Privacy Policy
This Privacy Policy explains how Cleero ("Cleero", "we", "us", "our") processes personal data when you use our website cleero.be, our web application at app.cleero.be (together: the "Platform"), and when you otherwise interact with us. We are committed to protecting your privacy and to processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Belgian data protection laws.
Who We Are (Data Controller)
The Cleero application and website are operated by Peakdesigns CommV, acting under the brand name Cleero. For the purposes described in this Privacy Policy, Peakdesigns CommV acts as the data controller for the personal data of users of the Platform and website visitors.
Peakdesigns CommV ("Cleero")
Voortstraat 72
3580 Beringen
Belgium
VAT: BE 0759.767.742
Email: [email protected]
Depending on how you use our services, you may also act as an independent data controller, for example when you upload or enter personal data of your own customers, suppliers, or employees into the Platform. In those cases, you are responsible for ensuring that such processing is compliant with the GDPR (for example by providing your own privacy notice to those data subjects).
Scope of This Policy
This Privacy Policy applies when we process personal data of:
- Visitors to our website cleero.be;
- Users of our Platform (app.cleero.be) such as entrepreneurs, companies, accountants, and their staff;
- Individuals whose data are included in documents and data processed via the Platform (e.g. customers, suppliers, contact persons, employees);
- People who contact us via email, support channels, or social media;
- Prospective customers and newsletter subscribers.
If you want information on how we use cookies and similar technologies, please refer to our separate Cookie Policy.
Categories of Personal Data
We process the following categories of personal data, depending on your relationship with us and how you use the Platform:
Account and Profile Data
- Identification data: first name, last name, title;
- Contact data: email address, telephone number;
- Account data: username, password (stored in hashed form), authentication logs;
- Language preferences and communication preferences;
- Company information: company name, VAT number, business address, industry, role/function.
Data in the Platform (Business and Financial Data)
The core of our service is to process and store business and financial data. This data may contain personal data of you and of third parties (such as your customers, suppliers, and employees). Examples include:
- Invoices, credit notes, quotes, reminders and other documents;
- Customer and supplier records (names, contact details, VAT numbers, bank details where relevant);
- Expenses and purchase records (including uploaded receipts, invoices and similar documents);
- Bank transaction data obtained via connected bank feeds or imported statements;
- Accounting and reporting data derived from the above.
You are responsible for the accuracy, lawfulness and up-to-date nature of the personal data you upload or enter into the Platform. Where you input personal data of third parties (e.g. your customers), you must ensure you have a valid legal basis to do so and that those individuals have been appropriately informed. Our Platform is not designed for the systematic processing of special categories of personal data within the meaning of Article 9 GDPR (such as data concerning health, religious beliefs or trade-union membership). You should avoid including such sensitive data in documents or fields processed via the Platform unless this is strictly necessary, lawful and in line with your own obligations as controller.
Technical and Usage Data
- IP address, browser type and version, operating system, device information;
- Date and time of access, pages visited, actions performed within the application (audit logs), approximate location (based on IP address);
- Cookie identifiers and similar tracking identifiers (as described in our Cookie Policy);
- Log data related to performance, errors and security events.
Communication and Support Data
- Content of emails and messages you send to us (e.g. support requests, feedback, complaints);
- Support ticket metadata (timestamps, internal notes related to your request);
- Call notes (if you contact us by phone) to the extent necessary to handle your request.
Marketing and Prospect Data
- Newsletter subscription details (name, email, language and interests, if provided);
- Information you provide at events or via forms (e.g. lead forms, demo requests);
- Preferences regarding receiving marketing communications.
Purposes and Legal Bases of Processing
We process personal data for the purposes listed below and rely on the following legal bases under the GDPR:
Providing and Operating the Platform
We process personal data to:
- Create and manage user accounts and organizations;
- Provide invoicing, expense management and related accounting features;
- Issue and send documents (e.g. invoices, reminders, quotes) by email or via Peppol;
- Connect to banking partners to synchronize transactions (only with your explicit set-up and authorization);
- Import and reconcile bank statements and accounting documents from third-party providers where you activate those integrations;
- Enable collaboration with accountants or other authorized users;
- Provide customer support and incident management.
Legal basis: Article 6(1)(b) GDPR (performance of a contract) and, where you act as a representative of a company, our legitimate interest in communicating with our customers and users (Article 6(1)(f) GDPR).
Compliance with Legal Obligations
We process personal data to comply with legal obligations, in particular under Belgian accounting, tax and anti-money laundering laws. This includes:
- Retention of accounting documents and records for the legally required period (typically 7–10 years, depending on the specific obligation);
- Providing information to competent authorities where we are legally obliged to do so;
- Implementing measures to prevent fraud, abuse and money laundering, where applicable.
Legal basis: Article 6(1)(c) GDPR (compliance with a legal obligation).
KYC and Risk Checks
For certain organizations and use cases (for example in the context of Peppol connectivity, banking integrations or subscription billing), we may perform Know Your Customer (KYC) and related risk checks using specialized third-party providers. This typically involves verifying organization details and, where applicable, information about representatives or contact persons.
When you start a KYC flow, you will be redirected to a secure verification environment operated by such a provider. In that environment, they may ask you to provide identity information, including images of your identity document (for example an ID card or passport), selfie photos or short videos for liveness checks, and other data necessary to confirm your identity and role. This evidence (which may include biometric data such as facial templates or liveness signals) is collected and stored on the infrastructure of that verification provider under its own terms and privacy notice. We receive the outcome and relevant status information (for example whether the verification was successful, needs additional information, or was declined), together with limited metadata needed to link the result to your organization and account, but we do not systematically store the raw ID document or selfie images in our own systems.
Where you submit individuals to KYC checks as an independent controller (for example your own directors or representatives), you are responsible for ensuring that there is an appropriate lawful basis for the processing (including explicit consent for biometric data where required by law) and that those individuals receive adequate information about the use of KYC providers and the potential processing of biometric identifiers.
Legal basis: Our legitimate interest in safeguarding our services and complying with contractual and regulatory requirements (Article 6(1)(f) GDPR), and, where checks are required by law or by our financial partners, Article 6(1)(c) GDPR (legal obligation).
Security, Fraud Prevention and Service Improvement
We process technical and usage data to:
- Secure the Platform and underlying infrastructure (e.g. monitoring, access logs, anomaly detection);
- Prevent, detect and investigate (attempted) abuse, fraud or security incidents;
- Monitor performance and reliability of the Platform;
- Improve and optimize existing features and develop new ones (e.g. by analyzing anonymized or aggregated usage data).
Legal basis: Our legitimate interest in keeping our services secure, reliable and continuously improving them (Article 6(1)(f) GDPR).
Marketing and Communication
We may use your contact details to:
- Send service-related communications (e.g. changes to the Platform, security alerts, important updates);
- Send newsletters and marketing communications about Cleero, new features and offers;
- Invite you to surveys, webinars or events.
Legal basis:
- For service-related and transactional communications: our legitimate interest and/or contract performance (Article 6(1)(b) and (f) GDPR);
- For electronic direct marketing to non-customers: your prior consent (Article 6(1)(a) GDPR and applicable e-privacy rules);
- For marketing to existing customers about similar services: our legitimate interest, with an easy opt-out in each message (Article 6(1)(f) GDPR).
Handling Requests, Questions and Complaints
When you contact us (e.g. via [email protected] or through the in-app support), we process the information you provide in order to respond to and follow up on your request.
Legal basis: Our legitimate interest in answering your questions and providing support (Article 6(1)(f) GDPR) and, where applicable, performance of a contract (Article 6(1)(b) GDPR).
Consent-Based Processing
Where we rely on your consent (e.g. for certain cookies, for specific marketing communications, or where exceptionally sensitive data would be processed), you are free to withdraw that consent at any time.
Legal basis: Article 6(1)(a) GDPR (consent). Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Peppol and Banking Integrations
Peppol E-Invoicing
Cleero supports sending and receiving e-invoices via the Peppol network. When you enable Peppol in your organization settings, we process personal data that appear in your invoices and registration details in order to deliver and receive documents via the Peppol infrastructure.
This involves:
- Sharing invoice data (including possible personal data of contact persons) with our Peppol access point provider and the recipient's Peppol endpoint;
- Processing identifiers such as your Peppol ID, VAT number, and organization details;
- Receiving status updates and delivery reports from the Peppol network.
Legal basis: Performance of the contract (Article 6(1)(b) GDPR) and compliance with legal obligations relating to e-invoicing.
Bank Connections
If you connect your bank account or enable bank feeds, we will receive transaction data from the selected accounts via secure banking APIs or files you upload. This data may include transaction descriptions containing personal data.
We use this data to:
- Synchronize and reconcile bank transactions with your invoices and expenses;
- Import and process bank statements and related accounting documents from providers such as Codabox, if you enable those connections;
- Generate financial overviews and reports within the Platform;
- Support you in your bookkeeping and collaboration with your accountant.
Legal basis: Performance of the contract (Article 6(1)(b) GDPR) and compliance with applicable financial and accounting obligations (Article 6(1)(c) GDPR).
Data Sharing and Recipients
We do not sell your personal data. We only share data in the following situations:
Processors (Service Providers)
We work with carefully selected service providers who process personal data on our behalf ("processors"), for example for:
- Cloud hosting and infrastructure;
- Database backup and monitoring;
- Email delivery and tracking for transactional and notification emails (for example via providers such as Postmark, which process delivery, open, bounce and complaint events);
- Payment processing for subscriptions (for example via providers such as Mollie);
- Analytics, error tracking and logging;
- Customer support tooling;
- OCR and document processing providers used to extract data from invoices and receipts (for example Google Cloud Document AI and Google Cloud Storage in EU regions);
- Peppol access point providers and related e-invoicing infrastructure;
- Banking connectivity providers (for example Ponto) and bank statement/document providers (for example Codabox), where you enable those integrations;
- Identity verification, KYC and compliance providers we use to verify organizations and, where relevant, their representatives in specific cases. In those flows, these providers may collect and host identity documents and biometric evidence (such as ID card scans and selfies) in their own environments while sharing verification results and limited metadata back to us.
These processors may only process personal data according to our documented instructions, within the framework of a data processing agreement as required by Article 28 GDPR. They are not allowed to use the data for their own purposes.
Accountants and Other Authorized Users
You can invite accountants, colleagues or other third parties to your organization or share specific documents with them via the Platform. In that case, you control which data is shared and with whom. You are responsible for ensuring that such sharing is lawful and, where necessary, covered by an appropriate agreement between you and that third party.
Integrations and Webhooks Configured by You
You can choose to connect Cleero to other software tools (for example accounting, CRM or payment applications) or to configure outbound webhooks that send events from Cleero to URLs you control. When you activate these integrations, we will transmit the data you select (such as document, customer or transaction data) to those third parties on your behalf. Those third parties process the data under their own terms and privacy policies, and you are responsible for configuring and maintaining those integrations in a GDPR-compliant manner. For some integrations (for example Codabox "Sales Invoice – Copy to Accountant"), you may accept separate terms directly with the integration provider. In those cases, that provider may act as an independent controller for the processing it performs under its own conditions and is responsible for its own compliance with data protection law.
Authorities and Legal Obligations
We may disclose personal data to public authorities, regulators, law enforcement agencies or courts when required by law or when we have a good-faith belief that such disclosure is reasonably necessary to comply with legal processes, to respond to claims, or to protect our rights, users, or the public.
Business Transfers
In the context of a corporate transaction (e.g. merger, acquisition, restructuring), personal data may be disclosed to the relevant third parties involved in the transaction, subject to appropriate confidentiality safeguards.
International Transfers
As a rule, we aim to store and process personal data within the European Economic Area (EEA). If personal data are transferred to countries outside the EEA that do not provide an adequate level of protection, we will ensure that appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses or any other mechanism recognized by the GDPR.
Data Retention
We do not keep personal data longer than necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. In particular:
- Accounting and financial data (including invoices, supporting documents and bank transactions): retained for the period required by Belgian accounting and tax law (typically 7–10 years after the end of the financial year);
- Account data: retained for as long as your account is active. After closure, we will retain limited information for a reasonable period (e.g. up to 3 years) for legal claims and record-keeping, and for as long as required by legal retention duties;
- Support and correspondence data: retained for the duration necessary to handle your request and for a reasonable period thereafter for evidence and quality assurance (e.g. up to 3 years, unless a dispute requires longer retention);
- Marketing data: retained until you withdraw your consent or object to the processing, or until we determine that the data is no longer accurate or relevant;
- Technical logs: retained for security and operational purposes, typically between several weeks and a maximum of 12 months, unless a longer period is required in the context of an incident or legal obligation.
After the applicable retention periods, personal data will be deleted or irreversibly anonymized so that individuals are no longer identifiable.
Your Rights Under the GDPR
Subject to the conditions and limitations under the GDPR, you have the following rights with respect to your personal data:
- Right of access: you can request confirmation as to whether we process your personal data and obtain a copy of those data;
- Right to rectification: you can request correction of inaccurate or incomplete personal data;
- Right to erasure: you can request deletion of your personal data in certain circumstances (e.g. if the data are no longer needed, if you withdraw consent and there is no other legal basis, or if the processing is unlawful);
- Right to restriction: you can request that we restrict processing in certain situations (e.g. while we assess an objection or verify accuracy);
- Right to data portability: for data that you have provided to us and that we process by automated means on the basis of consent or contract, you can request a structured, commonly used and machine-readable copy, or ask us to transmit it to another controller where technically feasible;
- Right to object: you can object, on grounds relating to your particular situation, to processing based on our legitimate interests. You can always object to processing for direct marketing without giving any reason;
- Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
You can exercise these rights by contacting us at [email protected]. We may ask you for additional information to confirm your identity where necessary. We aim to respond within one month of receiving your request, in accordance with Article 12 GDPR.
Data Subject Rights Related to Data You Control
If you are a customer of Cleero and you store personal data of third parties in the Platform (e.g. your own customers, suppliers or employees), you act as an independent data controller for that data. Any data subject requests those individuals make to us regarding such data will, where appropriate, be forwarded to you. You are responsible for handling those requests in accordance with the GDPR.
Security of Personal Data
We take appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures include, among others:
- Encrypted connections (HTTPS/TLS) between your browser and our Platform;
- Encryption of data at rest for core infrastructure where applicable;
- Access controls and authentication mechanisms, including support for strong passwords and additional security measures;
- Role-based access within our organization so that only authorized staff have access to data on a need-to-know basis;
- Regular backups and mechanisms for disaster recovery;
- Monitoring, logging and alerting to detect unusual activity;
- Internal policies and staff training on data protection and confidentiality.
We also apply automated routines and scheduled jobs to enforce our retention rules and to implement soft-deletion and obfuscation where appropriate, in line with our legal obligations.
Despite these measures, no system can be fully secure. If you suspect any misuse, loss or unauthorized access to your personal data, please contact us immediately at [email protected].
Data Breaches
In the event of a personal data breach, we will assess the potential risks to individuals and, where required by law, notify the Belgian Data Protection Authority and, where applicable, the affected individuals, in accordance with Articles 33 and 34 GDPR.
Children
The Platform is not intended for use by children under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected such data, we will take steps to delete it.
Changes to This Privacy Policy
We may amend this Privacy Policy from time to time, for example to reflect changes in the law or in our services. The most recent version will always be available on https://www.cleero.be and within the Platform. Where changes are material, we will provide a clear notice (for example via email or an in-app notification).
Questions and Complaints
If you have questions about this Privacy Policy or how we process personal data, or if you wish to exercise your rights, you can contact us at:
Email: [email protected]
You also have the right to lodge a complaint with the competent supervisory authority. In Belgium, this is the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be
Annex – Data Processing Terms (Controller–Processor)
This Annex applies where, in the context of providing the Platform, we process personal data as a data processor on behalf of you as data controller within the meaning of the GDPR. It forms part of the agreement between you and Cleero and is incorporated by reference into our Terms of Service and this Privacy Policy.
Subject Matter, Duration and Nature of Processing
- Subject matter: processing of personal data included in Customer Data that you upload or generate in the Platform (such as invoices, expenses, bank transactions and contact data) for the purpose of providing and supporting the Cleero services.
- Duration: for the duration of your subscription or contractual relationship with us, plus any retention period required by law or contract as described in this Privacy Policy and our Terms of Service.
- Nature and purpose: hosting, storage, organization, viewing, use, transmission and other operations on personal data as necessary to provide, maintain, secure and improve the Platform, to provide support and to comply with applicable legal obligations.
- Types of personal data: as described in Sections 3 and 5 of this Privacy Policy (e.g. identification and contact details, financial and transaction data, data contained in documents, technical and usage data where relevant).
- Categories of data subjects: your representatives and staff, your customers and suppliers, and other individuals whose data are included in the Customer Data you process via the Platform.
Roles and Instructions
- You act as data controller with respect to Customer Data processed in the Platform for your own business purposes.
- Cleero acts as data processor for such Customer Data and will only process it on your documented instructions, which are primarily set out in our Terms of Service, this Privacy Policy, your configuration of the Platform and any written instructions you reasonably provide to us from time to time (to the extent consistent with the contract and technical capabilities).
- If we are required by EU or Member State law to process personal data beyond your instructions, we will inform you of that legal requirement before processing (unless that law prohibits such information on important grounds of public interest).
Confidentiality and Security
- We ensure that persons authorized to process personal data on our behalf are bound by an appropriate duty of confidentiality (whether contractual or statutory).
- We implement appropriate technical and organizational measures to protect personal data as described in Section 11 (Security of Personal Data) of this Privacy Policy, taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing.
Subprocessors
- We may engage subprocessors (other processors) to process personal data on our behalf for the purposes described in this Privacy Policy (for example hosting providers, email delivery, payment processors, banking connectivity providers, OCR/document processing providers, Peppol access points and KYC providers).
- We will enter into written agreements with such subprocessors that impose data protection obligations no less protective than those set out in this Annex, as required by Article 28(4) GDPR.
- We remain responsible towards you for the performance of our subprocessors in relation to the obligations under this Annex.
Assistance and Data Subject Requests
- Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to you, upon request, in fulfilling your obligations to respond to requests from data subjects exercising their rights under the GDPR (for example access, rectification, erasure, restriction, portability and objection).
- Where a data subject contacts us directly in relation to data that you control, we will, where appropriate, either direct them to you or notify you so that you can handle the request, unless we are legally required to respond directly.
Assistance with Security, Breaches and DPIAs
- Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to you in ensuring compliance with your obligations under Articles 32 to 36 GDPR (security of processing, data breach notifications, data protection impact assessments and prior consultation), insofar as such obligations relate to the processing we carry out on your behalf.
- We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, in accordance with Section 12 of this Privacy Policy, and provide you with information reasonably required to meet your legal obligations.
Deletion or Return of Data
- Upon termination or expiry of your subscription or upon your written request, we will delete or return to you the personal data processed on your behalf, in accordance with our data retention practices described in Section 8 of this Privacy Policy and our Terms of Service, unless a longer retention period is required by law.
- We may retain copies of personal data to the extent required for compliance with legal obligations, for evidence in case of legal claims, or as otherwise permitted by applicable law, in which case such data will be handled in accordance with this Privacy Policy.
International Transfers
Where we or our subprocessors transfer personal data to a country outside the EEA that does not provide an adequate level of protection, we will ensure that such transfer is covered by appropriate safeguards under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses or any other transfer mechanism recognized by the European Commission.
Audits and Information
- We will make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this Annex, for example by providing documentation or security summaries and, where appropriate, responses to reasonable questionnaires.
- Where required by law and subject to reasonable notice, confidentiality and security requirements, you (or an independent auditor mandated by you) may carry out audits or inspections of our relevant processing activities, limited to what is necessary to verify compliance with this Annex and Article 28 GDPR. The scope, timing and practical modalities of such audits will be agreed in advance, and audits will be carried out in a manner that minimizes disruption to our operations.
