Privacy Policy.

ChaseDesk is operated by Hollerlabs Technologies Private Limited (“Hollerlabs”, “we”, “us”, “our”).

Effective: 6 May 2026
Last updated: 6 May 2026

This policy explains what data ChaseDesk collects, why we collect it, how we use it, and your rights over it. If you have questions, email us at privacy@chasedesk.io.

1. Who this policy covers

ChaseDesk has two kinds of users:

  • Firms: bookkeepers and accounting practices who sign up for an account and use ChaseDesk to chase their own clients.
  • SMB clients: the small businesses our Firm customers chase. They typically interact with us via a magic upload link and never create an account.

For data uploaded or synced through ChaseDesk on behalf of a Firm’s clients, the Firm is the data controller and Hollerlabs is the data processor. Our processing activities are governed by our Terms of Service and any applicable Data Processing Addendum.

2. What we collect

From Firms

  • Account details: firm name, owner email, branding assets, time zone.
  • Authentication: hashed credentials managed by our auth provider (Supabase Auth); we never see plaintext passwords.
  • Billing data: Stripe customer ID, plan, status, invoice history. Card details are stored by Stripe. We do not store card numbers.
  • Connected ledger data: Xero (and in future, QuickBooks Online) OAuth tokens, encrypted at rest with AES-256-GCM before being written to our database.
  • Usage logs: actions taken in the app for security and abuse-detection purposes.

From SMB clients (the people Firms chase)

  • Contact details synced from the Firm’s connected Xero organisation: name, email, phone, business name.
  • Documents uploaded via the magic-link client portal, email, or SMS reply: receipts, invoices, bank statements, and the metadata extracted from them by our AI.
  • Delivery and engagement metadata for chase messages we send on the Firm’s behalf (sent / delivered / opened / replied).

From your browser

  • Strictly-necessary cookies for authentication and CSRF protection.
  • Privacy-respecting product analytics (PostHog, EU-region) to understand which features are used. We do not use third-party advertising trackers.
  • Server-side error reports (Sentry), with PII scrubbed before transmission.

3. How we use it

  • Provide the service: chase clients, extract documents, categorize transactions, push records to Xero.
  • Improve the service: aggregate, de-identified metrics on extraction accuracy and chase response rates. We do not train third-party AI models on your customer documents.
  • Billing: charge for plan usage and overages, send invoices.
  • Security: detect abuse, prevent fraud, comply with our legal obligations.
  • Lifecycle email: trial reminders, onboarding tips, occasional product announcements (you can opt out at any time).

4. Legal bases (for users in the UK / EU)

  • Contract: to deliver the service you signed up for.
  • Legitimate interests: product security, abuse prevention, and improving the service. We balance these against your rights.
  • Consent: for non-essential cookies and marketing emails (always optional, always revocable).
  • Legal obligation: for tax, accounting, and other statutory record-keeping.

5. AI processing

Documents uploaded to ChaseDesk are processed by AI services (currently Mindee for receipt OCR and Anthropic Claude for fallback extraction and categorization). These processors are bound by data-processing agreements that prohibit them from training their models on your content.

Every AI output is validated against a strict schema before any side effect (e.g. posting to Xero) is taken. AI never directly drives a ledger write. Categorization is constrained to existing accounts in the Firm’s chart of accounts.

6. Sub-processors

We rely on the following third parties to operate ChaseDesk:

  • Supabase: Postgres database, authentication, file storage.
  • Vercel: application hosting.
  • Trigger.dev: background workers.
  • Stripe: payment processing.
  • Postmark: transactional email and inbound parsing.
  • Twilio (and 360dialog for India WhatsApp): SMS and WhatsApp messaging.
  • Mindee: receipt OCR.
  • Anthropic: large language model extraction and categorization.
  • OpenAI: embeddings for similarity search.
  • Sentry: error monitoring (with PII scrubbing).
  • PostHog: product analytics.
  • Better Stack: log retention.
  • Upstash: rate limit data store.

We will give reasonable advance notice of new sub-processors via this page or by email to account owners.

7. International transfers

Hollerlabs is incorporated in India. Our infrastructure is operated primarily in the United States and the European Union. When personal data crosses borders, we rely on Standard Contractual Clauses (or the UK equivalent) and apply technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256-GCM).

8. Retention

  • Account data is retained for the lifetime of your account.
  • On cancellation, your firm’s data is retained for 30 days so you can export what you need, then permanently deleted from primary storage.
  • Backups are kept for up to 35 days and overwritten on rolling schedules. Deletion from backups is best-effort and propagates within that window.
  • Audit and security logs are retained for up to 12 months, then purged.
  • Invoicing records are retained for the duration required by applicable tax law (typically 7 years).

9. Security

  • All traffic is encrypted in transit using TLS 1.2 or higher.
  • OAuth tokens and other secrets are encrypted at rest with AES-256-GCM using keys we hold separately from our database.
  • Magic-link upload tokens are hashed with SHA-256. We never store them in plaintext.
  • Multi-tenant isolation is enforced at the database layer (row-level security) and the application layer (every query is firm-scoped).
  • Tier 0 and tier 1 data (raw documents, message bodies, tokens) is never logged.
  • We never sell your data, and we never use it for advertising.

10. Your rights

Depending on where you live, you may have rights to access, correct, port, delete, or restrict processing of your personal data, and to object to certain processing. Firm administrators can exercise these rights for end users via in-app tools or by contacting us; SMB clients can contact the Firm that uploaded their data, or us directly if the Firm is unreachable.

To make a request, email privacy@chasedesk.io. We respond within 30 days.

11. Children

ChaseDesk is a B2B product not directed at anyone under 16. We do not knowingly collect data from children. If you believe a child has shared personal data with us, contact us and we will delete it.

12. Changes

We may update this policy from time to time. Material changes are announced by email to account owners at least 30 days before they take effect. The current version is always available at this URL with the “Last updated” date.

13. Contact

Email: privacy@chasedesk.io
Address: Hollerlabs Technologies Private Limited, Bangalore, Karnataka, India

See also our Terms of Service and Refund Policy.