This Privacy Policy explains how Luminyst Estates, Lda ("ExpenseCaptureAI", "we", "us", or "our") processes personal data in connection with the ExpenseCaptureAI service.
ExpenseCaptureAI is a business-use service for collecting, extracting, reviewing, organising, and exporting business expense documents such as receipts, bills, and invoices.
1. Who We Are
- Operator: Luminyst Estates, Lda
- Registered address: Lisbon, Portugal
- VAT / Tax code: PT518398811
- Support:
support@expensecaptureai.com - Privacy:
privacy@expensecaptureai.com - Legal:
legal@expensecaptureai.com - Security:
security@expensecaptureai.com
2. Scope of This Policy
This Privacy Policy applies to:
- our website and product pages
- account registration and authentication
- the ExpenseCaptureAI application
- customer support communications
- billing and subscription management
- business documents submitted through the web app or through the email-upload workflow
This Privacy Policy does not replace any separate agreement between us and a business customer, including our Terms of Service or Data Processing Addendum.
3. Our Roles: Controller and Processor
ExpenseCaptureAI does not always act in the same role for all data.
3.1 When we act as controller
We act as a controller for personal data we use to run and secure our own business and service, including:
- account and user profile data
- sign-in and session data
- billing, invoicing, and subscription administration data
- support and service communications
- legal, fraud-prevention, and security records
3.2 When we act as processor or service provider
When a business customer uploads or emails receipts, invoices, or similar documents to ExpenseCaptureAI for that customer's own business purposes, we typically act as that customer's processor or service provider for the personal data contained in that Customer Content.
In that context:
- the customer decides why the data is submitted to the Service
- the customer is generally responsible for making sure it has a lawful basis to use the Service for that data
- our processing is governed by the customer's instructions, our contract with the customer, and our Data Processing Addendum
If you are an employee, contractor, supplier, customer, or other individual whose personal data appears inside a business customer's documents, you should usually contact that business customer first.
4. The Personal Data We Process
Depending on how the Service is used, we may process the following categories of personal data.
4.1 Account and identity data
- name or display name
- email address
- password hash and authentication status
- user ID, company/workspace membership, and account state
4.2 Session and technical data
- sign-in and refresh-token data
- session cookie identifiers
- selected company/workspace identifiers
- IP address, browser metadata, device metadata, request logs, and security events
4.3 Customer Content
- receipts, invoices, bills, and related source documents
- images, PDFs, and email attachments submitted to the Service
- structured extraction outputs derived from those documents
- review, correction, export, and duplicate-resolution data
Customer Content may contain personal data relating to:
- the customer and its personnel
- suppliers and merchants
- travellers, employees, contractors, or reimbursement recipients
- other individuals whose details appear on the documents
4.4 Email-upload metadata
- sender email address
- recipient company alias address
- subject line
- message identifiers and delivery metadata
- accepted or rejected attachment outcome data
4.5 Billing and finance data
- subscription or credit-plan details
- invoice and payment status
- limited billing metadata provided by our payment processor
We do not intentionally store full payment card numbers in our systems. Payment card handling is delegated to our payment processor.
4.6 Support and communications data
- messages you send us
- support case notes
- operational notices and billing notices
5. How We Collect Personal Data
We collect personal data:
- directly from you when you create an account, use the Service, or contact us
- from your organisation or account administrator
- from documents and attachments that you or your authorised users submit to the Service
- from inbound email uploads sent to your assigned company upload alias
- from our service providers, such as hosting, email, AI, or payment providers
- automatically through normal operation of the Service and security logging
6. Why We Process Personal Data and Our Legal Bases
Where we act as controller, we rely on the following legal bases under applicable law, depending on the situation.
6.1 To provide and operate the Service
We process personal data to:
- create and manage accounts
- authenticate users and maintain sessions
- let users create and manage companies or workspaces
- ingest uploaded or emailed documents
- extract, review, store, search, and export business expense data
Legal basis: performance of a contract, or steps taken at your request before entering into a contract.
6.2 To bill, collect payment, and manage subscriptions
We process personal data to:
- manage subscriptions and credits
- send invoices and payment confirmations
- prevent payment abuse or fraud
Legal basis: performance of a contract and legitimate interests in administering the Service and getting paid.
6.3 To secure, monitor, and improve the Service
We process personal data to:
- detect misuse, fraud, and security incidents
- maintain logs and diagnostics
- debug failures and preserve service integrity
- assess service reliability and product operations
Legal basis: legitimate interests in operating a secure and reliable business service.
6.4 To comply with legal obligations
We may process personal data to comply with accounting, tax, regulatory, law-enforcement, or other legal requirements.
Legal basis: compliance with a legal obligation.
6.5 To communicate with you
We use personal data to:
- respond to support requests
- send account, service, billing, or security notices
- send legally required communications
Legal basis: performance of a contract, legitimate interests, or legal obligation, depending on the communication.
6.6 Marketing
At launch, we do not treat the Service as a marketing-tracking product and we do not rely on non-essential cookies for advertising.
If we later send optional promotional communications or use optional tracking technologies, we will do so only on an appropriate lawful basis and update this Privacy Policy as needed.
7. How We Share Personal Data
We share personal data only where reasonably necessary for the purposes described above.
7.1 Service providers and subprocessors
We may share data with service providers that support the Service, including:
- cloud infrastructure and storage providers
- email delivery and inbound email processing providers
- AI and document-processing providers
- payment processors
- hosting, logging, monitoring, and security providers
- professional advisers such as lawyers, accountants, auditors, and insurers
At launch, the principal vendor categories and named providers we expect to use include:
- Amazon Web Services for object storage, email infrastructure, and related cloud services
- OpenRouter and the underlying model providers selected through our AI configuration for document extraction requests
- Stripe for live payment processing
- an EEA-based VPS hosting provider for application-runtime hosting
7.2 Customer-directed sharing
We may share data when you or your organisation instruct us to do so, for example through exports, accountant handoffs, or support interactions that you request.
7.3 Legal and safety disclosures
We may disclose personal data where required or reasonably necessary to:
- comply with law or lawful requests
- enforce our contracts
- investigate misuse, fraud, or security incidents
- protect our rights, users, or the public
7.4 Business transactions
If we are involved in a merger, financing, acquisition, reorganisation, or sale of assets, personal data may be disclosed as part of that transaction subject to appropriate confidentiality and legal safeguards.
8. International Data Transfers
Our primary cloud storage design is EU-based. However, some of our service providers, especially AI or payment providers, may process personal data outside the European Economic Area.
Where we transfer personal data internationally, we aim to rely on an appropriate lawful transfer mechanism, such as:
- an adequacy decision
- standard contractual clauses
- or another lawful safeguard recognised by applicable data-protection law
Because some AI processing may involve OpenRouter and underlying model providers selected through our configuration, Customer Content and extraction-related metadata may be processed outside the EEA.
9. Cookies and Similar Technologies
At launch, ExpenseCaptureAI uses strictly necessary cookies and similar technologies needed to operate the Service, such as:
- authentication cookies
- refresh/session continuity cookies
- selected-company or workspace state cookies
- basic security-related state
We do not rely on non-essential cookies for behavioural advertising or cross-site tracking at launch.
10. How Long We Keep Personal Data
We keep personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, resolve disputes, enforce contracts, maintain security, and comply with legal obligations.
In practice, this usually means:
- account data is kept while the account is active and for a reasonable period afterwards
- Customer Content is kept until deleted by the customer, deleted through standard product functionality, or removed following account termination and our normal operational processes
- billing and transaction records are kept for as long as required by accounting, tax, and legal obligations
- logs and diagnostics are kept for a limited operational and security period, subject to business need and legal requirements
- backups may persist for a limited period until they are rotated or overwritten in the ordinary course
11. Your Rights
Depending on the law that applies to you, you may have rights to:
- access personal data
- correct inaccurate personal data
- delete personal data
- restrict processing
- object to certain processing
- receive a portable copy of certain personal data
- withdraw consent where processing relies on consent
- complain to a supervisory authority
If we process your personal data as a processor on behalf of one of our business customers, you should usually contact that customer first. We may also require proof of identity or authority before acting on a request.
To make a privacy request, contact privacy@expensecaptureai.com.
12. Security
We use administrative, technical, and organisational measures designed to protect personal data appropriate to the nature of the Service and the risks involved. Those measures may include access controls, authentication, logging, private cloud-storage configuration, encryption in transit, and vendor-management controls.
No system can be guaranteed to be perfectly secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected misuse.
13. Business Use Only
ExpenseCaptureAI is offered on a business-use-only basis. In this Privacy Policy and our related legal documents, business use includes use by:
- companies
- sole traders
- freelancers
- consultants
- other natural persons acting in a professional, trade, craft, or business capacity
The Service is not intended to be a general consumer document-storage product.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last Updated" date above shows the latest revision date. If we make a material change, we may also provide notice through the Service or by email where appropriate.
15. Contact Us
For support questions:
support@expensecaptureai.com
For privacy requests or data-protection questions:
privacy@expensecaptureai.com
For legal notices:
legal@expensecaptureai.com
For security reports:
security@expensecaptureai.com