Privacy Policy
This Privacy Policy describes how Leiko AI Oy (“Leiko”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects your personal data when you use the Leiko mobile application and related services (collectively, the “Service”). This policy applies to all users of the Service regardless of location, with additional rights for users in the European Economic Area (“EEA”), the United Kingdom, and other jurisdictions with applicable data protection laws.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must not use the Service.
1. Data Controller
The data controller responsible for your personal data is:
- Entity: Leiko AI Oy
- Registered in: Finland (Business ID pending)
- Contact: privacy@leiko.ai
- Data Protection Officer: dpo@leiko.ai
2. Data We Collect
We collect and process the following categories of personal data. The scope of data collected depends on the features you choose to activate and the integrations you enable.
2.1 Data You Provide Directly
- Account registration data: name, email address, and authentication credentials
- Business entity information: company name, business ID (Y-tunnus), VAT identification number, registered address, bank account details (IBAN, BIC), and related corporate information
- Invoice and financial data: invoice line items, amounts, currencies, customer details, payment terms, and payment status
- Task and project data: task descriptions, deadlines, priorities, project names, time entries, and associated notes
- Customer/contact data: names, email addresses, phone numbers, postal addresses, and communication history of your clients and business contacts
- Receipt and expense data: photographed receipts, vendor names, amounts, dates, expense categories, and extracted text from optical character recognition (OCR) processing
- Voice input data: audio recordings when using voice features, and the resulting transcriptions
- Chat and conversation data: all messages, prompts, instructions, and interactions you have with the Leiko AI assistant
- User preferences and settings: language preferences, notification settings, onboarding choices, and feature configuration
- Feedback and support communications: any correspondence you send to us
2.2 Data Collected Through Integrations
When you connect third-party services, we access and process data from those services as described below. You may revoke access at any time through the Service settings.
- Google Calendar: calendar event titles, descriptions, times, locations, attendee information, meeting links, and event metadata. Access is two-way: we read events and may create, modify, or delete events on your behalf when you instruct us to do so.
- Gmail: email headers (sender, recipient, subject, date), email body content, attachment metadata, labels, and thread information. We access emails to provide AI-powered summaries, search, and action extraction. We do not modify or send emails without your explicit instruction.
- Camera and photo library: images you capture or select for receipt processing, including EXIF metadata (location, timestamp, device information) embedded in those images.
2.3 Data Collected Automatically
- Device information: device model, operating system version, unique device identifiers, screen resolution, and language settings
- Usage analytics: features used, interaction patterns, session duration, navigation paths, error logs, and performance metrics
- Network data: IP address, approximate geolocation derived from IP address, internet service provider, and connection type
- AI interaction metadata: timestamps, response latencies, tool calls invoked, token consumption, model versions used, and conversation thread identifiers
2.4 AI-Learned Data
The Service includes AI features that learn from your interactions to improve personalization. This includes:
- Behavioral patterns: inferred working hours, preferred meeting durations, lunch times, communication tone preferences, and routine task patterns
- Business context: learned client relationships, recurring invoicing patterns, typical hourly rates, preferred expense categories, and project associations
- Preference models: accumulated understanding of your communication style, formatting preferences, and decision-making patterns
You may view, modify, and delete AI-learned data at any time through the Service settings.
3. How We Use Your Data
3.1 Primary Purposes
We process your personal data for the following purposes:
- To provide and operate the Service, including AI-assisted invoicing, receipt processing, task management, email summarization, calendar management, time tracking, and conversational assistance
- To personalize and improve the AI assistant's responses, accuracy, and contextual understanding based on your usage patterns and explicit preferences
- To process and execute actions you request, including creating and sending invoices, scheduling events, logging expenses, and managing tasks
- To facilitate integrations with third-party services you authorize
- To communicate with you regarding service updates, security notices, and administrative messages
3.2 Legitimate Interest Purposes
We process certain data based on our legitimate interests, balanced against your rights:
- To analyze aggregated and anonymized usage patterns for product development, feature prioritization, and Service improvement
- To detect, investigate, and prevent fraud, abuse, security incidents, and technical issues
- To generate aggregated, anonymized insights about market trends and user behavior for internal analytics and potential publication (no individual identification possible)
- To maintain and improve the performance, reliability, and security of the Service infrastructure
- To develop new features, products, and services based on observed usage patterns
- To train, evaluate, and improve our AI models using anonymized and aggregated interaction data, subject to Section 5
3.3 Legal Compliance
- To comply with applicable laws, regulations, legal processes, or governmental requests
- To enforce our Terms of Service and protect our legal rights
- To meet accounting, tax reporting, and financial regulatory obligations
4. Legal Bases for Processing (GDPR)
For users in the EEA and UK, we rely on the following legal bases under Articles 6 and 9 of the General Data Protection Regulation:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you have requested, including account management, core features, and integration functionality.
- Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before processing, including for optional integrations (Google Calendar, Gmail), voice recording and transcription, and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including Service improvement, analytics, fraud prevention, security, and AI model development, provided these interests are not overridden by your fundamental rights. We conduct balancing tests for each legitimate interest processing activity.
- Legal obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject, including financial reporting, tax compliance, and data retention requirements under applicable law.
5. AI Processing and Automated Decision-Making
5.1 How AI Processing Works
The Service uses artificial intelligence models provided by Anthropic (Claude) and Google (Gemini) to process your instructions and generate responses. When you interact with the Service:
- Your messages, relevant context, and applicable business data are sent to AI model providers for processing
- AI providers process this data to generate responses, execute tool calls, and perform requested actions
- We maintain conversation context within sessions to enable coherent multi-turn interactions
- AI-learned patterns are stored locally in your account to improve future interactions
5.2 AI Model Training
We may use anonymized, aggregated, and de-identified interaction data to evaluate and improve our AI system prompts, tool configurations, and overall Service quality. This processing involves removing all personally identifiable information before any analysis.
We do not provide your identifiable personal data to third-party AI providers for the purpose of training their foundation models. Our contractual agreements with AI providers (Anthropic, Google) include data processing terms that restrict their use of customer data for model training.
However, AI providers may process and temporarily cache conversation data as part of providing inference services, subject to their respective data processing agreements and retention policies.
5.3 Automated Decision-Making
The Service involves AI-assisted recommendations and automated processing, including:
- Automatic categorization of expenses and receipts
- Suggested invoice amounts based on time entries and historical patterns
- Task priority suggestions and deadline recommendations
- Email importance scoring and action item extraction
- Smart scheduling suggestions based on calendar patterns
These features provide suggestions and drafts for your review. A human-in-the-loop principle applies to all significant actions: the Service will not send invoices, create calendar events, modify contacts, or execute financial actions without your explicit confirmation. You have the right to contest automated decisions and request human review under Article 22 of the GDPR.
6. Data Sharing and Third Parties
6.1 Service Providers (Data Processors)
We share personal data with the following categories of service providers who process data on our behalf under data processing agreements:
- Cloud infrastructure: Supabase (database and authentication hosting, EU region)
- AI model providers: Anthropic (Claude API for conversational AI), Google Cloud (Gemini API for AI processing, Cloud Vision API for OCR)
- Analytics: anonymized usage data with analytics providers for product improvement
- Communication: email delivery services for sending invoices and notifications
6.2 Third-Party Integrations
When you connect integrations (Google Calendar, Gmail), data flows between Leiko and Google according to Google's terms and our integration requirements. You can review and revoke access at any time. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
6.3 Other Disclosures
We may disclose personal data in the following circumstances:
- Legal compliance: when required by law, regulation, legal process, or governmental authority
- Safety and rights protection: to protect the safety, rights, or property of Leiko, our users, or the public
- Business transfers: in connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or part of our assets, where personal data may be transferred as a business asset
- With your consent: when you explicitly authorize disclosure to a specific third party
We do not sell your personal data. We do not share personal data with advertisers or for advertising purposes.
7. International Data Transfers
Our primary data storage is within the European Union (Supabase, EU region). However, certain processing activities involve transfers to countries outside the EEA:
- AI processing: Conversation data is transmitted to Anthropic (United States) and Google (United States) for AI inference. These transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, where applicable.
- Ancillary services: certain operational tools and services may involve data processing in jurisdictions outside the EEA.
We implement appropriate safeguards for all international transfers, including Standard Contractual Clauses approved by the European Commission, supplementary measures as necessary following transfer impact assessments, and contractual data protection provisions with all recipients.
8. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specific retention periods are as follows:
- Account data: retained for the duration of your account and up to 30 days after account deletion to allow for recovery
- Conversation and chat data: retained for the duration of your account. You may delete individual conversations at any time.
- Invoice and financial data: retained for a minimum of 6 years after the relevant fiscal year, as required by Finnish accounting legislation (Kirjanpitolaki)
- Receipt and expense data: retained for a minimum of 6 years after the relevant fiscal year for tax compliance
- AI-learned patterns: retained until you delete them or delete your account
- Voice recordings: processed for transcription and deleted within 24 hours. Transcriptions are retained as chat data.
- Usage analytics: retained in anonymized, aggregated form indefinitely
- Server logs: retained for up to 90 days for security and debugging purposes
After the applicable retention period, data is either securely deleted or irreversibly anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security in our database ensuring users can only access their own data
- OAuth 2.0 for third-party integrations with minimal necessary scopes
- Regular security assessments and vulnerability monitoring
- Access controls limiting employee access to personal data on a need-to-know basis
- Incident response procedures for data breach detection, assessment, and notification
No method of electronic storage or transmission is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Your Rights
10.1 Rights Under GDPR (EEA/UK Users)
If you are located in the EEA or UK, you have the following rights under the GDPR:
- Right of access (Art. 15): obtain confirmation of processing and a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data
- Right to erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations
- Right to restriction (Art. 18): restrict processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling
- Right to withdraw consent (Art. 7): withdraw consent at any time for consent-based processing
- Right regarding automated decisions (Art. 22): not be subject to solely automated decisions with legal or significant effects, and to request human review
- Right to lodge a complaint: file a complaint with your local supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
10.2 Exercising Your Rights
You can exercise many of these rights directly within the Service (e.g., viewing, editing, and deleting your data in Settings). For requests that cannot be handled through the Service, or for formal data subject access requests, contact us at privacy@leiko.ai. We will respond to verified requests within 30 days, or notify you of any extension (up to 60 additional days for complex requests) as permitted under GDPR.
We may need to verify your identity before processing your request. If your request is manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, as permitted under GDPR Article 12(5).
11. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@leiko.ai.
12. Cookies and Similar Technologies
The Service is primarily a mobile application and does not use browser cookies. We may use local storage and device identifiers for authentication and session management. If we introduce a web version of the Service, we will update this policy to address cookie usage and provide appropriate consent mechanisms.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the Service, by email, or by other appropriate means at least 14 days before the changes take effect. Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the revised terms. If you do not agree to the revised policy, you must stop using the Service and delete your account.
We encourage you to review this policy periodically for the latest information on our privacy practices.
14. Contact Information
- Data Controller: Leiko AI Oy
- Email: privacy@leiko.ai
- Data Protection Officer: dpo@leiko.ai
- Supervisory Authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Helsinki, Finland
This Privacy Policy is governed by the laws of Finland and the European Union, without regard to conflict of law provisions.