Privacy Policy
Last updated: April 3, 2026
1. Data Controller
The data controller for your personal data is Victor Berthelius, with tax ID (NIF) 54052380B, operating as a self-employed professional under the trade name Frihet, with fiscal address at C/ Cervera n9, Radazul 38109, S/C de Tenerife, Spain. You can contact us regarding data protection matters at [email protected].
2. Data We Collect
We collect the following types of data: Account data: name, email address, password (encrypted), company name, and tax details you provide when registering. Usage data: information about how you use the Service, including pages visited, features used, frequency of use, and configuration preferences. Payment data: your credit or debit card details are processed directly by Stripe; Frihet does not store full card numbers on its servers. Technical data: IP address, browser type, operating system, device identifiers, and connection data. Business data: information you store in Frihet as part of your business operations, including client and vendor records (names, email addresses, phone numbers, postal addresses), invoices, quotes, expenses, products, CRM contact persons, activity logs, notes, and financial summaries. This data is accessible via the Frihet web app, REST API, and MCP server based on your authentication credentials.
3. Legal Basis for Processing
We process your personal data on the following legal bases: Contractual performance (Art. 6(1)(b) GDPR): processing is necessary to provide the Service you have subscribed to. Consent (Art. 6(1)(a) GDPR): for sending marketing communications and newsletters, which you can withdraw at any time. Legitimate interest (Art. 6(1)(f) GDPR): for Service improvement, fraud prevention, and platform security. Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable tax and legal obligations.
4. Purposes of Processing
We use your data for the following purposes: providing and managing the contracted Service; processing payments and billing; communicating with you about your account, Service updates, and technical support; sending marketing communications (with prior consent); improving and personalizing the user experience; statistical and aggregated analysis of Service usage; complying with legal and tax obligations; detecting and preventing fraud and abuse.
5. Data Recipients
We share your data only with the following service providers, necessary for delivering the Service: Stripe (payment processing, based in the US, DPF certified). Firebase/Google Cloud (infrastructure and authentication, based in the US, DPF certified). Resend (transactional email delivery, based in the US). Google Analytics 4 (web analytics with cookies, activated only after explicit user consent, based in the US, DPF certified). Vercel Inc. (web hosting and cookieless analytics, based in the US). PostHog (product analytics, activated only after explicit user consent, based in the US). Umami (web analytics, self-hosted in the EU, cookieless, privacy-friendly). All providers have been selected to ensure they offer adequate security measures and comply with applicable data protection regulations. OpenAI (ChatGPT integration, only when you connect Frihet to ChatGPT; based in the US, DPF certified). Google Gemini (AI-powered features within Frihet such as document analysis and smart categorization; based in the US, DPF certified, governed by Google Cloud data processing terms).
6. International Transfers
Some of our service providers are located outside the European Economic Area, specifically in the United States. These transfers are made under: the EU-US Data Privacy Framework for certified providers; standard contractual clauses approved by the European Commission; or adequacy decisions by the European Commission, where applicable. You can request additional information about the safeguards applied to these transfers by writing to [email protected].
7. Data Retention Period
We retain your personal data for as long as necessary for the purposes for which it was collected: Account data and user content: for the duration of your account and up to 30 days after cancellation, to allow data export. Billing data: for the legally required period for tax compliance (currently 4 years under the Spanish General Tax Law). Usage and analytics data: in anonymized and aggregated form, without time limit. Marketing communications: until you withdraw your consent.
8. Your Rights
Under the GDPR and the Spanish LOPDGDD, you have the following rights: Access: know what personal data we process about you. Rectification: correct inaccurate or incomplete data. Erasure (right to be forgotten): request deletion of your data when it is no longer needed. Objection: object to the processing of your data in certain circumstances. Portability: receive your data in a structured, commonly used format (CSV, JSON). Restriction: request limitation of processing in certain cases. You can exercise these rights by sending an email to [email protected] with a copy of your identity document. We respond within a maximum of 30 days. You also have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es).
9. Cookies and Analytics
On frihet.io we use the following analytics tools: Umami (self-hosted in the EU, cookieless, no personally identifiable data, GDPR-compliant without requiring consent). Google Analytics 4 (uses tracking cookies, activated only after explicit user consent via our cookie banner). PostHog (product analytics, activated only after consent). Vercel Analytics and SpeedInsights (cookieless, anonymous performance metrics). When you first visit our website, a cookie consent banner is displayed. Tools that use cookies (GA4, PostHog) are only activated if you expressly accept. You can withdraw your consent at any time from the cookie settings. In our web application (app.frihet.io), we use local storage (localStorage) to save your language preferences and session, which is strictly necessary for the operation of the Service.
10. AI, API, and Developer Integrations
Frihet provides programmatic access to your business data through a REST API (api.frihet.io) and an MCP server (mcp.frihet.io) that can be used with AI assistants such as Claude, ChatGPT, Cursor, and other compatible tools. Data accessible via API and AI tools: When you or an authorized AI assistant connects to Frihet via API or MCP, the following data categories may be accessed based on your API key permissions: business profile information (company name, plan type); client and vendor contact data (names, email addresses, phone numbers, postal addresses); invoice and quote details (line items, amounts, dates, status); expense records (descriptions, amounts, categories); product catalog (names, prices); CRM data (contact persons, activity logs, notes); financial summaries (monthly revenue, expenses, profit); and webhook configurations (endpoint URLs, subscribed events). Data minimized in third-party AI integrations: When Frihet is accessed through third-party AI platforms (such as OpenAI ChatGPT), certain sensitive data categories are automatically excluded or redacted from tool responses. Specifically, government-issued tax identifiers (NIF, CIF, VAT numbers) and signing credentials are not transmitted through these integrations. Users who need to manage tax identifiers should use the Frihet web application directly at app.frihet.io. AI processing: Frihet uses Google Gemini for AI-powered features including document analysis, smart categorization, and business intelligence. Your business data processed by these AI features is not used to train AI models. Data sent to AI services is governed by our data processing agreements with the respective providers. OAuth and API authentication: API access requires authentication via API key (fri_ prefix) or OAuth 2.0 with PKCE. OAuth access tokens expire after 1 hour; refresh tokens after 30 days. Tokens can be revoked at any time from your Frihet account settings. No training on your data: Neither Frihet nor any of our AI service providers use your business data to train, fine-tune, or improve AI or machine learning models. Your data is processed solely to provide the requested service functionality.
11. Data Controller Contact
For any questions regarding the processing of your personal data or the exercise of your rights, you can contact the data controller at: [email protected]. Victor Berthelius, C/ Cervera n9, Radazul 38109, S/C de Tenerife, Spain. We are committed to addressing your requests with the utmost diligence and transparency.