Privacy & Cookie Policy

Last updated: 09/06/2025

1. Data Processed as Controller
1.1 Categories of Personal Data
1.2 Purposes and Legal Bases
1.3 Customer Consent Workflow
1.4 Data Retention
1.5 Information Received from Third-Party Controllers
2. Data Processed as Processor
2.1 Categories of Personal Data
2.2 Roles, Purposes & Legal Bases
2.3 Sub-processors & Transfers
2.4 Security & Encryption
2.5 Data Subject Requests & Breaches
2.6 Data Return & Deletion
3. Cookies and Similar Technologies
3.1 What Are Cookies?
3.2 Categories of Cookies
3.3 Cookie Banner & Consent
3.4 Managing Cookies
4. Your Rights
5. Contact & Updates

This Privacy & Cookie Policy ("Policy") describes how Anyscript Ltd and its affiliates ("Anyscript," "we," "us," or "our") collect, use, share, and protect personal data when you:
1. Access or use the Balabook platform or website ("Platform");
2. Interact with us as a Controller (e.g., when you sign up for a free trial or subscription); and
3. Interact with us as a Processor on behalf of our customers (e.g., accountants using Balabook to process financial and payroll data).

We distinguish three categories of processing:
- Data processed as Controller: personal data we collect and use in our capacity as a data controller, including customer registrations, marketing communications, and free-trial referrals.
- Data processed as Processor: personal data we process on behalf of our customers (accountancy firms) under a Data Processing Agreement ("DPA"), including bookkeeping, payroll, and bank-integration data.
- Cookies and similar technologies: data collected via cookies, pixels, and local storage to operate and enhance our Platform.


1. Data Processed as Controller

1.1 Categories of Personal Data
- Contact and identity data: name, email, phone, company name, job title.
- Account credentials: username, password hashes.
- Marketing and referral data: consent records, referral source, opt-in preferences.
- Usage data: log-ins, feature usage, IP address, device and browser information.

1.2 Purposes and Legal Bases


1.3 Customer Consent Workflow

We require our third-party partners and clients to obtain explicit, documented consent from their end-clients before we send free-trial invitations. Consent is logged in our CRM with timestamp, scope, and Policy version.

Liability Exemption: Anyscript relies on the validity of the consent obtained by the accountant. Anyscript shall not be liable for any loss, claim, or damage arising from an accountant’s failure to procure or document valid consent. The accountant agrees to indemnify, defend, and hold Anyscript harmless against any third-party claims, fines, or regulatory actions resulting from invalid or missing consent.

1.4 Data Retention

Logs are retained for one year after contract termination. Marketing data is retained for two years after termination, unless otherwise required by applicable law. Customer Data, as defined in our Terms of Service and DPA, is deleted 30 days after termination, unless a longer retention period is required by applicable law. Controller Data may be retained in accordance with the Controller’s written instructions, subject to applicable legal requirements.

Notwithstanding the above, if required by EU and/or Cyprus law, we may retain any relevant data for up to 7 years following termination for legal, tax, or regulatory compliance or other purposes.

1.5 Information Received from Third-Party Controllers

When Anyscript receives personal data from a third party (e.g., an accountant or other service provider) rather than directly from you, we are required under Article 14 GDPR to inform you of the following information if not already provided:
- The categories of personal data received
- The source of the data (the Controller name and contact details)
- The purposes and legal bases for our processing (as set out in Section 1.2)
- Your rights under the GDPR (as set out in Section 4)
- Any recipients or categories of recipients of the data
- The retention period or criteria for determining the retention period

We will provide this information to you within one month of receiving your data, unless you were already informed by the original Controller or one of the exceptions in Article 14(5) GDPR applies.


2. Data Processed as Processor

2.1 Categories of Personal Data
- Financial transactions: invoices, expenses, payments.
- Payroll and HR data: employee names, national identifiers, salaries, bank account details.
- Bank-integration data: transaction history, account balances (via GoCardless, banks).

2.2 Roles, Purposes & Legal Bases


2.3 Sub-processors & Transfers

All sub-processors used (including AI model providers, Cloudflare and GoCardless) are listed in Sections 4 and 6 of our DPA. Cross-border transfers rely on Standard Contractual Clauses (SCCs) and supplementary measures.

Note: Some of the processing may be performed by our sub-processor, Cloudflare, whose servers may reside outside the EEA. We rely on Standard Contractual Clauses and supplementary measures (encryption, minimal data retention) to safeguard any transfer.

2.4 Security & Encryption

We implement technical and organizational measures per Art 32 GDPR, including encryption at rest and in transit, MFA, access controls, audit logs, and data segregation for special-category data. For the purposes of this service, the special-category data protected under Art 9 GDPR encompasses “salary details” and “national identifiers”.

2.5 Data Subject Requests & Breaches

As Processor, we will notify Customers of any personal data breach within 24 hours. We assist Customers with DSARs under Art 28(3)(e) GDPR.

2.6 Data Return & Deletion

Upon contract termination, we securely delete or return Customer Data within 30 days and provide certification of deletion.


3. Cookies and Similar Technologies

3.1 What Are Cookies?
Cookies are small text files placed on your device to store information about your activity.

3.2 Categories of Cookies


3.3 Cookie Banner & Consent

On first visit, a banner prompts:

We use cookies
We and our partners use cookies and similar technologies to personalize content, analyze site traffic, and deliver targeted ads. By selecting ‘Accept all’ or ‘Reject non-essential’, you consent to our use of cookies as described below.

[Accept all] [Reject non-essential] [Cookie preferences]

Read our Privacy & Cookie Policy to learn more.

Only strictly necessary cookies are set before consent. All other cookies deploy only after active opt-in. Consent is logged with category, timestamp, and Policy version.

3.4 Managing Cookies

You may change or withdraw consent via the "Cookie preferences" link in the website footer. You can also delete or block cookies via your browser settings.


4. Your Rights

Under the GDPR, you have the right to access, rectify, erase, restrict, or port your personal data, as well as to object to processing or withdraw consent. To exercise these rights, contact us at privacy@balabook.com.

5. Contact & Updates

If you have questions or complaints, contact our Data Protection Officer at dpo@balabook.com. We may update this Policy; we will post changes with a new "Last updated" date.

If you consider that our processing infringes the GDPR, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus (https://www.dataprotection.gov.cy).
This Policy is available in English; a Greek translation will be provided upon request.

Anyscript Ltd.

Address: Spyrou Kyprianou 40, Economides House, 2nd Floor, 3076 Limassol, Cyprus.

Email: privacy@balabook.com
Website: https://www.balabook.com