Privacy Policy

Last updated: 2026-05-22

Company: Pacium ("Pacium", "we", "us", or "our")
Service: AI-powered email client and assistant for accounting firms
Website: https://pacium.com

1. Introduction

Pacium is a SaaS email client and AI assistant designed for accounting firms in the European Economic Area. This policy sets out, in plain terms, the personal data we handle when a firm and its staff use the Service, why we hold it, how we keep it safe, and what choices you have.

It applies to the marketing site at pacium.com, the product application, the desktop client, and any related features. The Service is built for professional users; it is not intended for or directed at children.

2. Definitions

  • "Personal Data" carries the meaning given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"): any information relating to an identified or identifiable natural person.
  • "Processing" means any operation we perform on Personal Data, from collection through storage to deletion.
  • "Service" refers collectively to the Pacium application, the marketing site, the desktop app, the integrations, and the APIs we expose.
  • "User" is an individual whom an accounting firm authorises to sign in to Pacium.
  • "Controller" and "Processor" carry the meanings given in GDPR. For mailbox content and the firm's client records the firm is the Controller and Pacium is the Processor acting on the firm's instructions. For the limited business data we hold about firm administrators, billing contacts, and website visitors, Pacium is the Controller.
  • "Mailbox Data" is the email, calendar, and attachment information a User authorises Pacium to read after connecting Microsoft Outlook or Gmail through OAuth.

3. What data we collect

3.1 Data you provide

When a firm signs up, configures the product, or contacts us, we receive:

  • Name and work email address
  • Firm name, role within the firm, and team membership
  • Authentication identifiers such as OAuth tokens and MFA factors
  • Billing and payment details, handled on our behalf by Stripe
  • The content of support requests and other messages you send us
  • Anything else you choose to upload or share through the Service

3.2 Mailbox data (authorised through OAuth)

Mailbox Data is only fetched after a User connects their Microsoft Outlook or Gmail account through OAuth and grants the specific scopes shown at the consent screen. Those scopes give Pacium read and, where the User keeps a generated draft, write access to:

  • Email content and attachments
  • Message metadata such as sender, recipient, subject, timestamps, and thread structure
  • Drafts Pacium generates and the User chooses to keep
  • Where enabled, calendar events and metadata

Mailbox Data is required for the assistant features to work. Pacium does not enrich contacts and does not pull external data about the firm's clients.

3.3 Usage data

As Users work in Pacium we record the technical signals we need to keep the Service running and secure and to improve it:

  • Logins and timestamps
  • Device and browser information
  • IP address
  • Session and performance metrics
  • Feature usage
  • Error diagnostics

Inside the product application this telemetry is processed by PostHog EU and is tied to authenticated sessions; no third-party advertising trackers are loaded on the product domain.

4. How we use personal data

The processing we carry out falls into these purposes:

  • Running the Service: provisioning accounts, syncing mailboxes, and routing AI workflows
  • Generating drafts, classifications, summaries, knowledge extractions, and retrieval-augmented answers for the User to review
  • Operating and improving the platform: monitoring performance, fixing bugs, and shaping the roadmap
  • Keeping the Service safe: detecting abuse, fraud, and security incidents
  • Providing support to firm administrators and Users
  • Sending you product and security notices about the account
  • Meeting our legal and regulatory obligations

Mailbox content, client records, and other Customer Data are never used to train foundation AI models.

For Users and visitors in the EEA or the UK each processing activity rests on one of the lawful bases set out in GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) for delivering the Service to the firm
  • Legitimate interests (Art. 6(1)(f)) for security, abuse prevention, and product analytics that improve the platform
  • Consent (Art. 6(1)(a)) for OAuth access to Outlook or Gmail, for non-essential cookies on the marketing site, and for optional marketing communications
  • Compliance with legal obligations (Art. 6(1)(c)), including applicable EU and national accounting and anti-money-laundering legislation

6. Sharing personal data

Personal Data leaves Pacium's environment only in a small number of well-defined situations:

  • To sub-processors that help us deliver the Service (hosting, database, analytics, AI inference, payment processing)
  • To the firm and its administrators when Users work in a shared workspace
  • To legal or regulatory authorities where disclosure is required by applicable law or court order
  • To an acquirer or successor in the event of a merger, acquisition, or asset transfer, subject to the same protections
  • To anyone else only with the relevant User's explicit consent at the moment of the action

Personal Data is not sold, rented, or made available for third-party advertising under any circumstances.

7. Sub-processors

The companies that process Customer Data on our behalf, with their purpose, location, and a link to each provider's DPA, are published on the sub-processor page. The list is updated before any new sub-processor begins processing Customer Data, and firm administrators are notified of material additions.

8. International transfers

Pacium operates from the EU and the bulk of processing takes place inside the EEA: Convex on aws-eu-west-1, Vercel functions pinned to fra1, AWS Bedrock and Google Vertex AI in EU regions, and PostHog EU Cloud.

Where Personal Data does leave the EEA or the UK, transfers rely on:

  • The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
  • The UK International Data Transfer Addendum
  • Any other legally recognised mechanism, supplemented by appropriate technical and organisational measures

All current sub-processors process within the EEA. If a provider outside the EEA is added, we update the sub-processor page and rely on the safeguards above.

9. Data retention

Personal Data is kept only for as long as it is needed to run the Service, meet legal obligations, resolve disputes, and enforce agreements. Concretely:

  • Mailbox Data and the firm's client records: deleted on account closure after a 30-day grace period for recovery
  • Financial and accounting records subject to applicable EU and national accounting directives: retained for 7 years
  • Anti-money-laundering records subject to applicable EU and national legislation: retained for 10 years from the end of the business relationship
  • Operational logs and security telemetry: up to 90 days, longer if tied to an active incident

Once a retention period expires, the underlying data is deleted or anonymised so it can no longer be linked to an individual.

10. Security

The technical and organisational measures we apply under GDPR Article 32 include:

  • AES-256 encryption at rest and TLS 1.3 in transit
  • Tenant isolation enforced by organisation-scoped access controls
  • Encrypted OAuth access and refresh tokens, with key rotation
  • Role-based access control (owner, admin, member) and mandatory multi-factor authentication for Pacium staff
  • Centralised logging, anomaly detection, and rate limiting on public endpoints
  • Documented incident response procedures, post-incident reviews, and regular security reviews
  • Background-checked personnel bound by confidentiality, mirroring EU professional secrecy obligations

No system can be made absolutely secure, so we cannot guarantee perfect protection, but we treat every reported issue as a priority.

11. Breach notification

If we become aware of a personal data breach affecting the firm's data we notify the firm without undue delay and in any event within 48 hours, with the information required by GDPR Article 33: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

Where the breach concerns Personal Data for which we are the Controller, we also notify the competent supervisory authority within 72 hours where the breach is notifiable, and we inform affected data subjects directly when the risk to them is high. Where information is incomplete at first notification we provide phased updates as facts develop.

12. Cookies and tracking

The product domain (app.pacium.com) uses a small set of first-party cookies that are strictly necessary for authentication, session management, and security. Product analytics on that domain are processed by PostHog EU and tied to authenticated sessions; no third-party advertising trackers are loaded there.

The marketing site (pacium.com) may use additional measurement and conversion tools. Where those tools require consent under the ePrivacy Directive and applicable national implementations, the cookie banner asks for it before they load. You can withdraw or update your consent at any time through the cookie preferences link in the marketing site footer.

13. Your rights

Subject to the conditions in GDPR Chapter III, you have the right to:

  • Access the Personal Data we hold about you
  • Have inaccuracies corrected
  • Have your data erased, subject to legal retention obligations
  • Receive your data in a portable, machine-readable format
  • Object to or restrict processing based on legitimate interests
  • Withdraw consent at any time, including by disconnecting Outlook or Gmail or by closing your account

End clients whose data sits inside a firm's mailbox should contact that firm first, as the Controller of that data. To exercise your rights directly with Pacium write to contact@pacium.com; we aim to respond within 30 days.

14. Children's privacy

The Service is intended for professional adult users working at an accounting firm. We do not knowingly collect Personal Data from children. If you become aware that a child has used the Service, please contact us; we will delete any associated data on confirmation.

15. Changes to this policy

Material changes are announced in-app and by email to firm administrators at least 30 days before they take effect. Smaller edits such as clarifications and sub-processor list updates are reflected in the "last updated" date at the top of the page.

16. Contact us

Pacium
Dalenstraat 2, 3020 Winksele, Belgium
VAT: BE1025608813
Email: contact@pacium.com

If you believe we are not handling your data correctly you can lodge a complaint with the applicable EU Data Protection Authority. For example:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Rue de la Presse 35, 1000 Brussels, Belgium
gegevensbeschermingsautoriteit.be
+32 (0)2 274 48 00