Accounting Software Scandinavia AB ("Lerry.ai") is a provider of software and cloud services for accounting and finance, including document and image uploading, analysis and automated checks (the "Services").
Lerry.ai is the data controller for the processing of personal data that you share with us when, for example:
The data controller for personal data within the Services themselves is the registered customer ("Customer") – for example an accounting firm, a company or an association. Users (employees or contractors of the Customer) with their own logins are referred to below as "Users". The role of "System Administrator" represents the Customer in the Services, manages users and permissions and may issue instructions to us regarding the processing of data – including personal data – within the Services.
In these cases, Lerry.ai acts as data processor on behalf of the Customer. Our organizational and technical security measures are set out in our General Terms and Conditions, our Data Processing Agreement (DPA) and the information on our website.
Our processing of personal data is subject to applicable laws, such as the GDPR, including the lawfulness of processing according to its Art. 6(1)(a) (consent), Art. 6(1)(b) (contract), Art. (6.1)(c) (legal obligation) and (Art. 6(1)(f)) (legitimate interests).
The data processed depends on your relationship with us (customer, user, visitor) and the type of entity. Company details may constitute personal data if you are a sole trader. When you place an order, we collect contact and company details. All Users have registered contact details, login credentials and online identifiers held by us in order to use the Services.
For event and webinar registrations, we need your email address and sometimes your name, company and title. When contacting support, the categories may vary by channel; typically contact details, online identifiers, company details and the subject matter of the query (unstructured material).
A detailed list of categories, occasions, legal basis and retention periods is provided in Annex 1.
We process personal data in order to provide the Services, fulfill agreements, provide access and support, improve the user experience in Lerry.ai and on the web, and for security, statistics and (voluntary) marketing:
If you choose to use features for uploading images or documents from your device, the Services may – with your consent – access the camera or photo library to enable uploading.
The Services use artificial intelligence, including large language models (LLM), to generate communications on behalf of the Customer. We would like to inform you of the following:
Model Training: We do not use the Customer's content or communications generated through the Services to train our own or third-party basic models, beyond what is necessary to provide the Services to the individual Customer.
We may share personal data with our suppliers (data processors and sub-processors) within the EU for the operation, support, storage, analysis and delivery of the Services. An overview of recipients and storage locations for each processing activity within the Services is provided upon request and/or in the DPA.
Our suppliers are bound by agreements that ensure protection equivalent to that required under the GDPR. For e-invoicing or the activation of external integrations, the necessary data is shared with the selected service provider – at your or the Customer's request.
We may also share data within our group when necessary to provide the Services and fulfill our obligations. Authorities may receive access to data, if we are legally required to disclose it.
We retain data for as long as the customer relationship exists or as long as is necessary for the purposes described in this policy. Upon termination of the agreement, we delete or anonymize data within 90 days, unless relevant law, court order or authority requires longer retention. Certain data may be anonymized for statistical purposes.
Data may be retained on the basis of a balancing of interests for security or financial reasons, and to establish, assert or defend legal claims (e.g. in accordance with statutes of limitation). In the Services, the System Administrator can delete data; where this is not technically possible (e.g. locked verification series), the System Administrator must contact us.
Right to information – You have the right to be informed when your personal data is processed.
Right of access – You may request confirmation and receive a copy of your personal data.
Right to rectification – You may have inaccurate data corrected and completed.
Right to erasure – In certain cases, you may have data erased (with exceptions such as legal obligations).
Right to restriction – In certain cases, you may request restriction of processing (e.g. where you object or where there is inaccuracy).
Right to object – You may object to processing carried out on the basis of legitimate interest.
Right to data portability – Where processing is based on consent or contract, you may receive data in a structured format.
Right to object to automated decision-making – You have the right in certain cases not to be subject to automated decisions with legal consequences; Lerry.ai does not currently use such processing.
Right to withdraw consent – Where processing is based on consent, you may withdraw it at any time (e.g. cookies or camera access in the app).
Right to lodge a complaint – You may lodge a complaint with the relevant authority for privacy protection. We would appreciate the opportunity to resolve the matter if you contact us first.
Contact for rights and queries: [email protected]
If you have questions about this policy or our processing of personal data, or wish to delete or correct data, please contact us at [email protected].
| Purpose | Establish and provide the Services, invoice, manage accounts and licenses, communicate, document the contractual relationship, and analyze and improve the Services. |
|---|---|
| Personal data | Name, email, company name, reg. no., phone, address, country, login credentials, customer number, uploaded files/images, correspondence, user data, technical info (IP address, browser settings, device and log data). |
| Legal basis | Contract and legitimate interests. |
| Retention period | Throughout the entire contract period and 90 days after termination of the customer relationship, unless longer retention is required by law. |
| Recipients | Data processors/sub-processors for operations, storage and support. Authorities when we are required to disclose data. |
| Purpose | Develop and maintain business relationships, handle enquiries regarding services and products. |
|---|---|
| Personal data | Name, email, company name, reg. no., phone, address, title, correspondence, user data, technical info (IP address, browser settings, timestamps). |
| Legal basis | Legitimate interests |
| Retention period | For as long as the relationship is current; reviewed on an ongoing basis and upon deregistration or deletion request. |
| Recipients | Data processors/sub-processors for CRM and communications. |
| Purpose | Receive registrations, plan and carry out events, webinars and training courses, and inform about our activities. |
|---|---|
| Personal data | Name, email, company, phone, title. Photos and videos may be used for communications and marketing. |
| Legal basis | Legitimate interests. For photos/videos in marketing: legitimate interests; consent used when required. |
| Retention period | From registration to completion. Photos and videos may be processed for up to three (3) years after the event or pursuant to consent. |
| Recipients | Data processors/sub-processors for registration, broadcasting and distribution. |
| Purpose | Manage financial transactions in accounting and reporting and accounting, administer invoices and payments, report taxes. |
|---|---|
| Personal data | Name, email, address, company name, phone, billing details. |
| Legal basis | Legal obligation (Accounting Act, VAT Act). |
| Retention period | Seven (7) years from the end of the calendar year in which the financial year ended, or as required by applicable law. |
| Recipients | Data processors/sub-processors for accounting systems. Authorities (e.g. the tax agency) where required. |
| Purpose | Secure, exercise or defend legal claims. |
|---|---|
| Personal data | Name, contact details, company details, billing details and relevant case details. |
| Legal basis | Legitimate interests. |
| Retention period | For as long as necessary pursuant to statutes of limitation and to protect rights. |
| Recipients | Data processors/sub-processors (e.g. legal counsel). Authorities (e.g. the Police) where required. |
| Purpose | Website operation, security, analysis and marketing via cookies and similar technologies. |
|---|---|
| Personal data | Online identifiers (cookies, IP address), device and browser data, usage and log data. |
| Legal basis | Consent for non-essential cookies; legitimate interests for necessary and operational cookies. |
| Retention period | According to each cookie category and lifespan see cookie settings on the website. |
| Recipients | Suppliers for analysis, operations and advertising as described in the cookie information. |
| Purpose | Operation and improvement of the Services' AI features, quality assurance, traceability of AI output, and prevention of misuse and fraud. |
|---|---|
| Personal data | Aggregated and anonymized performance data, technical logs, and error analyses. No data is used to train basic models beyond what is necessary to provide the Services. |
| Legal basis | Legitimate interest. |
| Retention period | Aggregated data: unlimited. Technical logs linked to an individual: up to seven (7) days. |
| Recipients | Suppliers of AI models and cloud infrastructure (data processors/sub-processors). |