Privacy Policy
Effective date: 3 May 2026
Version: privacy-2026-05-03
This Privacy Policy explains how APPKA SIA, registration No. 40203738777, legal address Gubu iela 6, Medemciems, Olaines pag., Olaines nov., LV-2127, Latvia (“APPKA”, “we”, “us”) processes personal data in connection with Declira (“Declira”, the “Service”).
The Service is a receipt, document, bank-statement and personal accounting workflow application. It uses Firebase and Google Cloud services, server-side OpenAI API processing, Google Sign-In, Firebase App Check, and may use Google Analytics after it is enabled.
We do not sell personal data. We do not rent personal data or disclose it to data brokers. We process personal data to provide, secure, improve and support the Service, and only share it as described in this Policy.
For privacy questions or data subject requests, contact us at info@rodlen.com. We have not appointed a separate data protection officer at this stage; this email is the privacy contact point.
1. Scope
This Policy applies to:
- Declira web pages and the Firebase-hosted public website;
- the authenticated Declira app at `/app/` and any mobile or desktop versions we release;
- account registration, login, workspace setup and settings;
- receipt/document capture, AI-assisted extraction, review, storage and dashboard features;
- annual bank statement analysis and export features;
- support, operational logs and security controls.
If another notice is shown for a specific feature, that notice applies together with this Policy.
2. Roles under data protection law
For most Service processing, APPKA SIA is the data controller because we decide why and how personal data is processed for the Service.
When you upload information about other people, such as names of counterparties in a bank statement or names appearing on receipts or documents, you are responsible for having a lawful basis or other right to provide that information to the Service. We process that information to provide the Service to you and your workspace.
Our infrastructure providers and AI providers usually act as processors or service providers for the parts of the Service they host or process, unless their own terms or applicable law state otherwise.
3. Personal data we process
Depending on how you use Declira, we may process the following categories of data.
3.1 Account and authentication data
This includes email address, Firebase user ID, display name, authentication provider, login state, password authentication metadata handled by Firebase Authentication, Google Sign-In profile information provided to Firebase, password reset activity, language preference, account status and workspace membership.
We do not see or store your password in plain text.
3.2 Legal acceptance records
When you register or accept updated terms, we may record the Terms version, Privacy Policy version, date and time of acceptance, language, user ID, email, source of acceptance, app/platform information, document checksums and user-agent. These records help prove which terms applied and protect both you and us in case of disputes.
When you manage privacy choices or submit a data subject request, we may record the selected consent state, consent version, request type, request status, due date, language, user ID, email and timestamps. These records are used to demonstrate consent, process withdrawals and handle access, portability, correction, restriction, objection and erasure requests.
3.3 Workspace and accounting content
This includes workspace identifiers, member roles, receipt and document images, uploaded file names, document status, merchant names, legal names, registration numbers, VAT numbers, issue dates, payment dates, currency, totals, tax amounts, discounts, line items, categories, payment method, last four card digits if visible, notes, warnings, review decisions, accepted records, deleted/cancelled status and dashboard totals.
3.4 Annual report and bank statement content
If you use annual report features, we may process bank statement files, file names, tax year, parsed transaction rows, dates, counterparties, payment descriptions, amounts, balances where present in the statement, income groupings, income source profiles, classification rules, review questions, user answers, final classifications, comments and generated export files.
Bank statements can contain information about third parties and may reveal sensitive context. You must review what you upload and avoid uploading information you are not entitled to provide.
3.5 AI input and output data
For AI-assisted features, the Service may send receipt images, document images, extracted fields, compact transaction group information and relevant context to server-side AI providers, including OpenAI API services. The Service receives structured extraction or classification suggestions, confidence values, warnings and other AI output.
AI output is a suggestion only. It may be wrong, incomplete or outdated. You remain responsible for reviewing, correcting and approving data before relying on it.
3.6 Technical, device, security and usage data
This includes IP address or related network metadata, device and browser type, operating system, app version, Firebase project identifiers, App Check and reCAPTCHA signals, timestamps, crash/error logs, function logs, security events, storage metadata, Firestore document metadata, request identifiers and diagnostic information.
3.7 Analytics data, if enabled
We may enable Google Analytics or Firebase/Google analytics tools to understand aggregate usage, improve product flows and measure public website performance. Analytics may process page views, app events, device/browser data, approximate location, session information, cookies, mobile identifiers or similar technologies.
We do not intentionally send receipt images, bank statement files, transaction contents or detailed financial document content to Google Analytics. Where consent is required for non-essential analytics cookies or identifiers, analytics will be enabled only after the required consent is obtained.
3.8 Communications
If you contact us, we process your email address, message content, attachments, metadata and any information needed to respond to your request.
4. Why we process personal data and legal bases
We process personal data for the following purposes and legal bases:
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the Service | account creation, login, workspace setup, receipt capture, annual report analysis, data storage, exports | performance of a contract or steps before entering into a contract |
| AI-assisted extraction and classification | sending selected content to server-side AI APIs and storing suggestions for user review | performance of a contract; legitimate interests in providing core functionality |
| Security and fraud prevention | authentication, App Check, reCAPTCHA, abuse prevention, logs, access controls | legitimate interests; legal obligations where applicable |
| Legal acceptance and records | Terms/Privacy acceptance audit logs, versioning, dispute evidence | performance of a contract; legitimate interests; legal obligations |
| Support and communication | replying to support requests and privacy requests | performance of a contract; legitimate interests; legal obligations |
| Product improvement | debugging, aggregated usage review, feature quality, reliability | legitimate interests; consent where required |
| Analytics, if enabled | public website analytics, app usage measurement, conversion events | consent where required; otherwise legitimate interests where legally permitted |
| Legal compliance | responding to lawful requests, enforcing rights, tax/accounting obligations if fees are introduced | legal obligations; legitimate interests |
You may object to processing based on legitimate interests where the law gives you that right.
5. AI processing and human review
Declira uses AI to assist with data extraction and classification. The Service may use AI to read receipt images, propose merchant names, dates, totals, categories, payment details, line items, warnings and bank-statement income classifications.
AI does not replace your review. Declira is not an official tax filing system, accountant, auditor, lawyer or financial adviser. We do not make final tax, accounting, legal or financial decisions for you. The Service is designed so that you can review and correct AI-generated suggestions before accepting records or using exports.
We may use safeguards such as server-side validation, structured output schemas, confidence values, warnings and review states. These safeguards reduce risk but do not guarantee correctness.
6. Cookies, local storage and similar technologies
Declira may use cookies, local storage, session storage, IndexedDB, mobile identifiers and similar technologies for:
- essential authentication and security;
- Firebase App Check and reCAPTCHA protection;
- language preference and user interface state;
- session continuity;
- analytics, if enabled and where legally permitted;
- debugging and fraud prevention.
On the public website, Declira provides a privacy choices banner and footer control before optional analytics is used. In the authenticated app, optional analytics consent can be granted or withdrawn in Settings. The current implementation keeps optional analytics off unless you allow it. We do not use marketing cookies.
The following technologies are treated as necessary for the Service or as functionality explicitly requested by you: authentication/session persistence, security and fraud prevention, App Check/reCAPTCHA, language preference, redirect state and upload/download workflow state. You can control cookies and storage through your browser or device settings, but disabling necessary technologies may prevent the Service from working.
7. Recipients and service providers
We may share personal data with the following categories of recipients only as needed:
- Google/Firebase/Google Cloud for Firebase Hosting, Firebase Authentication, Google Sign-In, Cloud Firestore, Cloud Storage, Cloud Functions, Firebase App Check, reCAPTCHA, logging and related infrastructure;
- OpenAI API services for server-side AI extraction and classification;
- Google Analytics, if enabled, for analytics and measurement;
- hosting, security, monitoring, email, support, development and operational service providers;
- professional advisers such as lawyers, accountants or auditors;
- public authorities, courts, regulators or law enforcement where required by law or necessary to protect rights, security or legal interests.
We do not sell personal data.
8. International transfers
The Service is operated from Latvia and uses providers that may process data in the European Economic Area and other countries. The current Firebase configuration uses European Firestore and Cloud Functions regions where configured, but some provider services, authentication, security, support or AI processing may involve processing outside the EEA.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, data processing agreements, provider security terms and other lawful transfer mechanisms as applicable.
9. Retention
We keep personal data only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
Current retention approach:
- Account and workspace profile: while your account or workspace is active, then up to 90 days after deletion request unless retention is needed for legal, security or dispute reasons.
- Receipt/document records and images: while you keep them in the Service. Deleted or cancelled document images are removed or made unavailable as technically feasible; residual backups and logs may remain for up to 90 days.
- Annual report files, parsed transactions and exports: while the related report remains in your workspace. Deleted/cancelled reports are removed or made unavailable as technically feasible; residual backups and logs may remain for up to 90 days.
- Legal acceptance and audit records: for the life of the account and up to 10 years afterwards where necessary to establish, exercise or defend legal claims.
- Security logs and function logs: normally up to 180 days, unless longer retention is needed for investigation, security or legal reasons.
- Support communications: up to 3 years after the last communication, unless a longer period is needed for legal claims or compliance.
- Analytics data, if enabled: normally up to 14 months unless a shorter or longer setting is required for a specific lawful purpose.
- Legal, accounting or tax records: for the period required by applicable law, if such records are created.
AI providers and other processors may retain limited logs or metadata under their own data processing terms and security policies. For example, API abuse monitoring logs may be retained by the provider for a limited period unless different controls are approved or required.
10. Security
We use technical and organizational measures designed to protect personal data, including Firebase Authentication, workspace-based access controls, Firestore and Storage security rules, server-side Cloud Functions, App Check, request validation, limited privileged backend access, encryption in transit, provider encryption at rest and operational logging.
No internet service can be guaranteed to be perfectly secure. You are responsible for keeping your account credentials safe, using a secure email account and maintaining your own copies of important receipts, statements and exports.
11. Your rights
Subject to legal conditions, you may have the right to:
- access your personal data;
- correct inaccurate or incomplete personal data;
- request deletion of personal data;
- restrict processing;
- receive certain data in a portable format;
- object to processing based on legitimate interests;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
You can submit privacy requests in the authenticated app Settings or by emailing info@rodlen.com. The in-app request flow records the request type and creates an audit trail so we can process it. A deletion request starts a review workflow; some data may be retained where necessary for legal obligations, security, fraud prevention, accounting records, backups or the establishment, exercise or defence of legal claims.
In Latvia, the supervisory authority is the Data State Inspectorate. You can contact us first at info@rodlen.com so we can try to resolve your request.
We will respond to data subject requests without undue delay and normally within one month, unless the law allows an extension.
12. Children
Declira is intended for adults who can enter into binding agreements. The Service is not intended for children under 18. We do not knowingly collect children’s personal data. If you believe a child has provided personal data to us, contact us at info@rodlen.com.
13. Your responsibilities when uploading data
You must not upload personal data that you are not entitled to process or provide. This is especially important for bank statements, receipts, invoices, medical or pharmacy receipts, donations, information about family members, counterparties and other third parties.
You should not upload special-category data, highly sensitive data or third-party data unless it is necessary for your use of the Service and you have a lawful basis or other right to do so.
14. Changes to this Policy
We may update this Policy from time to time. If changes are material, we will take reasonable steps to notify users, for example by showing an in-app notice, updating the public website or requesting acceptance of updated terms where appropriate.
The Latvian version is the primary version. Translations are provided for convenience. If translations conflict, the Latvian version prevails unless mandatory law provides otherwise.
15. Contact
APPKA SIA
Registration No.: 40203738777
Legal address: Gubu iela 6, Medemciems, Olaines pag., Olaines nov., LV-2127, Latvia
Product: Declira
Email: info@rodlen.com