1. Who Is the Controller of Your Personal Data?
The controller of your personal data is ZenTreasury Oy (business ID: 2762104-2), located at Itämerenkatu 3, 00180 Helsinki, Finland. You can contact us via email at privacy@leaseaccounting.app or by phone at +358 9 424 68301.
This Privacy Policy applies to the following services operated by ZenTreasury Oy:
- ZenTreasury (zentreasury.com) — financial contract compliance and accounting platform
- LeaseAccounting.app (leaseaccounting.app) — self-service lease accounting software
2. What Personal Data Do We Process?
2.1. Data You Provide Directly
- Contact information: name, email address, phone number, job title
- Organization information: company name, address, industry, VAT ID
- Account credentials: email, password (hashed)
- Billing information: payment details processed via Stripe, invoicing data
- Communications: emails, support tickets, chat messages
2.2. Data Collected Automatically
- Device information: browser type, operating system
- Connection information: IP address (anonymized where possible), referral URL
- Cookie data: preferences, session identifiers (see our Cookie Policy)
- Usage data: features used, pages visited, session duration (analytics — with consent)
- Data Intelligence telemetry: features used, document types processed, workflow interactions, and AI interaction outcomes (at organisation level, not linked to individual users)
- AI operational data: AI token consumption per organisation (for billing and capacity management), extraction confidence scores
2.3. Data from Other Sources
- Publicly available business registries
- Our business partners
- Digital service providers
3. Why Do We Process Your Personal Data?
We process personal data during service provision and for business purposes including communications, marketing, service development, business partner relations, and legal compliance.
| Purpose | Legal Basis (GDPR Art 6) |
|---|---|
| Providing the Service | Performance of contract (Art 6(1)(b)) |
| Billing and payments | Performance of contract (Art 6(1)(b)) |
| Customer support | Performance of contract (Art 6(1)(b)) |
| Service improvement | Legitimate interest (Art 6(1)(f)) |
| Marketing communications | Legitimate interest or consent (Art 6(1)(f) or (a)) |
| Legal compliance | Legal obligation (Art 6(1)(c)) |
| Security and fraud prevention | Legitimate interest (Art 6(1)(f)) |
| AI-powered service delivery (document extraction, analytics) | Performance of contract (Art 6(1)(b)) |
| AI token consumption tracking (per organisation) | Performance of contract (Art 6(1)(b)) — contractual necessity for billing |
| Anonymised benchmark aggregation and service improvement | Legitimate interest (Art 6(1)(f)) — LIA conducted and available on request |
| AI feature telemetry and performance monitoring | Legitimate interest (Art 6(1)(f)) — LIA conducted and available on request |
Data subjects include potential customers, customer representatives, affiliates, jobseekers, contacts, and business partners.
4. Do We Transfer Your Personal Data?
4.1. Generally, personal data is not disclosed to third parties, except as required by law or governmental authority. Data transfers occur when using digital services including: data storage (cloud services), communications (email), payment processing, and financial management tools.
4.2. We do not sell personal data to third parties.
4.3. We use third-party service providers (sub-processors) to operate the Service. A list of current sub-processors is available upon request at privacy@leaseaccounting.app.
5. Do We Process Your Personal Data Outside the EU and the EEA Area?
Personal data may be processed outside the EU/EEA. When this occurs, adequate data protection is ensured through:
- Standard Contractual Clauses (EU SCCs, Commission Implementing Decision (EU) 2021/914)
- Adequacy decisions by the European Commission (including the EU-UK adequacy decision, renewed 19 December 2025)
- EU-US Data Privacy Framework (DPF) for certified US recipients
6. How Long Do We Retain Your Personal Data?
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and service data | Duration of contractual relationship + 30 days | Service provision |
| Billing records | 6 years after last transaction | Finnish accounting law (Kirjanpitolaki 1336/1997) |
| Marketing contacts | Until unsubscribe, or 3 years of inactivity | Legitimate interest |
| Support communications | Duration of relationship + 1 year | Service quality |
| Website analytics | 14 months | Analytics tool default |
| Cookie consent records | 3 years | GDPR accountability (Art 7(1)) |
| Document content processed by Data Intelligence | Deleted within 24 hours of processing session completion | Data minimisation — raw content not needed after extraction |
| De-identified extraction corrections | 36 months | Required to capture sufficient correction patterns across annual reporting cycles to improve extraction accuracy |
| Workflow friction events | 12 months | Service improvement — identifying and resolving user experience issues |
| AI feature telemetry (per organisation) | 24 months | Service improvement and performance monitoring |
| AI interaction labels | Per existing AI interaction retention policy | AI feature improvement — no raw prompt text retained |
| Anonymised benchmark aggregates | Indefinite (not personal data per GDPR Recital 26) | Statistical outputs from which no individual can be identified |
7. AI Processing and Data Intelligence
Our services incorporate artificial intelligence and machine learning features ("Data Intelligence Features") for automated calculations, forecasts, analytics, document data extraction, and anonymised benchmark comparisons. When AI processes your data:
- It is used to provide the Service to you under your contract (Art 6(1)(b))
- We do not use your data to train general-purpose AI models
- AI outputs are informational and do not constitute professional advice
- Human oversight is maintained for significant decisions
- AI confidence values are processed internally and displayed only as review bands to end users
7.1. Document Processing
When you upload documents for data extraction, raw document content is processed in-session and deleted within 24 hours of processing completion. Only structured extracted data (e.g., lease terms, amounts, dates) is retained as part of your account data. No raw AI prompt text is retained by default.
7.2. Extraction Corrections
If you correct an AI extraction result, the correction may be retained in de-identified form (field name, AI-extracted value, human-corrected value, confidence score, correction type, and time to correct — stripped of all Customer-identifying information) for up to 36 months to improve extraction accuracy. This retention period is necessary to capture sufficient correction patterns across annual reporting cycles. You may request deletion of your organisation's correction data by visiting zentreasury.com/privacy/opt-out or emailing privacy@leaseaccounting.app.
7.3. Anonymised Benchmarks
We generate anonymised, aggregate benchmark data from Customer Data under our legitimate interest in service improvement (Art 6(1)(f)). A Legitimate Interest Assessment has been conducted and is available upon request. Benchmarks are only produced when a minimum cohort of 20 organisations is available and no single organisation contributes more than 5% of any aggregate. Because these outputs are anonymised and cannot identify any individual or organisation, they are not personal data under GDPR Recital 26. You may object to this processing at any time by visiting zentreasury.com/privacy/opt-out or emailing privacy@leaseaccounting.app. Opting out does not affect your use of the Service.
7.4. AI Feature Telemetry
We collect operational telemetry data (features used, processing volumes, workflow friction events, error rates) at the organisation level — not linked to individual users — under our legitimate interest in monitoring and improving AI feature performance (Art 6(1)(f)). A Legitimate Interest Assessment has been conducted and is available upon request. AI token consumption is tracked per organisation for billing and capacity management purposes under contractual necessity (Art 6(1)(b)).
7.5. AI Vendors
Data Intelligence Features utilise the following third-party AI model provider:
| Vendor | Purpose | Transfer Mechanism | Privacy Information |
|---|---|---|---|
| Anthropic PBC | AI-powered document data extraction | EU Standard Contractual Clauses (SCCs) | anthropic.com/privacy |
All AI vendors are contractually prohibited from using Customer Data for their own model training purposes. The full sub-processor register is available upon request at privacy@leaseaccounting.app.
7.6. EU AI Act Transparency
In accordance with Regulation (EU) 2024/1689 (the EU Artificial Intelligence Act), data used to improve AI extraction is logged with provenance, purpose, and retention period in ZenTreasury's AI disclosure register. Users may request a summary of AI-assisted decisions affecting their data by contacting privacy@leaseaccounting.app.
7.7. Your Rights Regarding AI Processing
In addition to the rights listed in Section 8, you have the right to object to processing based on legitimate interests (Art 21 GDPR), including benchmark aggregation and telemetry. You may also request deletion of your organisation's telemetry data independent of account deletion. To exercise these rights, visit zentreasury.com/privacy/opt-out or email privacy@leaseaccounting.app.
These disclosures apply to both ZenTreasury (zentreasury.com) and LeaseAccounting.app (leaseaccounting.app).
8. What Data Protection Rights Do You Have?
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right to inspect your personal data (Art. 15)
- Right to rectify inaccurate data (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing, especially regarding legitimate interests (Art. 21)
- Right not to be subject to automated decision-making or profiling (Art. 22)
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
To exercise your rights or inquire about data protection, contact us at privacy@leaseaccounting.app. We will respond within thirty (30) days.
You have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi).
9. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you. Data Intelligence Features (including document extraction, classification suggestions, and benchmark comparisons) are tools that support, not replace, human decision-making. All AI-generated outputs require human review before being relied upon for accounting, regulatory, or business decisions.
10. Cookies
Our use of cookies and similar technologies is described in our Cookie Policy at: https://leaseaccounting.app/cookies (also applicable via https://zentreasury.com/cookies).
11. Can This Privacy Policy Be Amended?
This Privacy Policy may be amended as necessary due to legislative changes or changes in our practices. Material changes will be communicated to registered users in advance before taking effect. The "Last Updated" date at the top of this page indicates the most recent revision. Amendments take effect upon posting updated versions to the website.