Capitaale (the “Service”), available at capitaale.com, is a product of 13Venture (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, and protect your personal data when you use the Service. We act as the data controller for the personal data described below and aim to comply with the EU General Data Protection Regulation (GDPR).
1. Who we are
Capitaale is built and operated by 13Venture, based in Serbia (13venture.com). For any privacy-related question or to exercise your rights, contact us at privacy@capitaale.com.
2. What data we collect
Account data
- Email address (required to create an account)
- Full name (required during signup)
- Profile picture (optional, uploaded by you or provided by Google when you sign in with Google)
- Password (stored as a salted hash by our authentication provider; we never see it in plain text)
Business and financial data you create
- Organization details: company name, address, tax IDs (PIB, VAT number), bank details for invoices
- Clients you add, projects, invoices, transactions, subscriptions, tax records
- Team members you invite (their email and role)
Subscription and billing data
- Your subscription tier (Starter, Pro, or Custom) and billing cycle
- A Polar customer ID and subscription ID linking your Capitaale organization to your Polar billing record
- Subscription status (active, past due, canceled) and current period end date
We do not store your card details. Card data is collected and stored directly by Polar (using Stripe as a sub-processor) under their PCI-DSS-compliant infrastructure.
Usage and technical data
- Page views and basic interaction events, collected through Google Analytics 4
- Error reports and performance traces, collected through Sentry when the app encounters a problem
- IP address, browser type, and device type (used by our hosting and analytics providers; we do not store these ourselves)
3. Why we use your data (legal basis)
- To provide the Service (contract performance, Art. 6(1)(b) GDPR) — creating your account, storing your business data, generating invoices, sending transactional emails like password resets and team invitations.
- To keep the Service secure and reliable (legitimate interest, Art. 6(1)(f) GDPR) — error monitoring, fraud prevention, abuse detection.
- To improve the Service (legitimate interest) — anonymous usage analytics that help us understand which features are useful.
- To comply with legal obligations (Art. 6(1)(c) GDPR) — for example, retaining invoices for the period required by tax law.
We use your business and financial data only to render the Service's functionality for you (display invoices, calculate totals, generate reports based on your entries). Capitaale is self-serve software, not an advisory service — we do not analyze your data to provide tax, financial, or legal advice, we do not produce personalized recommendations, and we do not share it with third parties for their own marketing or advisory purposes.
4. Who we share your data with (data processors)
We rely on a small set of trusted service providers to operate Capitaale. Each processes data on our behalf under a Data Processing Agreement:
- Supabase (database and authentication) — hosted in the EU. supabase.com/privacy
- Vercel (web hosting and CDN) — global edge, with EU regions for compute. vercel.com/legal/privacy-policy
- Resend (transactional email — password resets, team invitations, invoice emails) — EU region. resend.com/legal/privacy-policy
- Polar Software, Inc. (subscription billing and payment processing — receives your email, name, billing address, and payment method when you subscribe) — uses Stripe as a sub-processor for card processing. polar.sh/legal/privacy
- Sentry (error monitoring) — EU region. sentry.io/privacy
- Google Analytics 4 (usage analytics) — operated by Google Ireland Ltd. policies.google.com/privacy
- Google OAuth (if you sign in with Google) — operated by Google Ireland Ltd.
- Cloudflare (DNS) — cloudflare.com/privacypolicy
We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.
5. International data transfers
Most of your data is stored in the European Union. Some of our providers (notably Google Analytics and parts of Sentry/Vercel infrastructure) may process data in the United States or other countries. Where this happens, transfers are protected by the European Commission's Standard Contractual Clauses and supplementary safeguards.
6. How long we keep your data
- Account data: for as long as your account exists. If you delete your account, we delete it within 30 days unless we're legally required to keep it longer.
- Invoices and tax records: retained for the period required by the applicable tax law in your country (typically 5 to 10 years), even after account deletion, to comply with our legal obligations.
- Analytics data: 14 months, then automatically deleted by Google Analytics.
- Error logs: 90 days in Sentry, then automatically deleted.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify data that is inaccurate or incomplete
- Erase your data (right to be forgotten), subject to legal retention requirements
- Restrict or object to certain processing activities
- Receive your data in a portable format (data portability)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local supervisory authority — in Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection; in EU member states it is your national data protection authority.
To exercise any of these rights, email privacy@capitaale.com. We respond within 30 days.
8. Cookies and similar technologies
Capitaale uses cookies only where necessary:
- Essential cookies for authentication and session management — required for the Service to work, and used without consent.
- Analytics cookies set by Google Analytics 4, used to understand aggregate site usage. You can disable these in your browser settings or with a browser extension such as Google Analytics Opt-out.
We do not use advertising cookies, retargeting pixels, or third-party tracking beyond what is described above.
9. Security
We protect your data with industry-standard measures: TLS encryption in transit, encryption at rest in our database, hashed passwords, role-based access control, regular backups, and Row-Level Security policies ensuring users can only access their own organization's data. No system is perfectly secure, but we work to keep yours safe.
10. Children
Capitaale is intended for business users 18 years and older. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we'll notify you by email or via a notice in the app at least 30 days before the change takes effect. The “Last updated” date at the top of this page always shows the current version.
12. Contact us
Questions, requests, or concerns? Email us at privacy@capitaale.com and we'll get back to you.
