1. Introduction 
We, VKontrol vGmbH, with our registered office at 29, Boulevard Grande-Duchesse Charlotte, L-1331 Luxembourg ("VKontrol", "we", "us"), respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and store your personal data in connection with the use of our services and your rights under applicable data protection law, particularly the General Data Protection Regulation (GDPR). Our company is registered in the Luxembourg Trade and Companies Register (RCS) under number B296555, with the legal form Société à responsabilité limitée simplifiée (vGmbH).  

2. Scope of Application 
This Privacy Policy applies to the processing of personal data in the context of the use of our platform and services. This Privacy Policy applies to your use of VKontrol’s services through all platforms, including our website and mobile applications (iOS and Android). 

3. Categories of Personal Data Processed 
When using our services, we may collect and process the following categories of personal data: Contact details (e.g., name, email address, company name) Uploaded documents (e.g., invoices, receipts) which may contain personal data Metadata associated with uploads (e.g., upload timestamps, file size, file format)  

4. Purpose and Legal Basis of Processing 
We process personal data for the following purposes: To provide, operate, and improve our services To ensure the functionality of automated document processing To comply with applicable legal obligations Based on your consent, where required (Art. 6(1)(a) GDPR) Based on our contractual obligations (Art. 6(1)(b) GDPR) Based on our legitimate interests in operating a secure and efficient platform (Art. 6(1)(f) GDPR) 

5. Recipients and Subprocessors 
We use the following subprocessors to deliver and enhance our services: Amazon Web Services S3 (Frankfurt Region, EU)  All uploaded and processed documents are stored securely in AWS S3 in the EU (Germany). 

Amazon Textract (Frankfurt Region, EU)  Used for OCR processing of uploaded documents entirely within the EU. 

OpenAI (EU Region)  Used for intelligent extraction of financial values from structured and semi-structured documents.  All API requests are routed to https://eu.api.openai.com and data residency is configured per project to remain within the EU. No personal data is transferred outside of the European Economic Area (EEA). All subprocessors are GDPR-compliant.  

6. Data Encryption and Security 
We implement strict technical and organizational measures to protect your data:

At Rest

• Encryption Status: Encrypted

• Method: AWS-managed encryption at rest using AWS KMS

• Notes: Applies to S3, DynamoDB, Lambda logs, etc.

In Transit

• Encryption Status: Encrypted

• Method: HTTPS (TLS 1.2+) enforced for all data transmission

• Notes: Ensures secure transfer between user, VKontrol, AWS & OpenAI

Client Side

• Encryption Status: Not encrypted

• Method: Data is not encrypted prior to upload

• Notes: No sensitive data is stored locally

Infrastructure certifications: ISO/IEC 27001, SOC 1, SOC 2, SOC 3 (via AWS)

7. Data Retention Period 
Documents and extracted data are stored for up to 8 years, in line with statutory requirements (e.g., accounting and tax obligations). After the retention period, data will be securely deleted or anonymized.  

8. Your Rights Under the GDPR
You have the right to: Access your data (Art. 15 GDPR) Correct inaccurate data (Art. 16 GDPR) Request deletion (Art. 17 GDPR) Restrict processing (Art. 18 GDPR) Receive your data in a portable format (Art. 20 GDPR) Object to data processing (Art. 21 GDPR) You can contact us to exercise your rights via:  v.kangelidis@vkontrol.co  

9. Right to Lodge a Complaint 
You may file a complaint with the competent supervisory authority: Commission Nationale pour la Protection des Données (CNPD)  15, Boulevard du Jazz  L-4370 Belvaux  Luxembourg  info@cnpd.lu  https://cnpd.public.lu  

10. Use of Cookies 
We use only strictly necessary cookies to ensure website functionality and security. No marketing or tracking cookies are used without prior consent. If additional cookies are introduced, a detailed cookie banner will be displayed. 

11. Changes to This Privacy Policy 
We may update this Privacy Policy in the future. Significant changes will be communicated via email or in-app notifications.  

12. Governing Law 
This Privacy Policy is governed by the laws of the Grand Duchy of Luxembourg. 

13. Mobile App Permissions and Device Data 
The VKontrol mobile application may request access to the following device features, solely to support service functionality: 

Camera: for scanning and uploading documents. 

Push Notifications: to inform you of critical events (e.g., document upload status). 
We do not collect or transmit location data or use third-party tracking libraries. All data access is strictly permission-based and limited to service delivery.