
Privacy Policy

How Calitem collects, processes, and protects personal data, for our customers, for people whose data appears on the invoices our customers upload, and for visitors to this site.

Last updated: 24 April 2026
Governing law: Spain · GDPR (EU) 2016/679 · LOPDGDD (LO 3/2018)
On this page
  1. Data controller
  2. Data Protection Officer
  3. Data we process
  4. Purposes & legal basis
  5. Controller vs. processor
  6. Recipients & sub-processors
  7. AI & LLM processing
  8. International transfers
  9. Retention
  10. Your rights
  11. Automated decisions
  12. Security
  13. Breach notification
  14. Children
  15. Italy addendum
  16. Changes
  17. Contact

1. Data controller

The entity responsible for the processing described in this policy is:

Calitem SL
Calle de Elvira 27, 1B, 28028 Madrid, Spain
CIF: Y6341476
Contact: info@calitem.com

If we expand into Italy and appoint a local establishment or GDPR Art. 27 representative, details will be added below in the Italy addendum.

2. Data Protection Officer

Calitem has not appointed a Data Protection Officer. Under Art. 37 GDPR and Art. 34 LOPDGDD, we are not required to appoint one given the nature, scope and purposes of our processing. For any data-protection matter, write to info@calitem.com.

We review this designation periodically against the criteria in Art. 37 GDPR and Art. 34 LOPDGDD, and will update this page if it changes.

3. Categories of personal data we process

Account and billing data

  • Identifiers: name, work email, job title, company name.
  • Authentication: hashed password or federated-identity identifier.
  • Billing: company tax ID, billing address, payment method reference (Stripe token; we do not store raw card numbers).

Customer Content: invoices and accounting documents

When you upload invoices, receipts, delivery notes or similar documents, these files typically contain personal data of third parties: your vendors, their employees, self-employed contractors, and sometimes your own staff. Typical fields include:

  • Names, tax IDs (NIF, CIF, VAT number), addresses, email addresses, phone numbers.
  • Bank account identifiers (IBAN) where visible on the document.
  • Transaction data: amounts, line items, dates, payment terms.

We process this data as a processor on your behalf, under the Data Processing Addendum incorporated into our Terms.

Technical and telemetry data

  • IP address, browser, operating system, device fingerprint.
  • Application logs, error traces, performance metrics.
  • Authentication events and audit logs.

Communications

  • Support requests, email correspondence, in-app messages.
  • Survey and feedback responses.

4. Purposes and legal basis

For each processing purpose we identify the legal basis under Art. 6 GDPR:

  • Providing the service (ingestion, OCR, categorization, export to your ERP): Art. 6(1)(b), performance of a contract.
  • Billing, accounting and tax compliance: Art. 6(1)(c), legal obligation (Código de Comercio, Ley General Tributaria).
  • Service improvement, security, fraud prevention, debugging: Art. 6(1)(f), legitimate interest. We perform a balancing test; you can request a summary.
  • Marketing to existing customers for similar products: Art. 6(1)(f) plus LSSI-CE Art. 21 soft opt-in, with an opt-out in every message.
  • Marketing to non-customers / prospects: Art. 6(1)(a), consent.
  • Non-essential cookies and trackers: Art. 6(1)(a) GDPR and LSSI-CE Art. 22.2, consent. See our Cookie Policy.

For invoice content you upload, the relevant legal basis between you and the people whose data appears on those invoices is your responsibility as controller (typically legal obligation or legitimate interest in accounting).

5. Controller vs. processor roles

Calitem acts as:

  • Controller for account data, billing data, website analytics and support communications, meaning we decide the purposes and means of that processing.
  • Processor for the content of the documents you upload. You remain the controller; we act on your documented instructions under a Data Processing Addendum. If you need the DPA, write to info@calitem.com.

6. Recipients and sub-processors

We share personal data only with vendors we have contractually bound under GDPR Art. 28. Current sub-processors include:

  • Supabase (EU region): database, authentication, object storage.
  • Microsoft Azure, Document Intelligence: OCR and document-layout parsing.
  • OpenAI / Anthropic (via API): language-model inference for extraction and categorization. Enterprise agreements apply; see §7.
  • Stripe: payment processing.
  • Postmark: transactional email.
  • Google Analytics 4, HubSpot: website analytics and marketing (only where you have given consent).
  • Intercom: customer support.

The current, authoritative list of sub-processors is available on request by writing to info@calitem.com. We notify customers of material changes at least 30 days in advance, with a right to object as set out in the DPA.

7. AI and large-language-model processing

The core of Calitem is an AI pipeline. We want to be explicit about how it handles your data:

  • When you upload a document, we send the image and parsed text to document-AI and large-language-model providers for inference only, to extract structured fields and suggest a category.
  • Under our enterprise agreements with those providers, your content is not used to train their foundation models. We also do not use your content to train any Calitem-owned model.
  • Some providers retain prompts and responses for up to 30 days for abuse-monitoring purposes, unless zero-retention has been granted. Where this applies to your data, it is listed in our sub-processor record.
  • Outputs from the AI pipeline are reviewable by you before posting to your accounting system. No decision with legal or similarly significant effects on a natural person is made solely by automated means; see §11.

8. International transfers

We aim to keep personal data within the European Economic Area. Where a sub-processor operates outside the EEA, or where a service (such as Azure Global deployments) may route processing outside the EEA even when data is stored within it, we rely on one of the following safeguards:

  • Standard Contractual Clauses (Commission Implementing Decision 2021/914), with transfer-impact assessments and supplementary technical measures such as encryption at rest and in transit.
  • EU–US Data Privacy Framework certifications, where applicable to US-based providers.

You can request a copy of the safeguards in place for any specific transfer by writing to info@calitem.com.

9. Retention periods

  • Account and Customer Content: kept for the duration of the contract. After termination, you have 30 days to export, after which Customer Content is deleted from active systems within a further 30 days and from backups within 90 days.
  • Billing and accounting records: six years, as required by Art. 30 of the Código de Comercio. Tax records follow the four-year limitation in Art. 66 LGT where longer retention is not mandated.
  • Logs and telemetry: 12 months.
  • Marketing data: until you withdraw consent or opt out.
  • Support tickets: 24 months after resolution.

10. Your rights

Under the GDPR and LOPDGDD you have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erasure / "right to be forgotten" (Art. 17), subject to legal retention obligations.
  • Restrict processing (Art. 18).
  • Portability of data you provided, in a structured, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest, including profiling (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7).
  • Not be subject to decisions based solely on automated processing with legal or similarly significant effects (Art. 22); see §11.

You can exercise any of these rights by writing to info@calitem.com. We may ask you to verify your identity. We respond within one month, extendable by two further months for complex requests.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): C/ Jorge Juan 6, 28001 Madrid, www.aepd.es. Italian users may address the Garante per la protezione dei dati personali: www.garanteprivacy.it.

11. Automated decision-making and profiling

Calitem uses automated processing to extract fields from your documents and to suggest a category. These outputs are advisory: they are surfaced in your workspace for human review before being posted to your accounting system. We do not make decisions that produce legal or similarly significant effects on a natural person solely by automated means within the meaning of Art. 22(1) GDPR.

If this changes, for example, if we introduce automated fraud scoring with binding effects, we will update this policy and provide meaningful information about the logic involved, the significance, and the envisaged consequences.

12. Security

We implement appropriate technical and organisational measures under Art. 32 GDPR, including:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Role-based access controls, least-privilege principles, audit logging.
  • Regular vulnerability scanning and dependency review.
  • Separation of production and non-production environments; pseudonymisation for analytics where practicable.
  • Defined incident-response procedures, with tested escalation paths.

13. Data-breach notification

If we become aware of a personal-data breach, we notify the AEPD without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). If the breach is likely to result in a high risk to affected individuals, we also notify them directly without undue delay (Art. 34).

14. Children

Calitem is a business product not directed at children. We do not knowingly collect personal data from children under the age of 14 (the digital-consent threshold under Art. 7 LOPDGDD in Spain and D.Lgs. 101/2018 in Italy). If you believe a minor has provided us personal data, please contact us so we can delete it.

15. Italy addendum

When Calitem is available to Italian users, the following apply in addition to the rest of this policy:

  • An Italian-language version of this informativa is provided for Italian users.
  • The Italian supervisory authority is the Garante per la protezione dei dati personali (garanteprivacy.it). National legislation: D.Lgs. 196/2003 as amended by D.Lgs. 101/2018.
  • Calitem has not appointed a representative under GDPR Art. 27 at this time. If one is appointed ahead of the Italian launch, details will be published here.

16. Changes to this policy

We keep a version history of this page. The "Last updated" date at the top reflects the most recent substantive change. For material changes, such as the addition of a new sub-processor that receives Customer Content, or a change in legal basis, we will notify you by email or in-product at least 30 days in advance where feasible.

17. Contact

For any question about this policy or to exercise your rights, write to info@calitem.com, or by post to Calitem SL, Calle de Elvira 27, 1B, 28028 Madrid, Spain.
