Privacy Policy

Last updated: 2026-03-27

1. Who we are

VenDebta is a cash flow management tool operated by Onelab Oy (Business ID: 3354076-8), Helsinki, Finland. VenDebta helps businesses manage invoices and follow up on payments.

2. What data we collect

We collect only what is necessary to provide the service:

  • Account data: email address, name, organization name
  • Invoice data: customer names, amounts, due dates, contact information (provided by you)
  • Payment data: payment status, timestamps (card details are handled entirely by Stripe)
  • Usage data: token transactions, activity logs
  • Technical data: browser type, IP address (for security only)

3. How we use your data

  • To provide the invoicing and payment follow-up service
  • To process token purchases (via Stripe)
  • To generate reminders and legal documents you request
  • To improve the service and fix issues

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.

4. Third-party services

  • Supabase (database, authentication) — EU data center, SOC 2 certified
  • Vercel (hosting) — SOC 2 certified
  • Stripe (payments) — PCI DSS Level 1, SOC 2 certified
  • Anthropic Claude (AI message generation) — data not used for training

All sub-processors comply with GDPR and maintain appropriate security certifications.

5. Data storage and security

  • Data is stored in Supabase (EU region)
  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Access is controlled via Row Level Security — each organization can only see its own data
  • We never store credit card numbers (handled by Stripe)

6. Your rights (GDPR)

Under GDPR, you have the right to:

  • Access — download all your data (Settings → Export my data)
  • Rectification — edit your data at any time in the app
  • Erasure — delete your account and all data (Settings → Delete account)
  • Portability — export data in standard format (JSON/CSV)
  • Object — contact us to object to specific processing
  • Restrict — contact us to restrict processing

7. Data retention

We retain your data for as long as your account is active. When you delete your account, all data is permanently removed within 30 days. Token transaction logs may be retained for accounting purposes for up to 6 years as required by Finnish law.

8. Cookies

We use only essential cookies:

  • vendebta-lang — stores your language preference
  • sb-* — Supabase authentication session

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Children

VenDebta is a business tool. We do not knowingly collect data from anyone under 18.

10. Contact

For privacy questions or to exercise your rights:

Email: privacy@onelab.fi

Onelab Oy, Helsinki, Finland

11. Changes

We may update this policy. Significant changes will be communicated via email or in-app notification.