Last updated: 13 March 2026
Effective date: 13 March 2026
1. Who we are
Arvello is a self-service accounting platform for Estonian OÜ companies, operated by:
Namasgo OÜ
Estonian registry code: 16747054
Address: Harku Tee 34, Rannamõisa, 76906
Email: info@arvello.ee
Website: https://arvello.ee
Throughout this policy, “Arvello,” “we,” “us,” and “our” refer to Namasgo OÜ.
2. What this policy covers
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Arvello platform (the “Service”), visit our website, or communicate with us. It applies to all users of the Service, including Estonian e-residents.
Arvello acts as a data controller for your account information, billing data, and usage analytics. When you use Arvello to process your company's financial data (invoices, expenses, payroll, etc.), we act as a data processor on your behalf — you remain the data controller for that business data.
3. What data we collect and why
3.1 Account and profile data
| What we collect | Why we collect it | Legal basis |
|---|---|---|
| Name, email address | To create and manage your account, authenticate you, and communicate with you | Contractual necessity (Art. 6(1)(b)) |
| Company name, registry code, VAT number | To configure your accounting environment and enable regulatory filings | Contractual necessity (Art. 6(1)(b)) |
| Billing address and payment information | To process subscription payments via Stripe | Contractual necessity (Art. 6(1)(b)) |
3.2 Financial and business data you enter
| What we collect | Why we collect it | Legal basis |
|---|---|---|
| Invoices, expenses, receipts | To provide core accounting features | Contractual necessity (Art. 6(1)(b)) |
| Bank transactions (via Enable Banking) | To enable bank reconciliation and transaction matching | Contractual necessity (Art. 6(1)(b)) |
| Payroll data (employee names, salaries, tax IDs) | To calculate salaries, taxes, and generate payroll declarations | Contractual necessity (Art. 6(1)(b)) |
| VAT returns and annual report data | To generate and (where enabled) submit regulatory filings | Contractual necessity (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Asset registers and depreciation schedules | To track fixed assets and calculate depreciation | Contractual necessity (Art. 6(1)(b)) |
3.3 Data from third-party sources
| What we collect | Source | Why we collect it | Legal basis |
|---|---|---|---|
| Bank account balances and transactions | Enable Banking (via your bank) | To import transactions for reconciliation | Contractual necessity (Art. 6(1)(b)), with your explicit authorisation |
| Company registry data | Estonian e-Ariregister (RIK API) | To pre-fill company details and support annual report generation | Contractual necessity (Art. 6(1)(b)) |
| Tax filing confirmations | Estonian Tax and Customs Board (EMTA) via X-tee | To confirm submission of VAT returns and other filings | Legal obligation (Art. 6(1)(c)) |
3.4 Usage and analytics data
| What we collect | Why we collect it | Legal basis |
|---|---|---|
| Page views, feature usage, session duration (collected via PostHog in cookieless mode) | To understand how the Service is used, identify issues, and improve the product | Legitimate interest (Art. 6(1)(f)) |
| Device type, browser type, operating system, screen resolution | To ensure compatibility and troubleshoot technical issues | Legitimate interest (Art. 6(1)(f)) |
PostHog is configured in cookieless mode, meaning no cookies or identifiers are stored on your device for analytics purposes. Analytics data is processed on PostHog's EU servers (Frankfurt, Germany).
3.5 Communication data
| What we collect | Why we collect it | Legal basis |
|---|---|---|
| Support requests and correspondence | To provide customer support and improve the Service | Contractual necessity (Art. 6(1)(b)) |
| Transactional emails (sent via Resend) | To send you receipts, filing confirmations, security alerts, and service updates | Contractual necessity (Art. 6(1)(b)) |
| Marketing communications | To inform you about new features, tips, and offers (only with your consent) | Consent (Art. 6(1)(a)) |
3.6 AI-assisted features
Arvello uses artificial intelligence (powered by Anthropic Claude) to provide features such as intelligent categorisation suggestions, tax optimisation insights, and report generation assistance.
When you use AI-assisted features:
- We send only the minimum data necessary for the specific feature to function.
- Your data is not used to train AI models. Anthropic does not use API inputs for model training.
- AI outputs are informational suggestions only — you are always responsible for reviewing and approving any AI-generated content before use.
- You can disable AI-assisted features at any time in your account settings.
4. How we share your data
We do not sell your personal data. We share data only in the following circumstances:
Service providers (sub-processors): We use carefully selected third-party providers to operate the Service. Each provider processes data only on our instructions and under contractual data protection obligations. See Section 5 for the full list.
Estonian government systems: When you use Arvello to file VAT returns, annual reports, or other regulatory submissions, we transmit the required data to Estonian government systems (EMTA, e-Ariregister) on your behalf and at your instruction.
Legal requirements: We may disclose data if required by law, court order, or a binding request from a competent authority.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you in advance and give you the option to delete your account.
5. Sub-processors
We maintain a list of sub-processors who help us deliver the Service. We will notify you at least 30 days before adding a new sub-processor. If you object to a new sub-processor, you may terminate your subscription.
| Provider | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Database hosting and authentication | All account and business data | EU (Frankfurt) | N/A (EU-to-EU) |
| PostHog | Product analytics | Anonymised usage data (cookieless) | EU (Frankfurt) | N/A (EU-to-EU) |
| Stripe | Payment processing | Name, email, billing address, payment method | Ireland (EU) and United States | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Resend | Transactional email delivery | Email address, email content | United States | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Vercel | Application hosting | Technical request data (IP address, headers) | EU (primary), United States (CDN) | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Anthropic (Claude) | AI-assisted features | Minimal contextual data for AI features | United States | Standard Contractual Clauses and Transfer Impact Assessment |
| Enable Banking | Open banking connectivity | Bank account details and transactions | Finland / EEA | N/A (EU-to-EU) |
| Estonian Government Systems (EMTA, e-Ariregister) | Tax filing and company registry | Financial and company data as required by law | Estonia | N/A (domestic) |
You can subscribe to sub-processor change notifications by emailing info@arvello.ee.
6. International data transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where we use sub-processors that transfer data outside the EEA (see Section 5), we rely on one or more of the following safeguards:
- EU-US Data Privacy Framework (DPF): For transfers to US-based providers that are DPF-certified (Stripe, Resend, Vercel).
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses that bind the recipient to EU-equivalent data protection standards. Used as a supplementary safeguard alongside the DPF and as the primary mechanism for Anthropic.
- Transfer Impact Assessments (TIAs): We conduct and maintain assessments of the legal framework in each recipient country to ensure your data is adequately protected.
If the DPF is invalidated or a sub-processor loses its certification, we will rely on SCCs and, where necessary, implement additional technical or organisational measures.
7. How long we keep your data
We retain your data only for as long as necessary for the purpose it was collected, or as required by law. Specific retention periods vary by data category:
| Data category | Retention period | Reason |
|---|---|---|
| Financial transactions, invoices, and accounting records | 7 years after the end of the relevant financial year | Estonian Accounting Act (Raamatupidamise seadus) §12 |
| Tax filing records (VAT returns, annual reports) | 7 years after the end of the relevant financial year | Estonian Accounting Act §12 and EMTA requirements |
| Payroll records | 7 years after the end of the relevant financial year (10 years for employment contracts) | Estonian Accounting Act §12 and Employment Contracts Act |
| Account and profile data | Duration of account plus 30 days after deletion | Contractual necessity |
| Analytics data (PostHog) | Up to 2 years, anonymised where possible | Legitimate interest |
| Support and communication logs | 3 years from creation | Legitimate interest |
| AI interaction logs | 1 year, then deleted or anonymised | Legitimate interest |
| Marketing consent records | Until consent is withdrawn, plus 1 year as proof | Legal obligation (accountability) |
When retention periods expire, data is either permanently deleted or irreversibly anonymised within 90 days.
8. Your rights
Under GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15): You can request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17): You can ask us to delete your personal data. However, we cannot delete data that we are legally required to retain under Estonian accounting law (see Section 7). In such cases, we will anonymise identifying information where possible and restrict access to retained records.
Right to restriction (Art. 18): You can ask us to temporarily restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (CSV, JSON). Arvello provides a self-service data export tool in your account settings.
Right to object (Art. 21): You can object to processing based on legitimate interest (including analytics). If you object, we will stop processing unless we demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on your consent (e.g., marketing emails), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
Right not to be subject to automated decisions (Art. 22): Arvello does not make automated decisions that produce legal or similarly significant effects. AI features provide suggestions for your review — they do not automatically execute actions.
To exercise any of these rights, contact us at info@arvello.ee. We will respond within one month. If your request is complex or we receive many requests, we may extend this by up to two additional months, with notice.
9. Account deletion
You can request account deletion at any time through your account settings or by emailing info@arvello.ee. When you request deletion:
- You will be prompted to export your data before deletion begins.
- A 30-day grace period applies, during which you can cancel the deletion and restore your account.
- After the grace period, we will:
  - Delete your profile, preferences, login credentials, and marketing data.
  - Anonymise identifying information in financial records that must be retained under Estonian law (removing your name, email, and other personal identifiers while preserving the financial data in anonymised form).
  - Retain anonymised financial records for the remainder of the statutory 7-year period, after which they will be permanently deleted.
10. Cookies and tracking
Arvello uses PostHog in cookieless mode for product analytics. In this mode, no cookies or other identifiers are stored on your device. PostHog uses a privacy-preserving server-side method that does not track you across sessions or devices.
The only cookies Arvello uses are strictly necessary cookies for:
- Maintaining your login session (authentication)
- Remembering your language preference
- Ensuring security (e.g., CSRF protection)
These cookies are essential for the Service to function and do not require your consent under the ePrivacy Directive. We do not use advertising cookies or third-party tracking cookies.
11. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security in our database ensuring strict data isolation between accounts
- Regular security reviews and dependency updates
- Access controls limiting employee access to personal data on a need-to-know basis
- Secure authentication with support for multi-factor authentication
- Regular backups with encryption
While we take extensive precautions, no system is completely secure. If we discover a data breach that poses a risk to your rights, we will notify you and the Estonian Data Protection Inspectorate within 72 hours.
12. Children
Arvello is a B2B accounting service and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify you by email at least 30 days before the changes take effect
- Post the updated policy on our website with a clear “last updated” date
- Where required, seek your renewed consent
If you do not agree with the updated policy, you may delete your account before the changes take effect.
14. Complaints and supervisory authority
If you believe we have not handled your data properly, you have the right to lodge a complaint with:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Website: https://www.aki.ee
You may also lodge a complaint with the data protection authority in your country of residence if you are located in another EU/EEA member state.
15. Contact us
For any questions about this Privacy Policy or your personal data, please contact:
Email: info@arvello.ee
Postal address: Namasgo OÜ, Harku Tee 34, Rannamõisa, 76906, Estonia
We aim to respond to all enquiries within 5 business days.