Privacy Policy
We treat your company data the same way we treat our own. It's secure, it's confidential, and it's never sold.
Last updated: April 14, 2026
At Rekonto, we take your privacy incredibly seriously. This Privacy Policy describes how we collect, use, and handle your data when you use our services.
Data Controller
Rekonto (operated by System D AB) acts as the Data Controller under the General Data Protection Regulation (GDPR).
- Contact Email: support@rekon.to
What Data We Collect
To provide you with our bookkeeping automation service, we collect the following limited data sets:
- Account Data: Email address, your name, company name, and organization number.
- Financial Documents: Invoices, receipts, and supporting documents that you upload for processing.
- Accounting Data: Synchronization data pulled from Fortnox strictly based on your connected integrations.
- Banking Data: Transaction data read from Open Banking connections (like Enable Banking) utilizing your explicit consent.
- Usage & Technical Data: High-level product telemetry (e.g., login times, features utilized, error logs, and IP addresses for security auditing).
Why We Collect It
- To provide, secure, and maintain the bookkeeping automation service.
- To synchronize data seamlessly with Fortnox and banking providers strictly on your behalf.
- To identify anomalies, perform cash flow analysis, and provide financial advisor intelligence.
- To improve our document extraction AI models' accuracy, isolated within your company domain.
- To send mandatory service-related communications (we do not send unsolicited marketing).
How We Process It
We leverage highly secure, enterprise-grade cloud partners located physically within the European Union.
- AI Processing: Documents read by the system rely on Google Vertex AI (Gemini). Your documents are not used to train Google's core models. Data flows remain completely ephemeral during inference operations.
- Banking Data: Open Banking operations (AIS) are routed securely through Enable Banking (a PSD2-licensed Third Party Provider). We strictly hold read-only ledger privileges. We cannot and do not initiate payments.
- Storage: All primary databases and blob storage assets reside in Google Cloud's europe-north1 region (Finland).
Data Sharing
We do NOT sell your data. Ever.
We share data exclusively for operational necessities utilizing the following service providers under strict Data Processing Agreements:
- Google Cloud: Primary infrastructure and compute provider (EU-based).
- Fortnox AB: Your designated accounting software ledger. Data passes to them only via your active OAuth token.
- Enable Banking: For secure PSD2 bank connection abstraction when you choose to connect a European banking establishment.
Your Rights (GDPR)
Under European law, you possess vast control over your digital footprint:
- Right to access: You may request a complete copy of all data tracing to your organization.
- Right to rectification: You may correct inaccurate or incomplete data points.
- Right to erasure (Right to be forgotten): You may request complete, irrecoverable deletion of your account and all associated tenant records.
- Right to data portability: You can export data uniformly out of Rekonto.
- Right to withdraw consent: You may disconnect Fortnox, Enable Banking, or delete your account outright at any time via your Settings Dashboard.
To exercise any of these capabilities, please email support@rekon.to. We will honor your request within 30 days.
Data Retention
- Active accounts: We retain data conditionally linked to active system subscriptions.
- Deleted accounts: Once triggered, all data vectors are permanently scrubbed from active databases within 30 days.
- Compliance mandates: You are the ultimate custodian of your financial records under the Swedish Accounting Act ("Bokföringslagen"), requiring 7-year retention. Fortnox represents your authoritative archive; Rekonto operates as middleware.
Cookies
We use Essential Cookies Only (e.g., authentication tokens, CSRF protection logic, and critical session identifiers).
We do not deploy marketing cookies, invasive trackers, or cross-site tracking analytic networks. Therefore, annoying cookie consent banners are neither necessary nor present within our software boundaries.
Security Measures
- Encryption uniformly across data in transit (TLS 1.3) and at rest (AES-256).
- Architectural multi-tenant row-level security isolation.
- Routine automated vulnerability audits and logging analysis.
Changes to This Policy
We may modify this document occasionally as operational boundaries evolve. We'll formally notify you by email preceding any material changes.