PRIVACY

Your data. Your rules.

Trase is built around one principle: we never see more than we need. Here is the full privacy policy.

Effective: 12 April 2026

1. Who is the data controller?

Bixel Ventures
CVR: 44897431
Email: hello@trase.work

Bixel Ventures is the data controller for the processing of personal data we receive about you as a user of Trase. If you have questions about our processing of your data, please do not hesitate to write to us.

Supervisory authority: Datatilsynet (the Danish Data Protection Authority).

2. What personal data do we process?

We only process data that is necessary to deliver the service:

Account information

  • Email address (from login via email or Google OAuth)
  • Name (if you provide it in your profile)
  • CVR number (if you provide it for billing)

Financial data

  • Bank statement (CSV): You upload your own bank statement. It contains transaction data (date, amount, vendor name). We use it to match transactions with vendors via AI Mapper. We do not access your bank account directly.
  • Invoice PDFs: Receipts that AI Fetcher retrieves from your vendor portals. Stored encrypted in your Cloud Vault.
  • Vendor mapping: Which vendors match your transactions, portal URLs and navigation information used by our AI agent.

Chrome Extension data

  • Session cookies: Session Keeper reads portal cookies to keep your logins active. Cookies stay in your browser — they are not sent to our servers.
  • Screenshots: During a retrieval, AI Fetcher takes screenshots of portal pages to navigate. These are used only in real time and are not stored permanently.

Payment data

  • Payments are handled by Stripe. We store your Stripe customer ID and subscription status. We never see your card number.

Usage and technical data

  • Analytics: Anonymised page views and usage patterns via PostHog (with your consent only).
  • Error reports: Technical error data via Sentry to improve stability.
  • Metadata: Number of retrievals, success/failure status and API costs (for billing and service improvement). Never receipt content.

3. What we never see

Transparency is also about what we do not do:

  • Your passwords. AI Fetcher rides on your existing Chrome session. We never see login credentials.
  • Your bank logins. We only handle CSV bank statements. Never account numbers, NemID/MitID or bank logins.
  • Your browsing history. We do not log which pages you visit.
  • Your content outside invoices. AI Fetcher navigates only to invoice pages on the portal.
  • Selling or sharing data. We never sell or share personal data with advertisers.
  • AI training with your data. Your data is used solely to fetch your receipts — never to train AI models.

4. Purposes and legal basis

We process your personal data for the following purposes and legal bases (cf. GDPR Article 6):

Contract performance (Art. 6(1)(b))

  • Creating and operating your account
  • Delivering receipt retrieval via AI Fetcher
  • AI Mapper matching of transactions to vendors
  • Storing receipts in Cloud Vault
  • Processing payments via Stripe

Legitimate interest (Art. 6(1)(f))

  • Error tracking and stability improvement via Sentry
  • Prevention of misuse and security management
  • Communication about important changes to the service

Consent (Art. 6(1)(a))

  • Analytics cookies via PostHog (you can withdraw consent at any time)
  • Newsletters and product updates (if you subscribe)

Legal obligation (Art. 6(1)(c))

  • Retention of billing and accounting data as required by Danish bookkeeping law (Bogføringsloven).

5. How the AI agent works

Trase uses a Cloud Computer Use Agent (CUA) to retrieve receipts from vendor portals. Here is what happens:

  1. You upload your bank statement (CSV) — we identify which vendors you have transactions with.
  2. AI Mapper automatically matches each transaction to the correct vendor and their invoice portal. The result is a suggestion — you always review and approve it yourself.
  3. When you start a retrieval, AI Fetcher navigates the portal (via screenshots and clicks) to find and download your receipt.
  4. The receipt is stored encrypted in your Cloud Vault in Supabase.

AI Fetcher runs in a sandboxed browser session via your Chrome Extension. It has no memory between sessions and cannot access data from other users. Each retrieval is a fresh session with your portal cookies.

6. Automated decision-making

Trase uses AI for two purposes:

  • AI Mapper automatically matches transactions on your bank statement to vendors. The result is a suggestion — you always review and approve it yourself.
  • AI Fetcher autonomously navigates vendor portals to retrieve receipts. It makes no legally binding decisions on your behalf.

Neither of these processes has legal effects or significantly affects you within the meaning of GDPR Article 22. You always have full control over the outcome.

7. Who do we share data with?

We only share personal data with third parties that are necessary to deliver the service. All sub-processors are subject to contractual data protection obligations.

VendorPurposeLocation
SupabaseDatabase, file storage, authenticationEU (Frankfurt)
VercelHosting of web app and marketing siteEU/Global (edge network)
Anthropic (Claude)AI processing (CUA navigation and vendor matching)US (data not stored)
StripePayment processingEU/US
ResendTransactional emailsUS
PostHogProduct analytics (with consent only)EU
SentryError tracking and crash reportsEU/US

The full sub-processor list with security measures is available on request.

8. Transfers to countries outside the EU/EEA

Certain sub-processors (Anthropic, Stripe, Resend, Sentry) process data in the USA. The transfer is based on:

  • EU-US Data Privacy Framework (adequacy decision from the European Commission, July 2023) for vendors certified under the DPF.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by a risk assessment.

Your primary data (database, files, auth) is stored in the EU (Frankfurt) with Supabase. AI calls to Anthropic send only the minimum data necessary to complete the retrieval — never your entire account.

9. How long do we retain your data?

Data typeRetention periodReason
Account informationUntil you delete your accountNecessary for service operation
Receipts (PDFs) in Cloud VaultUntil you delete them, or 5 yearsDanish bookkeeping law (Bogføringsloven §10)
Bank statements (CSV)Processed and deleted after 30 daysUsed only for vendor matching
Transaction metadataUntil account deletionOverview and history
Billing data5 yearsDanish bookkeeping law (Bogføringsloven)
Analytics data26 monthsPostHog default
Error reports (Sentry)90 daysDebugging

On account deletion, all your data is deleted within 30 days. Receipts you have retrieved may be subject to bookkeeping law retention requirements — it is your responsibility to ensure compliance.

10. Your rights under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): You can obtain a copy of all personal data we process about you.
  • Right to rectification (Art. 16): You can have inaccurate data corrected.
  • Right to erasure (Art. 17): You can delete all your data with one click in Settings, or by writing to us.
  • Right to restriction (Art. 18): You can request that we restrict the processing of your data.
  • Right to data portability (Art. 20): You can export your data in a machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest.
  • Right to withdraw consent: Consent to analytics cookies can be withdrawn at any time in Settings.

11. How to exercise your rights

You can exercise your rights in two ways:

  • In the app: Go to Settings for one-click deletion, data export and cookie preferences.
  • Via email: Write to hello@trase.work. We will respond within 30 days (as required by GDPR) — typically within 24 hours.

12. Complaint to the supervisory authority

If you believe we are not processing your personal data correctly, you have the right to lodge a complaint with:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Phone: 33 19 32 00
Email: dt@datatilsynet.dk
Web: datatilsynet.dk

13. Security measures

  • Encryption in transit: All connections are encrypted with TLS 1.3.
  • EU infrastructure: Primary data is stored with Supabase, Frankfurt region. Data is encrypted at rest.
  • Row-level security: At the database level — only you can access your own data.
  • SHA-256 deduplication: Receipts are verified with a cryptographic hash to avoid duplicates.
  • Encrypted secrets: API keys are stored as encrypted secrets — never in client-side code.
  • No credential storage: We never see your passwords. AI Fetcher rides on your existing Chrome session.
  • Breach notification: We notify affected users and Datatilsynet within 72 hours of discovering a data breach.
  • One-click deletion: All data can be permanently deleted from Settings.

14. Cookies

We use a minimum of cookies. Read the full cookie policy at trase.work/cookie.

15. Changes to this policy

We may update this privacy policy when necessary. For significant changes, we will notify you by email at least 30 days before they take effect. The current version is always available on this page with the date of the last update.

17. Contact

Questions about the privacy policy or your data?

Bixel Ventures
CVR: 44897431
Email: hello@trase.work
We typically respond within 24 hours.