Privacy Policy

Effective date: March 10, 2026

Bilustek, LLC ("Company", "we", "us") operates KasaBook ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (hashed). If you sign in with Google, we receive your Google account ID, name, and email address.

1.2 Financial Data

You may upload or enter financial data including expense records, vendor names, categories, amounts, currencies, payment methods, reference numbers, and notes. This data is stored securely and is only accessible within your workspace.

1.3 Uploaded Documents

When you use Smart Scan or AI Import, you may upload files (PDF, images, spreadsheets). These files are processed in memory for data extraction and are not permanently stored on our servers after processing is complete.

1.4 Usage Data

We automatically collect information about how you interact with the Service, including AI token consumption, feature usage patterns, timestamps, and session metadata. This data is used for billing, analytics, and service improvement.

1.5 Device & Browser Information

We collect standard technical information such as your IP address, browser type, operating system, and device identifiers through server logs and cookies.

2. How We Use Your Information

Purpose	Data Used
Provide and operate the Service	Account info, financial data
AI-powered features (chat, insights, scan)	Financial data summaries sent to OpenAI API
Process payments	Email, subscription plan (via Stripe)
Authenticate your identity	Email, password hash, Google ID
Monitor usage and enforce quotas	Token consumption, feature usage
Improve the Service	Aggregated, anonymized usage patterns
Communicate with you	Email address

3. Third-Party Services

We share limited data with the following third-party providers:

• OpenAI — Financial data summaries and user queries are sent to OpenAI's API for AI-powered features. OpenAI's data usage policies apply. We do not send raw uploaded documents for permanent storage; data is processed in real-time.
• Stripe — Handles payment processing. We do not store your credit card details. Stripe's privacy policy governs payment data.
• Google — If you use Google Sign-In, Google shares your basic profile information (name, email, Google ID) with us. Google's privacy policy applies.
• Slack — If you configure a Slack integration, messages are sent to your configured webhook URL. Slack's privacy policy applies.

4. Data Security

We implement industry-standard security measures to protect your data, including:

• Encrypted data transmission (TLS/HTTPS)
• Hashed passwords (bcrypt)
• JWT-based authentication with token expiration
• Database access restricted to application services only
• Regular security updates and monitoring

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and financial records within 30 days, except where retention is required by law (e.g., billing records for tax compliance).

Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics and service improvement.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate data
• Deletion — Request deletion of your account and associated data
• Export — Export your financial data in standard formats
• Restriction — Request restriction of processing in certain circumstances
• Objection — Object to processing based on legitimate interests

To exercise any of these rights, contact us at info@bilustek.com.

7. Cookies

The Service uses essential cookies and local storage for authentication (JWT tokens) and user preferences. We do not use third-party tracking cookies or advertising cookies.

8. Children's Privacy

The Service is not intended for use by children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

9. International Data Transfers

Your data may be processed in the United States where our servers are located. By using the Service, you consent to the transfer of your data to the United States. We ensure appropriate safeguards are in place for international transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service at least 30 days before they take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

11. Contact

If you have questions or concerns about this Privacy Policy or your data, contact us at info@bilustek.com.

Bilustek, LLC
Delaware, USA