, and related financial workflows.

This Privacy Policy describes how we process personal data under the EU General Data Protection Regulation (GDPR) and applicable Swedish data protection law. It applies both when we act as a Processor for our Clients and when we act as a Controller for our own business operations.

2. Contact details

Riza Consulting AB
Skogslyckevägen 9, 436 55 Hovås, Sweden
Email: info@rizaconsulting.se / hello@ledgerloop.ai
Phone: +46 721515412

If we appoint a Data Protection Officer (DPO), we will publish the DPO contact details here or on our website.


PART A – When we act as Processor (in the Service)

3. GDPR roles

When the Client processes personal data in the Service, the Client is the Controller and we act as the Processor. We process personal data only on the Client’s documented instructions and in accordance with a Data Processing Agreement (DPA).

4. Personal data processed in the Service

The categories of personal data depend on the Client’s use of the Service and may include:

  • employee data (e.g., name, address, salary, national ID number, bank account details),

  • customer and supplier contact data (e.g., name, email, phone, address),

  • accounting and financial records that may contain personal data.

5. Data Processing Agreement (DPA)

Our Processor activities are governed by a DPA. We may require an executed DPA before enabling certain personal-data processing features.

6. Security and personal data breaches

We implement appropriate technical and organizational measures to protect personal data, such as access controls, logging, encryption in transit, and backup/restore routines.

If a personal data breach affects personal data we process as Processor, we will notify the Client without undue delay so the Client can meet its obligations.

7. Data subject rights (in the Service)

Data subjects (e.g., the Client’s employees, customers, or suppliers) should contact the Client to exercise their rights. If we receive a request directly, we will forward it to the Client in accordance with the DPA and applicable law.


PART B – When we act as Controller (our business)

8. Personal data we process as Controller

We may process personal data related to Client representatives, Users, and others who contact us, including:

  • account and contact details (name, email, phone, role, company),

  • billing and payment administration data (invoice details, transaction references),

  • support tickets (communications and attachments),

  • technical and security data (e.g., IP address, login events, device/browser data, logs) for security, operations, and troubleshooting.

9. Purposes and legal bases

When we act as Controller, we process personal data for the following purposes and legal bases:

  1. account and contract administration – Contract

  2. billing and payments – Contract and, in some cases, Legal obligation (e.g., accounting)

  3. customer support and relationship management – Contract and/or Legitimate interests

  4. security, abuse prevention, troubleshooting, and operations – Legitimate interests

  5. improvement and development (aggregated/statistical analytics) – Legitimate interests

  6. B2B marketing communications – Legitimate interests or Consent where required

10. Cookies and similar technologies

We use cookies and similar technologies on our website (and possibly in the Service) for:

  • essential functionality (e.g., security and session management),

  • analytics/statistics (to understand usage and improve the experience),

  • marketing (if enabled).

Non-essential cookies are set only after valid consent. You can change or withdraw your consent at any time via our cookie settings (e.g., banner or website link). Essential cookies cannot be disabled if required for basic website functionality.

11. Recipients, vendors, and sub-processors

We may share personal data with vendors that help us provide the Service and operate our business, such as:

  • Microsoft Azure (hosting/infrastructure),

  • Azure AI Document Intelligence (document extraction), where we use the West Europe region,

  • Mailgun (email services for document routing/ingestion),

  • billing/payment vendors (if applicable),

  • professional advisors (e.g., auditors/lawyers) when necessary,

  • public authorities where required by law.

When we act as Processor, sub-processors are used under the DPA.

12. Email ingestion of invoices and receipts (routing)

The Service may allow the Client or Users to send or forward invoices and expense receipts to a dedicated email address for automated processing.

We typically process email metadata (sender, recipient, timestamps) as well as email content and attachments (PDF/images), which may contain personal data.

The Client is responsible for submitting only necessary content and informing Users what should be sent. The Client is the Controller for personal data contained in the documents.

We use Mailgun to receive/deliver email and Azure AI Document Intelligence (West Europe) to extract document data as technical means of processing, in accordance with the DPA where we act as Processor.

Incoming messages and attachments may (i) be stored in the Client account as documents, (ii) be temporarily cached for processing and troubleshooting, and (iii) appear in backups for limited periods under our routines.

13. International transfers (EU and the US)

We use vendors and services where processing of personal data may occur in the EU/EEA and in the United States.

Where personal data is transferred or made accessible outside the EU/EEA, we use lawful transfer mechanisms, typically:

  • the EU–U.S. Data Privacy Framework (DPF) where the recipient is certified, and/or

  • EU Standard Contractual Clauses (SCC) together with supplementary safeguards where required.

Supplementary safeguards may include strong encryption, strict access controls, organizational measures, and transfer risk assessments.

14. Retention and deletion

In the Service (Client-controlled): We store personal data according to the Client’s instructions. Upon termination or suspension, Client Data may be deleted after a reasonable period (e.g., 30 days) unless otherwise required by contract or law. The Client is responsible for exporting data before termination.

Controller retention: We retain billing/admin/support data as long as necessary for the purposes above and may retain data longer to comply with legal obligations or to handle disputes.

15. Rights and complaints

When we are Controller, you can exercise GDPR rights (access, rectification, erasure, restriction, objection, etc.).

You also have the right to lodge a complaint with the Swedish authority Integritetsskyddsmyndigheten (IMY).

16. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, unless we explicitly inform you otherwise.

17. Changes to this Policy

We may update this Privacy Policy. Changes take effect 30 days after notice via our website, email, or another reasonable channel, unless required otherwise by law.