Privacy Policy

Data controller

The data controller is Invoid Vision B.V., a Belgian limited company registered in the Crossroads Bank for Enterprises (KBO/BCE) under number 0777.887.045, with registered office at Balegemstraat 17/7, 9860 Oosterzele, Belgium.

Privacy contact: privacy@dokus.tech

1. Data we collect

We only collect personal data we need to run dokus.tech and the Dokus product. The exact data depends on how you use the service:

• Account & contact data: name, email address, company name, role, country, and (for accounting firms) firm details you submit through the apply-accountant form.
• Waitlist & subscriber data: email address, selected plan, language preference, and the source page that led you to sign up.
• Customer-uploaded content: invoices, receipts, bank statements, credit notes and similar financial documents you submit to the product. These can contain personal data about you, your colleagues, your customers, and your suppliers.
• Usage & device data: pages viewed, clicks, referrer, language, approximate location derived from IP, browser and operating system, and timestamps. Collected via PostHog (EU) and Vercel Web Analytics with anonymised IPs.
• Support data: the content of any message you send to support@dokus.tech, privacy@dokus.tech, or via our contact form.

2. Why we process your data

We use personal data only for clearly defined purposes:

• To provide and operate the Dokus service: account creation, document ingestion, transaction matching, cash-flow overview, PEPPOL e-invoicing.
• To respond to waitlist sign-ups, accountant applications, contact-form messages, and direct emails.
• To improve the product: understand how features are used, debug issues, and prioritise fixes.
• To communicate with you: service updates, security notices, and (with your consent) product news.
• To comply with our legal obligations under Belgian and EU law, including bookkeeping, tax, and accounting record-keeping rules.

3. Legal bases (GDPR Art. 6)

Each processing activity rests on one of these legal bases:

• Performance of a contract — to deliver the Dokus service you signed up for and to handle account-related communication.
• Legitimate interests — to keep the service secure, prevent abuse, measure aggregate usage, and improve the product. We balance these interests against your rights before relying on them.
• Consent — for optional marketing emails and non-essential analytics. You can withdraw consent at any time without affecting prior processing.
• Legal obligation — when EU or Belgian law requires us to retain or disclose specific records (for example, accounting records or lawful authority requests).

4. Sub-processors we work with

We rely on a small number of vetted third-party providers to run the service. Each is bound by a data processing agreement (DPA) and processes personal data only on our instructions.

• SupabaseDatabase and authentication for waitlist, subscribers, and accountant applications.European Union
• PostHogProduct analytics, session-level usage data, and feature flags.European Union (eu.i.posthog.com)
• VercelHosting, edge delivery, Web Analytics, and Speed Insights for dokus.tech.Global edge network with EU regions; covered by DPA and Standard Contractual Clauses
• SlackInternal alerting webhooks notifying our team of new sign-ups and contact-form submissions.United States; covered by DPA and Standard Contractual Clauses

5. International transfers

Personal data is hosted within the European Economic Area (EEA) wherever possible. Where a sub-processor processes data outside the EEA (for example, Slack notifications), the transfer is covered by Standard Contractual Clauses (SCCs) and additional safeguards as required by the GDPR. We do not sell personal data, and we do not transfer it to advertisers.

6. How long we keep data

We retain personal data only for as long as needed for the purpose it was collected, then delete or anonymise it.

• Waitlist and subscriber emails: until you unsubscribe, or up to 24 months of inactivity, whichever comes first.
• Accountant applications: up to 24 months after the application, or until the firm becomes a Dokus customer.
• Contact-form and support messages: up to 24 months after the conversation closes.
• Customer-uploaded financial documents: while your account is active, and for the period required by Belgian bookkeeping law (typically 7 years) after account closure.
• Analytics and product-usage data: aggregated and retained for up to 24 months in PostHog and Vercel Analytics.

7. Your rights under the GDPR

You can exercise the following rights at any time by emailing privacy@dokus.tech. We respond within 30 days.

• Right of access — confirm whether we hold your data and request a copy.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — ask us to delete your personal data where the GDPR allows.
• Right to restriction — ask us to limit processing while a dispute is resolved.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — for any processing that relies on consent.
• Right to lodge a complaint with a supervisory authority — see below.

8. How we protect your data

We apply the technical and organisational measures appropriate for a financial product: encryption in transit (TLS), encryption at rest, role-based access controls, audit logging on production systems, least-privilege access for employees, and DPA-bound sub-processors. Access to customer-uploaded financial documents is restricted to a small number of authorised personnel, and only when needed for support, security, or compliance.

9. Cookies and similar technologies

Dokus uses strictly necessary cookies for authentication and security, and a limited set of analytics cookies (PostHog, Vercel Analytics) to understand how the site is used. We do not use advertising cookies. For full detail and how to manage your preferences, see our Cookie Policy.

Cookie Policy →

10. Automated decision-making

We do not make decisions that have legal or similarly significant effects on you based solely on automated processing. Dokus structures and classifies financial documents automatically, but those outputs are reviewed and validated by you (or your accountant) before being acted on.

11. Children

Dokus is a business tool intended for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has provided personal data to us, please contact privacy@dokus.tech and we will delete it.

12. Changes to this policy

We may update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email to active users at least 14 days before they take effect.

13. Contact us

Questions about this policy or how we handle your data? Email privacy@dokus.tech. Postal mail can be sent to Invoid Vision B.V., Balegemstraat 17/7, 9860 Oosterzele, Belgium.

Supervisory authority

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).

gegevensbeschermingsautoriteit.be