This Privacy Policy explains how Trivis OÜ (registry code 17531204, Estonia) collects, uses, and protects information when you use Trivis — our cloud-based ERP and business-management software, including the Trivis MCP connector for AI assistants.


1 What data we process

When your organisation uses Trivis, we store the following categories of data in your organisation's isolated account:

  • Organisation profile — name, address, VAT number, registry code, contact details
  • Contacts — customers and suppliers: legal name, address, registration codes, email, phone
  • Financial documents — sales invoices, purchase invoices, payments, journal entries, bank statements
  • User accounts — email address, name, hashed password or OAuth provider identifier, role
  • API keys — name, scope, expiry; the secret is stored only as a SHA-256 hash and is never retrievable
  • Audit logs — timestamped record of every data mutation, cryptographically chained

2 Trivis MCP — AI connector

Trivis provides a Model Context Protocol (MCP) server at https://ai-api.trivis.ee/mcp that allows AI assistants (such as Claude.ai) to read and write your organisation's accounting data on your behalf.

When you connect an AI client to Trivis via MCP:

  • You authenticate directly at login.trivis.ee; Trivis issues a short-lived OAuth 2.0 JWT scoped to either mcp:read or mcp:write
  • The AI assistant uses this token to call Trivis tools (list invoices, create contacts, etc.) on your behalf
  • Only your accounting data within Trivis is accessible — the AI cannot reach any other system or organisation
  • Trivis does not receive or store the content of your conversations with the AI assistant
  • Write operations that are flagged as requiring approval create a pending approval request that an administrator must confirm in Trivis before the action executes

You can revoke MCP access at any time by revoking the OAuth session or the API key in Settings → AI & Integrations.

3 Legal basis for processing

We process your data on the basis of the contract for use of Trivis services (GDPR Art. 6(1)(b)) and, where applicable, our legitimate interests in operating a secure and reliable service (Art. 6(1)(f)). Audit log data is retained to meet accounting and legal compliance obligations (Art. 6(1)(c)).

4 Third-party AI providers

When you use the Trivis built-in AI chat feature, your prompts and relevant excerpts of your accounting data are sent to your configured AI provider (Anthropic or OpenAI) for processing. These providers act as data processors under Data Processing Agreements and process data under their own privacy policies. Trivis does not store AI conversation content beyond the active session.

The Trivis MCP connector itself does not send any data to AI providers — the AI client calls Trivis tools and receives structured data responses directly.

5 Data storage and security

  • Each organisation's data is stored in an isolated PostgreSQL schema — no cross-tenant data access is possible at the database level
  • All traffic is encrypted in transit (TLS 1.2+)
  • API key secrets are hashed with SHA-256 and are never stored in plaintext or retrievable after creation
  • OAuth tokens are short-lived signed JWTs; refresh tokens are single-use
  • We do not sell, rent, or share your financial data with third parties for marketing or any other purpose

6 Data retention

We retain your data for as long as your account is active. Accounting records (invoices, journal entries, audit logs) are subject to the statutory retention period required by Estonian accounting law (7 years from the end of the financial year). You may request deletion of non-statutory personal data at any time.

7 Your rights

Under the General Data Protection Regulation (GDPR) you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase personal data that is no longer necessary (subject to legal retention obligations)
  • Restrict or object to processing
  • Receive your data in a structured, machine-readable format (data portability)
  • Lodge a complaint with the Estonian Data Protection Inspectorate (AKI)

To exercise any of these rights, contact us at info@trivis.ee. We will respond within 30 days.

8 Cookies

Trivis keeps its use of cookies to a minimum:

  • Authentication — once you log in, Trivis stores a signed JWT session cookie containing your organisation ID and user identification. It is strictly necessary to keep you securely signed in to the application
  • Language preference — a lang cookie remembers your chosen language. We may add a similar preference cookie for light/dark theme in the future
  • Analytics — Google Analytics is used on the marketing site (trivis.ee) to measure page visits. This is the only third-party tracking tool we use; you can opt out via your browser's Do Not Track setting or a browser extension

We set no advertising cookies and no other third-party tracking cookies, and we do not sell any data collected through cookies.

9 Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to account holders or by a notice in the Trivis application. The effective date at the top of this page reflects the latest revision.

10 Contact

Trivis OÜ
Registry code 17531204, Tallinn, Estonia
Email: info@trivis.ee
Phone: +372 5223392