Privacy Policy
Last updated: June 2026
1. Introduction
This Privacy Policy explains how LAZO (“we,” “us,” or “our”), the operator of AI Računovođa (the “Service”), collects, uses, shares, and protects your personal data when you use our Service.
AI Računovođa is an automated expense tracking and invoice categorization tool for Croatian flat-rate sole traders. This policy applies to all users of the Service, including visitors to our website at aiaccountant.lazo.build.
We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller for the purposes of this Privacy Policy is:
LAZO
Sole proprietorship / Individual
Podgorica, Montenegro
Email: support@lazo.build
If you have any questions or concerns about how we process your personal data, or if you wish to exercise any of your data protection rights, please contact us at the email address above.
3. Data We Collect
We collect the following categories of data:
3.1 Account Data
When you create an account, we collect:
- Email address
- Name
- Password (stored in hashed form only — we never store plaintext passwords)
3.2 Financial Data
When you use the Service, you may upload or enter:
- Invoice data (vendor name, amounts, dates, descriptions)
- Expense records and transaction amounts
- Business income and revenue figures
Important: All financial data is provided voluntarily by you. We only process financial data that you actively upload or enter into the Service.
3.3 Usage Data
We automatically collect certain information about how you use the Service:
- Pages visited and features used
- Session duration and frequency of use
- Actions taken within the Service (e.g., creating invoices, generating reports)
3.4 Device and Technical Data
- Browser type and version
- Operating system
- IP address
- Device type (desktop, mobile, tablet)
4. How We Use Data
We use your data for the following purposes:
- Service Provision: To provide, maintain, and operate the Service, including processing and categorizing your uploaded financial data, generating tax summaries and reports, and delivering core functionality
- Payment Processing: To process subscription payments through Paddle, our payment processor and Merchant of Record
- Communications: To send service-related communications, including account notifications, security alerts, and important updates about the Service
- Service Improvement: To analyze usage patterns and improve, optimize, and enhance the Service's functionality and user experience
- Security: To detect, prevent, and address fraud, unauthorized access, and other security issues
- Legal Compliance: To comply with applicable laws, regulations, and legal obligations
We do NOT:
- Sell your personal data or financial data to third parties
- Use your financial data for advertising or marketing purposes
- Share your individual financial data with advertisers or data brokers
- Use your data for profiling or for automated decision-making that produces legal or similarly significant effects for you (Article 22 GDPR)
5. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract Performance (Article 6(1)(b) GDPR): Processing is necessary for the performance of our contract with you — i.e., providing the Service you signed up for, including expense tracking, categorization, and report generation
- Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, provided that such interests are not overridden by your data protection rights
- Consent (Article 6(1)(a) GDPR): Where we rely on your consent (e.g., for optional marketing communications), you may withdraw your consent at any time by contacting us at support@lazo.build
- Legal Obligations (Article 6(1)(c) GDPR): Processing is necessary to comply with applicable tax, regulatory, or other legal obligations
6. AI Data Processing
To provide AI-powered features such as automatic expense categorization and invoice data extraction, your data may be processed by artificial intelligence models. Specifically:
- AI Provider: We use the Claude API by Anthropic, PBC for AI processing
- How it works: When you use AI features (available on Starter and Pro plans), the relevant data from your invoices and expenses is sent to Anthropic's API over encrypted (TLS) connections. The AI model processes the data and the results (categorizations, extracted data) are returned to our Service
- Data retention by AI provider: Per Anthropic's commercial API terms, data sent through the API is NOT used by Anthropic to train their AI models. API inputs and outputs may be retained for a limited period (typically 30 days) for trust and safety purposes, after which they are deleted
- What data is sent: Only the specific invoice or expense data needed for the processing task is sent to the AI. We do not send your entire account data, personal information, or unrelated financial records
- Output retention: AI-generated outputs (categorizations, extracted invoice data) are stored as part of your account data within our Service
7. Data Sharing
We share your data with the following categories of third-party service providers, solely for the purposes of operating and providing the Service:
- Supabase (Supabase, Inc.) — Database hosting and backend infrastructure. Your account data and financial data are stored in Supabase-managed databases. Data may be stored on servers in the EU or US
- Vercel (Vercel, Inc.) — Application hosting and edge network. The Service is deployed on Vercel's infrastructure, which routes requests through its global edge network
- Anthropic (Anthropic, PBC) — AI processing. Invoice and expense data is processed via Anthropic's Claude API for AI-powered features (Starter and Pro plans only)
- Paddle (Paddle.com Market Limited) — Payment processing. Paddle acts as the Merchant of Record and processes subscription payments, billing, and tax collection
- Resend (Resend, Inc.) — Transactional email delivery. We use Resend to send account-related emails such as verification, password reset, and service notifications
We do NOT share your individual financial data with any parties other than those listed above. We may share anonymized, aggregated statistical data that cannot be used to identify any individual user.
8. Data Retention
- Active accounts: Your data is retained for as long as your account remains active and you continue to use the Service
- Free plan accounts: Financial data (invoices, expenses) is retained for 30 days from the date of entry. After 30 days, financial data is automatically deleted. Account data (email, name) is retained for as long as the account exists
- After cancellation: Upon cancellation of your account, all personal data and financial data associated with your account will be deleted within 30 days
- Anonymized data: We may retain anonymized, aggregated data that cannot identify individual users indefinitely for analytics and service improvement purposes
- Backup copies: Backup copies of your data may persist in our backup systems for up to 90 days after deletion from production systems
- Legal requirements: We may retain certain data for longer periods where required by applicable law or regulation
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights with respect to your personal data:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it
- Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data
- Right to Erasure (Article 17): You have the right to request deletion of your personal data (“right to be forgotten”), subject to applicable legal obligations
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes
- Right to Withdraw Consent (Article 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement
To exercise any of these rights, please contact us at support@lazo.build. We will respond to your request within one month of receiving it, as required by Article 12(3) GDPR. We may ask you to verify your identity before acting on your request, so that personal data is not disclosed or deleted at the request of someone other than the account holder.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
- Encryption at rest: Data stored in our databases is encrypted at rest using industry-standard encryption algorithms
- Row-level security: Access to stored records is enforced by row-level security (RLS) policies evaluated by the database itself, so that an authenticated user can read or modify only the rows that belong to their own account, regardless of which part of the application issues the query
- Access controls: Access to production systems and user data is restricted to authorized personnel only
- Regular security reviews: We conduct periodic reviews of our security practices and infrastructure
Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
11. International Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where several of our service providers (such as Supabase, Vercel, and Anthropic) maintain infrastructure.
Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place to protect your personal data in accordance with GDPR requirements. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission for the recipient country
- Other appropriate safeguards as permitted under applicable data protection laws
12. Children's Privacy
The Service is not directed at, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data as soon as practicable.
If you believe that we may have collected data from a minor, please contact us immediately at support@lazo.build.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the latest revision at the top of this page.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. For material changes that significantly affect how we process your personal data, we will make reasonable efforts to notify you via email or through a notice within the Service.
14. Contact
If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise any of your data protection rights, please contact us at:
Email: support@lazo.build
LAZO
Podgorica, Montenegro