EU data residency
Your data lives on servers in Helsinki and Falkenstein (Hetzner, Germany) — both inside the EU. Nothing crosses to the US. We never use SaaS that requires data export outside the EEA.
You're trusting us with tax records, ID copies and bank details. This page lays out exactly where that data lives, who touches it, how long we keep it, and how you take it back.
TLS 1.3 for every connection. AES-256 disk encryption on every database. Backups encrypted with age before they leave the host. The only people who can read your data are you and the staff member you authorise.
Filings go to VID under a qualified tax-practitioner number. The pilnvara (authorisation) you sign is scoped to filing and inquiry response — never to spending money on your behalf.
You can request export, correction, or full deletion of your data at any time via WhatsApp. We honour requests within 7 days. We never sell your data. We never train ML models on it.
Weekly earnings PDFs and cash-tip entries come in over WhatsApp or our app. WhatsApp messages stay on the WhatsApp network — we copy the relevant numbers into your dashboard and delete the chat-side attachments after capture.
Income + expense numbers are stored encrypted in a Latvian Postgres database. We build your VSAOI XML, validate against the EDS XSD, submit through our practitioner login. The XML and the EDS receipt are kept for the audit trail.
Tax records: 5 years (legal minimum). Receipts + supporting documents: 5 years. Marketing data (email, name): until you unsubscribe or delete your account. Payment data: held by Stripe (PCI-DSS), never by us.
Cancel via WhatsApp or in your account. Request export and we send you a JSON archive within 7 days. Request deletion and we anonymise your record within 30 days (retaining only the legally-required tax-filing audit trail).
A sub-processor is any vendor that touches customer data. Every one of ours is EU-based and bound by a data-processing agreement.
| Vendor | What for | Where | Policy |
|---|---|---|---|
| Hetzner Online | Hosting + database | Helsinki, FI / Falkenstein, DE | View |
| Stripe | Card payments + billing | Ireland (EU) | View |
| Cloudflare | CDN + DDoS protection | EU (Frankfurt) per data-localisation | View |
| Resend | Transactional email | EU | View |
| Plausible | Privacy-first analytics | Self-hosted on our infra · EU | View |
Under GDPR you have eight rights over your personal data. We honour the four that don't require proof of identity on our side. For the rest, request via WhatsApp with a copy of your ID and we'll process within 7 days.
GDPR requires notifying the Latvian Data State Inspectorate within 72 hours of becoming aware of a breach. We do that. More importantly, we notify you first — on WhatsApp, with what was affected, what we did, and what you should do.
Report a security concern: WhatsApp Santa or email security@rozofinance.com.
The full legal text — what data we collect, why, what we promise, how to complain.