Privacy Policy
This Privacy Policy explains how Tivanopilot OÜ collects, uses, stores, and discloses information in connection with AI Finance Team. The Service is business-only and is designed as a security-first, customer-controlled AI finance operations system.
Tivanopilot OÜ
Registry code: 16838874
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia
Contact email: dev@tivano.eu
Privacy contact: dev@tivano.eu
1. Scope
This Privacy Policy applies to the Service, our website and onboarding materials, our integrations with Google services including Gmail, Google Sheets, Google Drive, and Google AI services where enabled by the customer, and our related support, security, compliance, billing, and operational activities.
2. Roles of the Parties
Depending on the context, we act as either controller for our own business operations, such as account management, billing, legal compliance, support, and security, or processor or similar service provider on behalf of our business customers when we process customer data solely to provide the Service under customer instructions. Customers remain responsible for determining what data they submit to the Service and for ensuring they have an appropriate legal basis to do so.
3. Information We Process
Business account information
- business name
- administrator and authorized user details
- business email addresses
- account, subscription, and billing records
Customer business data
- emails and attachments accessed through authorized Gmail integrations
- spreadsheet data and metadata accessed through authorized Google Sheets and Google Drive integrations
- financial records and documents, including invoices and bank statements
- workflow inputs, outputs, processing results, task records, and configuration data
Technical and operational data
- authentication and authorization metadata
- API access metadata
- logs, diagnostics, error records, and security events
- job execution records, scheduling records, and agent metrics
Limited personal data embedded in business records
Although the Service is designed for business use, customer business records may contain limited personal data, such as names, business email addresses, signatures, payment details, or similar information appearing in emails, invoices, or bank statements.
4. Sources of Information
We collect or receive information directly from customers and their authorized users, from Google services that customers authorize us to access, from customer-controlled environments and configurations, and from our hosting, infrastructure, database, and monitoring providers.
5. How We Use Information
We use information only as necessary to provide, operate, maintain, and secure the Service; connect to and synchronize with authorized Gmail, Google Sheets, and Google Drive resources; process invoices and related finance workflows; run AI agents, background jobs, validation, logging, error handling, and scheduling; communicate with customers regarding setup, support, billing, updates, incidents, and compliance; prevent abuse, misuse, unauthorized access, and security incidents; and comply with legal obligations and enforce our rights.
6. Google API and Google User Data
Where the Service accesses Google user data, it does so only based on customer authorization and only for the specific functionality requested by the customer.
- We access Google data only for the purposes disclosed to the customer and authorized through the applicable Google consent flow or configuration.
- We use Google Workspace data only to provide the requested Service functionality and related security, support, and compliance operations.
- We do not use Gmail, Google Sheets, or Google Drive customer data to train generalized AI or machine-learning models.
- We do not sell Google user data.
- We do not use Google user data for advertising.
- We do not use Google user data for unrelated cross-customer profiling or analytics.
- We limit human access to customer content to cases where access is necessary for support requested by the customer, security, legal compliance, or enforcement of our contractual rights.
7. AI and Model Processing
The Service may use AI and machine-learning components, including services provided by Google and OpenAI, depending on the relevant workflow.
- Customer financial documents are processed through Google Gemini via the Google Gen AI SDK where applicable.
- OpenAI does not process customer financial documents.
- Gmail, Google Sheets, and Google Drive customer data is not used to train generalized models.
- Customer data is not used to improve general services unrelated to the customer’s own requested workflow.
8. Legal Bases
Where applicable law requires a legal basis, we rely on one or more of the following: performance of a contract, legitimate interests in operating, securing, and improving a business service, compliance with legal obligations, and consent where required.
9. Disclosure of Information
We may disclose information only to the relevant customer and its authorized users, our service providers and subprocessors engaged to operate the Service, professional advisers, auditors, insurers, and transaction counterparties under appropriate confidentiality obligations, and regulators, courts, law enforcement, or other third parties where required by law or necessary to establish, exercise, or defend legal claims. We do not sell customer data.
10. Service Providers / Subprocessors
Depending on configuration and workflow, our service providers may include Google, OpenAI, and Render. A current subprocessor list may be provided separately by contract or on request.
11. Data Retention
- Emails accessed by the Service: up to 7 days
- Customer-controlled Google Sheets data: retained in the customer’s own Google environment unless modified or deleted by the customer
- Agent outputs: up to 7 days, unless retained longer in customer-controlled storage or where a workflow requires longer retention
- Logs: retained for the period applicable to our current Render workspace plan and deleted thereafter unless exported to an external log retention provider
- Database logical backups: retained for up to 7 days after creation unless separately exported for longer retention
- Task history, infrastructure events, and error records: retained in accordance with the retention settings and lifecycle of our infrastructure providers and deleted or overwritten in the ordinary course, unless longer retention is required for security, compliance, dispute handling, or legal obligations
Some data may remain temporarily in backup systems or provider-controlled infrastructure until deleted or overwritten in the ordinary retention cycle.
12. Security
We use administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. The Service is designed with a security-first, customer-controlled, zero-trust model, including tenant-aware processing and isolated customer environments where applicable. We also rely in part on security controls provided by our infrastructure and cloud vendors, including encryption in transit, encryption at rest, centralized logging and monitoring, and access-control measures implemented by our providers. Customers remain responsible for securing their own Google accounts, credentials, internal permissions, API keys, environment variables, and customer-side access controls.
13. International Transfers
Because the Service is offered globally, information may be processed in countries other than the country where it was collected. Where required, we implement appropriate safeguards for cross-border transfers.
14. Data Subject Rights
Depending on applicable law, individuals may have rights such as access, correction, deletion, restriction, objection, portability, and withdrawal of consent where consent is the basis of processing. Requests may be sent to dev@tivano.eu. Where we process data on behalf of a customer, we may refer the request to that customer or assist the customer in responding, as appropriate.
15. Third-Party Services
The Service relies on third-party platforms and APIs, including Google services. Those third parties may process data under their own terms and privacy notices when acting independently of us.
16. Changes to this Policy
We may update this Privacy Policy from time to time. The updated version will be posted at privacy-policy.html with a revised “Last updated” date. Where required, we will provide additional notice.
17. Contact
Tivanopilot OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia
Registry code: 16838874
Email: dev@tivano.eu
Privacy: dev@tivano.eu