Privacy Policy

1. Introduction & Scope

Qontab ("we", "us", or "our") is operated by ZeroKnowledge LTD, a company registered in Mauritius. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, API, and related services (collectively, the "Service").

This policy is designed to comply with the Mauritius Data Protection Act 2017 ("DPA 2017") and the European Union General Data Protection Regulation ("GDPR") where applicable to users within the European Economic Area ("EEA").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this policy.

Key Definitions

• Personal Data — any information relating to an identified or identifiable natural person.
• Data Controller — ZeroKnowledge LTD, which determines the purposes and means of processing Personal Data.
• Data Processor — any third party that processes Personal Data on our behalf.
• User — any individual who accesses or uses the Service.
• Tenant / Organization — the business entity under which one or more Users operate within the Service.

2. Information We Collect

2.1 Account Information

When you register, we collect your full name, email address, organization name, and optionally your organization's tax identification numbers and company logo. If you create an account on behalf of an organization, you represent that you have authority to bind that organization.

2.2 Third-Party Authentication

If you sign in via Google OAuth, we receive your name, email address, and profile picture from Google. If you use passkey (WebAuthn) authentication, we store a public key credential linked to your account. We do not receive or store your Google password or biometric data.

2.3 Financial Data

To provide accountancy services, you may enter or import financial data including but not limited to: transactions, journal entries, chart of accounts, invoices, receipts, contact records, payroll data, fixed asset registers, VAT returns, bank account details, and project cost allocations. This data is stored securely and is accessible only to authorized members of your organization in accordance with your configured role-based access controls.

2.4 Automatically Collected Data

We automatically collect standard technical information including your IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and locale preferences. We use OpenTelemetry for application performance monitoring, which collects trace and metric data to help us maintain service reliability.

2.5 Mobile Application Data

Our mobile application may request access to your device's camera (for receipt capture) and photo library (for uploading existing receipt images). Authentication tokens are stored securely using your device's secure storage (Keychain on iOS, Keystore on Android). We also collect basic device information such as device model and OS version for compatibility and debugging purposes.

We do not collect or access your location data, contacts, microphone, or any other device sensors beyond camera and photo library access that you explicitly grant.

2.6 Cookies

We use a minimal set of essential cookies required for the Service to function:

• Session token — an HTTP-only secure cookie for authentication, valid for 30 days with 24-hour rolling refresh.
• Locale cookie (trakr_locale) — stores your language preference (e.g., "en" or "fr").
• 2FA trust cookie — if you enable two-factor authentication, a trust cookie may be set for recognized devices.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.

3. Legal Basis for Processing

We process your Personal Data under the following legal bases, in accordance with GDPR Article 6 and DPA 2017 Section 22:

• Contract performance — processing necessary to provide the Service you have subscribed to, including account management, financial data processing, and AI-assisted features.
• Legitimate interests — processing necessary for our legitimate interests, including security monitoring, fraud prevention, service improvement, and usage analytics, provided these do not override your fundamental rights.
• Legal obligation — processing necessary to comply with applicable laws, such as tax record-keeping requirements, anti-money laundering regulations, and responding to lawful requests from authorities.
• Consent — where we rely on your consent (e.g., optional communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Provide, maintain, and improve the Service, including double-entry bookkeeping, reporting, invoicing, payroll, asset management, and project tracking
• Authenticate your identity and manage your account, including email verification and admin approval during private beta
• Process financial data for bookkeeping, tax calculations, and regulatory reporting features
• Power AI-assisted features such as transaction categorization, receipt scanning, bank statement parsing, and smart suggestions
• Generate and deliver invoices via email using our transactional email provider
• Convert currencies using third-party exchange rate APIs to display multi-currency financial data
• Send transactional emails including account approval notifications, password reset links, and security alerts
• Enforce subscription plan limits and usage quotas
• Monitor for security threats, unauthorized access, and abuse prevention using rate limiting and audit logging
• Collect application performance metrics via OpenTelemetry to ensure service reliability
• Comply with legal obligations including tax record-keeping and regulatory requirements

5. AI Data Processing

Qontab uses artificial intelligence to enhance your experience with features such as automatic transaction categorization, receipt data extraction, bank statement parsing, and smart suggestions. We take your privacy seriously when processing data through AI systems.

AI Provider Chain

We use a multi-provider approach for resilience: Google Gemini (primary), Anthropic Claude (secondary), and OpenAI (tertiary fallback). Requests are routed to the next provider only if the primary provider is unavailable.

What Data Is Sent to AI Providers

• Receipt images and extracted text for data extraction
• Transaction descriptions and amounts for categorization
• Bank statement excerpts for parsing and matching
• Contextual information such as your chart of accounts for improved accuracy

What Data Is Never Sent

• Passwords, authentication tokens, or API keys
• Complete database contents or bulk data exports
• Personal identification documents beyond receipts
• Data from other tenants or organizations

AI Training & Retention

Your data is not used to train AI models. All AI providers process data under data processing agreements that prohibit using customer data for model training. AI responses include confidence scores where applicable, and all AI-generated results should be reviewed by you before reliance. AI usage is metered per tenant and subject to your subscription plan limits.

6. Data Storage & Security

We implement industry-standard security measures to protect your data:

• Encryption in transit — all data is transmitted over TLS 1.2 or higher.
• Encryption at rest — stored data is encrypted at rest using AES-256.
• Multi-tenant isolation — financial data is strictly isolated between organizations using row-level security. No tenant can access another tenant's data.
• Password security — passwords are hashed using bcrypt or Argon2 with appropriate cost factors. We never store plaintext passwords.
• Session management — sessions are valid for 30 days with automatic 24-hour rolling refresh. Sessions can be revoked at any time.
• Rate limiting — we enforce rate limits to prevent brute-force attacks, including 5 login attempts per 15 minutes and 3 signup attempts per hour per IP address.
• Role-based access control (RBAC) — access within your organization is controlled by roles (Owner, Admin, Member, Viewer) with appropriate permission boundaries.

Breach Notification

In the event of a personal data breach, we will notify the Mauritius Data Protection Commissioner in accordance with DPA 2017 Section 28 and, where applicable, the relevant supervisory authority under GDPR Articles 33 and 34, without undue delay and within 72 hours of becoming aware of the breach. Affected users will be notified directly if the breach is likely to result in a high risk to their rights and freedoms.

7. Data Sharing & Sub-processors

We do not sell, rent, or trade your personal or financial data to third parties. We share data only with the following categories of sub-processors, all of whom operate under data processing agreements:

• AI providers — Google (Gemini), Anthropic (Claude), and OpenAI for AI-powered features. Data shared is limited to what is described in Section 5.
• Authentication — Google (OAuth sign-in). We receive only basic profile information.
• Email delivery — Resend for transactional emails such as account notifications, password resets, and invoice delivery.
• Exchange rate APIs — open.er-api.com and openexchangerates.org for currency conversion. No personal data is shared with these services; only currency pair requests are made.

We may also disclose your information if required to do so by law, in response to valid legal process (such as a court order or subpoena), or to protect the rights, property, or safety of ZeroKnowledge LTD, our users, or the public. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, and we will notify you of any such change.

8. International Data Transfers

ZeroKnowledge LTD is based in Mauritius. Some of our sub-processors (including AI providers and email delivery services) are based in the United States. When your data is transferred outside of Mauritius or the EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
• Data processing agreements with all sub-processors that include appropriate security and confidentiality obligations
• Compliance with DPA 2017 Section 35 regarding cross-border transfers of personal data from Mauritius

9. Data Retention

We retain your data according to the following schedule:

• Account data — retained for as long as your account is active and for a reasonable period thereafter to allow for reactivation.
• Financial data — retained in accordance with applicable legal and regulatory requirements, typically 5 to 7 years depending on jurisdiction and record type.
• Session data — authentication sessions expire after 30 days and are purged on expiry.
• Application logs — retained for 90 days for security monitoring and debugging, then automatically deleted.
• Account deletion — when you request account deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law. Financial records may be retained in anonymized form to meet legal obligations.

10. Your Rights

Under GDPR and DPA 2017 (Sections 38–40), you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data, subject to legal retention requirements.
• Right to restriction — request that we limit the processing of your data in certain circumstances.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format (CSV, JSON).
• Right to object — object to processing based on legitimate interests or for direct marketing purposes.
• Right regarding automated decisions — you will not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. AI features provide suggestions that require your review and approval.
• Right to withdraw consent — where processing is based on consent, withdraw at any time without affecting prior lawful processing.
• Right to lodge a complaint — file a complaint with the Mauritius Data Protection Commissioner or, if you are in the EEA, your local supervisory authority.

To exercise any of these rights, contact us at contact@qontab.com. We will respond to your request within 30 days. We may request verification of your identity before processing your request.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us at contact@qontab.com.

12. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party services you access through links on our Service.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will notify you via email to the address associated with your account and through an in-app notification at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when the policy was most recently revised. Previous versions of this policy are available upon request by contacting contact@qontab.com.

14. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

ZeroKnowledge LTD
Mauritius

Email: contact@qontab.com