Skip to content

Privacy Policy

Last updated: April 2026

1. Introduction

Kvik is an AI bookkeeping assistant that helps Danish businesses with bookkeeping via phone calls and SMS. Kvik uses artificial intelligence (AI) to understand and execute bookkeeping tasks in your Dinero accounting software. This privacy policy explains how we collect, use, and protect your personal data.

2. Definitions

In this policy, we use the following terms:

  • Personal Data — information that can identify you or your business (e.g., name, CVR, email, phone number)
  • Communications Data — text transcripts and summaries from calls with Kvik
  • Financial Data — bookkeeping data in your Dinero account (remains in Dinero, we do not store it)
  • Account Data — login credentials, subscription status, and settings

3. Data Controller

Fakturos I/S (CVR 45962245), Aalborg, Denmark, is the data controller for the processing of your personal data. You can contact us at privacy@kvik.pro. The supervisory authority is Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby.

4. What data do we collect?

We collect the following categories of data:

  • Account information — company name, CVR number, address, email, phone number, VAT registration status, industry
  • Financial information — Dinero organization number and OAuth access credentials (encrypted, never your actual accounting data)
  • Communications data — call transcripts (automatically deleted after 30 days) and summaries of the last 5 conversation topics
  • Payment information — processed by Stripe, we only store the Stripe customer ID (never card data)
  • Usage data — number of calls, call duration, task types performed
  • Technical data — IP address, browser type (only when visiting kvik.pro)

5. How do we collect data?

  • Directly from you — when you create an account and call Kvik
  • Public registries — CVR lookup via cvrapi.dk
  • OAuth connections — when you connect your Dinero account via Visma Connect
  • Automatically — technical data when visiting our website

6. AI and voice calls

Kvik is an AI service. The following applies to all calls:

  • AI disclosure — Kvik identifies itself as AI at the start of every call, in compliance with the EU AI Act (Art. 50)
  • No audio recording — we never record voice calls. Calls are processed by ElevenLabs' AI voice technology in real time without storing audio
  • Text transcripts — conversations are converted to text and stored for a maximum of 30 days, after which they are automatically deleted
  • No AI model training — your data is never used to train AI models. ElevenLabs' audio data storage is disabled, and training opt-in is declined
  • Conversation memory — the last 5 conversation topics are stored so Kvik can remember context for your next call. These are deleted upon account deletion
  • Dinero access — Kvik only performs the bookkeeping tasks you specifically request during calls. All actions are logged in our audit trail

7. Purposes and legal basis

We process your data for the following purposes with the stated legal bases:

  • Providing bookkeeping service — Contract, GDPR Art. 6(1)(b)
  • Storing business contact information — Contract, GDPR Art. 6(1)(b)
  • Retaining accounting records (5 years) — Legal obligation, GDPR Art. 6(1)(c), Danish Bookkeeping Act § 12
  • CVR registry lookup — Legitimate interest, GDPR Art. 6(1)(f)
  • AI call transcripts (service delivery) — Contract, GDPR Art. 6(1)(b)
  • Call analysis for service improvement — Legitimate interest, GDPR Art. 6(1)(f)
  • SMS (onboarding, confirmations) — Contract, GDPR Art. 6(1)(b)
  • Stripe payment processing — Contract, GDPR Art. 6(1)(b)
  • Dinero OAuth token storage — Contract, GDPR Art. 6(1)(b)
  • Marketing communications — Consent, GDPR Art. 6(1)(a)

8. How we share data

We share data with the following processors, which are necessary to deliver Kvik:

  • Stripe (USA, DPF-certified) — payment processing
  • Twilio (Ireland/USA, SCCs) — SMS messages and phone number
  • ElevenLabs (USA, DPA signed) — AI voice technology for calls
  • Supabase (EU, eu-central-1) — secure storage of account information
  • Inngest (USA, SCCs) — asynchronous task queue
  • Clerk (USA, DPF-certified) — email verification during signup
  • Vercel (EU/USA, SCCs) — website and API hosting

9. International data transfers

Some of our processors are based in the USA. We ensure the lawfulness of transfers via the European Commission's Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (DPF), or adequacy decisions. You can request a copy of the relevant safeguards by contacting us.

10. Data retention periods

We retain data for the following periods:

  • Accounting records — 5 years from the end of the financial year (Danish Bookkeeping Act § 12)
  • Business contact information — contract duration + 5 years (Bookkeeping Act)
  • Call transcripts — 30 days (automatically deleted)
  • Call summaries — contract duration
  • Dinero OAuth tokens — contract duration (revoked on cancellation)
  • Stripe customer ID — contract + tax compliance period
  • PKCE verifiers — 10 minutes
  • Error logs — 90 days

11. Data security

We protect your data with the following measures: AES-256-GCM encryption of Dinero access credentials, TLS encryption of all data transmission, Row Level Security (RLS) in the database, HMAC-signed webhooks to verify data integrity, and timing-safe comparison of API keys to prevent timing attacks.

12. Your rights

Under GDPR, you have the following rights: Access (Art. 15) — you can request a copy of your data. Rectification (Art. 16) — you can request correction of inaccurate data. Erasure (Art. 17) — you can request deletion of your data. Restriction (Art. 18) — you can request that we restrict processing. Data portability (Art. 20) — you can request your data in a machine-readable format. Objection (Art. 21) — you can object to processing based on legitimate interest. We respond to all requests within 30 days. You can also file a complaint with Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk.

13. Account deletion

You can delete your account via the account page or by contacting us. Upon deletion: we revoke Dinero OAuth access, delete your access credentials, and remove your personal data. Accounting records are retained for up to 5 years after deletion in accordance with the Danish Bookkeeping Act.

14. Cookies

Kvik.pro only uses technically necessary cookies to maintain your session and language preference. We do not use tracking cookies or third-party cookies for marketing.

15. Children

Kvik is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors.

16. Changes

We may update this privacy policy. For material changes, we will notify you via email at least 14 days before they take effect. The latest version is always available on this page.

17. Contact

Fakturos I/S, Aalborg, Denmark. CVR 45962245. Email: privacy@kvik.pro. Datatilsynet: Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk.