This Privacy Policy explains how Bookbird ("Service", "we", "us", "our") collects, uses, stores, and shares personal data.
1. Controller and Contact
Data controller: EST EXPERIENCE SYSTEM TECHNOLOGY LTD
Registered address: Agias Fylaxeos, 104, PANAYIOTOPOULOS COURT, 3rd floor, office 301, Limassol 3087, Cyprus
Privacy contact: [email protected]
2. Scope
This Policy applies to personal data processed when you access or use Bookbird, including integrations you connect (for example QuickBooks Online, Gmail, or IMAP).
3. Data We Process
- Account data: name, email, role, login/session details.
- Financial data: balances, profiles, transactions imported from connected providers.
- Accounting integration data: QuickBooks company/realm references and sync metadata.
- Email and attachment data: message metadata/content and invoice files from Gmail or IMAP sources you connect.
- Derived data: extracted invoice fields, categorization decisions, and review/audit records.
- Technical data: logs, IP address, browser/device metadata, and security events.
4. Purposes and Legal Bases (UK/EU GDPR)
- Contract performance: providing sync, reporting, invoice review, and accounting push workflows.
- Legitimate interests: fraud prevention, reliability, product security, and service improvement.
- Consent: where required for optional or specific processing activities.
- Legal obligations: compliance, recordkeeping, and legal response duties.
5. AI-Assisted Invoice Extraction
If enabled, invoice extraction features may transmit relevant invoice/email content to an AI provider (for example OpenRouter and the selected model provider) strictly to produce structured extraction output. You are responsible for human review before using extracted results for accounting actions.
6. Sharing and Subprocessors
We may share data with providers required to operate the Service, such as:
- Intuit QuickBooks Online (accounting sync)
- Google APIs / Gmail (mail source processing)
- AI providers via OpenRouter (invoice extraction)
- Infrastructure, storage, monitoring, and support vendors
7. International Transfers
Some processors may handle data outside the UK/EEA. Where required, we rely on appropriate safeguards, such as contractual protections and transfer mechanisms recognized by applicable law.
8. Retention
We retain data while your account is active and as needed to provide the Service, resolve disputes, and meet legal obligations. Specific records (including invoice history and logs) may be retained longer where justified.
9. Security
We apply technical and organizational measures designed to protect personal data, including access controls, token protection, and role-based authorization. No internet service can be guaranteed fully secure.
10. Your Rights
Subject to applicable law, you may have rights to access, rectify, erase, restrict, object, and request portability of your personal data. You may also lodge a complaint with your local supervisory authority.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be published on this page with a revised "Last updated" date.