Privacy Policy

Last updated: March 2026

1. Introduction and Who We Are

This Privacy Policy explains how Rune Labs SAS, a company registered in France, collects and processes your personal data when you use Monquiro, our AI-powered accounting assistant.

Rune Labs SAS acts as the data controller for the processing activities described in this policy, unless stated otherwise for specific integrations.

This policy applies to the Monquiro web application, related support interactions, and connected features such as Google OAuth, Gmail invoice scanning, Pennylane synchronization, and billing.

We process data under Regulation (EU) 2016/679 (GDPR) and applicable French law, including the Loi Informatique et Libertés.

2. Definitions

For this policy, the following terms have these meanings:

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data, including collection, storage, use, transmission, or deletion.
  • Data Controller: the entity that determines why and how personal data is processed. For Monquiro, this is Rune Labs SAS.
  • Data Processor: a third party that processes personal data on behalf of the data controller.
  • Data Subject: the individual whose personal data is processed.
  • GDPR: Regulation (EU) 2016/679.
  • Service: the Monquiro application and related features operated by Rune Labs SAS.
  • User: any person who creates an account, connects integrations, or otherwise uses the Service.
  • Cookies: small text files placed on your device to support session and product functionality.

3. Data We Collect

We collect the following categories of personal data depending on how you use Monquiro:

  • Account Data: name and email address received through Google OAuth.
  • Email Data: email metadata and attachments identified as invoices, accessed in read-only mode through the Gmail API when authorized by you.
  • Financial Document Data: vendor names, invoice totals, dates, categories, and tax information extracted by AI from uploaded files or Gmail attachments.
  • Chat Data: prompts and responses exchanged with the Monquiro assistant.
  • Integration Credentials: encrypted credentials such as Pennylane API keys.
  • Usage Data: pages visited, features used, and timestamps tied to your account activity.
  • Technical Data: IP address, browser type, and device metadata needed for secure operation.
  • Billing Data: subscription plan details and payment status or dates. Full payment card numbers are processed by Stripe and are not stored by us.

4. How We Collect Your Data

We collect personal data directly from you when you create an account, send chat messages, upload documents, configure integrations, or contact support.

We collect usage and technical data automatically through session mechanisms and service logs needed to operate and secure the platform.

We also receive data from third parties you choose to connect, such as profile information from Google OAuth and payment confirmations from Stripe.

5. Legal Bases for Processing (GDPR Article 6)

We process personal data only when a valid legal basis applies under Article 6 GDPR:

  • Contract performance: account provisioning, authentication, invoice scanning, document analysis, chat assistance, and requested integrations.
  • Legitimate interests: service security, abuse detection, fraud prevention, diagnostics, and product improvement that does not override your rights.
  • Consent: Gmail access scopes granted via OAuth and any optional communications that require consent.
  • Legal obligation: compliance with accounting, tax, and record-keeping requirements under applicable law.

6. How We Use Your Data

We use personal data to deliver and operate Monquiro, including to:

  • Authenticate users and maintain account security.
  • Scan invoices and receipts from authorized Gmail sources or uploaded files.
  • Extract and structure accounting data using AI models.
  • Synchronize invoice and accounting information with Pennylane when you connect it.
  • Provide AI chat assistance for bookkeeping and accounting workflows.
  • Manage subscriptions, invoicing, and billing administration.
  • Improve reliability, monitor performance, and prevent abuse.
  • Comply with legal and regulatory obligations.

7. Google API Services User Data Disclosure

Monquiro connects to Google services only after you explicitly authorize OAuth permissions.

Monquiro's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Gmail data only to detect and process invoices at your explicit request.
  • We do not use Gmail data for advertising purposes.
  • We do not sell Gmail data to third parties.
  • We do not allow humans to read Gmail data except with your explicit consent, when necessary for security or abuse investigations, or when required by law.
  • We do not transfer Gmail data except as needed to provide the service you requested.

8. Data Sharing and Third-Party Processors

We share personal data only with processors needed to provide Monquiro and only under appropriate contractual and legal safeguards.

We require all processors to comply with GDPR and we maintain data processing agreements with relevant providers.

  • Google LLC (United States): OAuth authentication and Gmail API access. Transfers are protected by Standard Contractual Clauses and other applicable safeguards.
  • Mistral AI (France): AI processing of invoice text and chat messages. Processing is limited to service delivery and data is not retained beyond request handling.
  • Pennylane SAS (France): accounting synchronization, only when you connect your Pennylane account.
  • Stripe Inc. (United States): payment processing and subscription administration.

9. International Data Transfers

Monquiro infrastructure is primarily hosted and processed within the European Union, including our PostgreSQL data storage.

When data is transferred outside the EU, including to United States-based providers such as Google and Stripe, we rely on recognized transfer mechanisms such as the EU-US Data Privacy Framework where available and Standard Contractual Clauses.

Mistral AI and Pennylane are based in France, so their standard processing for Monquiro does not require international transfer outside the EU.

10. Data Retention

We apply the following retention periods:

  • Account data: kept while your account is active, then deleted within 30 days after account deletion.
  • Invoice and financial document data: kept while your account is active.
  • Chat history: kept while your account is active.
  • Usage and technical logs: retained for up to 12 months.
  • Billing and accounting records: retained for 10 years to satisfy French legal obligations.
  • Integration credentials: deleted immediately when you disconnect the integration.
  • After account deletion, personal data is permanently removed within 30 days except where a longer retention period is required by law.

11. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.

If a personal data breach occurs, we notify CNIL within 72 hours when required under GDPR Article 33 and notify affected users without undue delay when Article 34 applies.

  • Encryption at rest for sensitive credentials using AES-256-GCM.
  • Encryption in transit using HTTPS and TLS 1.2 or higher.
  • Access control mechanisms and authenticated administrative access.
  • Regular security reviews and monitoring.
  • Secure development and deployment practices.
  • Incident response procedures and access logging.

12. Your Rights Under GDPR (Articles 15-22)

Subject to applicable conditions, you have the right to:

  • Access your personal data (Article 15).
  • Rectify inaccurate or incomplete data (Article 16).
  • Request erasure of your data (Article 17).
  • Restrict processing in certain situations (Article 18).
  • Receive your data in portable form (Article 20).
  • Object to specific processing activities (Article 21).
  • Not be subject to decisions based solely on automated processing with legal or similarly significant effects (Article 22).
  • Withdraw consent at any time where processing relies on consent (Article 7).
  • Lodge a complaint with CNIL.

To exercise your rights, contact us at contact@monquiro.com. We respond within 30 days, unless a lawful extension applies.

We may request reasonable identity verification before fulfilling rights requests to protect your data.

13. Cookies and Tracking

Monquiro uses essential session cookies required for authentication and secure operation of the service.

We also use localStorage for product preferences such as selected language or interface settings.

We do not use advertising cookies, third-party analytics trackers, or cross-site behavioral profiling. Cookie practices are aligned with the ePrivacy framework and applicable French guidance.

14. Children's Privacy

Monquiro is not intended for children under 16 years of age.

We do not knowingly collect personal data from children under 16. If we become aware that such data has been collected, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes.

When we make material changes, we will update the Last updated date and provide notice by email or in-app notification at least 30 days before the changes take effect where required.

16. Supervisory Authority

You have the right to lodge a complaint with the French supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.

Website: www.cnil.fr.

17. Contact Us

For any privacy or data protection request, contact: contact@monquiro.com.

Data Controller: Rune Labs SAS, 254 rue Vendôme, 69003 Lyon, France.