Privacy Policy
Last updated: April 14, 2026
1. Introduction and Scope
Pacium ("we," "us," or "our") provides an AI-powered communication automation and document processing platform designed specifically for accounting firms. We are committed to protecting the privacy and security of the data entrusted to us by our customers (Accounting Firms) and their clients (SMEs).
This Privacy Policy describes how we collect, use, process, and disclose data in compliance with:
- The General Data Protection Regulation (GDPR) (EU) 2016/679
- The Belgian Data Protection Act of 30 July 2018
- The EU AI Act (Regulation laying down harmonised rules on artificial intelligence)
- Ethical guidelines established by the ITAA (Institute for Tax Advisors and Accountants)
1.1 Company Information (Controller)
Pacium
Dalenstraat 2, 3020 Winksele, Belgium
VAT Number: BE1025608813
Email: contact@pacium.com
1.2 The Role of Pacium
Data Processor: Pacium acts as a Data Processor for the client data, financial documents, and communication history that Accounting Firms upload or sync to our platform ("Service Data"). The Accounting Firm acts as the Data Controller and retains ownership of this data.
Data Controller: Pacium acts as a Data Controller for the data we collect about our website visitors, our customers' employees (users), job applicants, and leads ("Business Data").
2. Processing Activities
2.1 Service Delivery (The SaaS Platform)
Role: Data Processor (on behalf of Accounting Firm)
Purpose: Providing AI-powered email agents, OCR document processing, intelligent drafting, client profiling, knowledge extraction from communications, and accounting software synchronization
Data Categories: Client data including email threads, WhatsApp messages, meeting transcripts, invoices, UBL XML. Semantic embeddings stored in our vector database. Client profiles and communication patterns extracted from email history. Knowledge nodes built by AI agents. Style profiles for communication tone and formality. RAG interactions including questions, AI-generated answers, user feedback and corrections.
Legal Basis: Performance of a Contract (GDPR Art. 6.1.b)
Retention: Configurable by the Firm. Default is 7 years (Belgian accounting standard) or until contract termination
2.2 Email Provider Integration
Role: Data Processor
Purpose: Syncing and sending emails on behalf of the user
Providers Supported: Microsoft Outlook (via Microsoft Graph API) and Google Gmail (via Google OAuth)
Access Scope: Read and send emails, access conversation threads and metadata
Legal Basis: Performance of a Contract (GDPR Art. 6.1.b)
2.3 Google User Data
When you connect your Google account, Pacium accesses the following data through Google OAuth:
- Email messages: subject lines, body content, sender and recipient addresses, timestamps, conversation threads, and attachment metadata
- Account information: your name and email address for authentication
How we use Google user data: Google user data is used solely to provide the Platform's email client functionality, including displaying your inbox, drafting AI-assisted replies, extracting client profiles, and building knowledge from your communications.
How we store Google user data: All Google user data is stored in EU-based data centers with AES-256 encryption at rest and TLS 1.3 encryption in transit. OAuth access tokens and refresh tokens are encrypted before storage.
How we share Google user data: Google user data is shared only with the AI sub-processors listed in Section 5 of this policy (Anthropic, Google Gemini, OpenRouter) solely to provide Platform functionality such as drafting emails and answering questions. These providers are contractually prohibited from retaining or using your data beyond processing the immediate request.
Pacium does not use Google user data for:
- Serving, personalizing, retargeting, or delivering advertisements
- Training artificial intelligence or machine learning models
- Selling or transferring to third parties, data brokers, or information resellers
- Determining creditworthiness or for lending purposes
- Any purpose beyond providing or improving the Platform's core functionality
Data retention and deletion: Google user data is retained for the duration of your subscription or as configured by your organization. You may revoke Pacium's access to your Google account at any time through your Google Account settings (https://myaccount.google.com/permissions) or through the Platform. Upon revocation or account termination, your Google user data is deleted within 30 days, except where retention is required by law.
2.4 Microsoft User Data
When you connect your Microsoft account, Pacium accesses the following data through Microsoft Graph API:
- Email messages: subject lines, body content, sender and recipient addresses, timestamps, conversation threads, and attachment metadata
- Account information: your name and email address for authentication
Microsoft user data is used, stored, shared, retained, and deleted under the same terms as Google user data described in Section 2.3 above. You may revoke access through your Microsoft account settings or through the Platform.
2.5 AI Processing
Role: Data Processor
Purpose: Generating email drafts, answering regulatory questions, extracting knowledge from communications, classifying senders, and detecting hallucinations in AI-generated content
AI Providers: Anthropic (Claude), Google (Gemini), OpenRouter (Mistral). Email content and user queries are sent to these providers for processing.
No-Training Guarantee: Client data is not used to train third-party foundation models. All AI providers are contractually bound to not use input data for training.
Legal Basis: Performance of a Contract (GDPR Art. 6.1.b)
2.6 Brand Analysis During Onboarding
Role: Data Processor
Purpose: Analyzing the Accounting Firm's public website to extract brand personality, values, and communication style for AI-assisted drafting
Data Categories: Publicly available website content
Legal Basis: Performance of a Contract (GDPR Art. 6.1.b)
2.7 Account Management and Support
Role: Data Controller
Purpose: Managing user accounts, billing, authentication, and responding to support tickets
Data Categories: Accountant names, email addresses, hashed passwords, organization membership, role, support ticket history, activity logs
Legal Basis: Performance of a Contract (GDPR Art. 6.1.b) and Legitimate Interest (GDPR Art. 6.1.f)
Retention: Duration of contract + 2 years for support; 7 years for billing data
2.8 Marketing and Newsletters
Role: Data Controller
Purpose: Sending product updates, newsletters, and industry insights
Data Categories: Name, email address, interaction history
Legal Basis: Consent (GDPR Art. 6.1.a) for new leads; Legitimate Interest (GDPR Art. 6.1.f) for existing customers
Retention: Until the user unsubscribes
2.9 Website Usage and Analytics
Role: Data Controller
Purpose: Improving website performance, analyzing user journeys, and security monitoring
Data Categories: IP addresses (anonymized), browser type, device info, clickstream data
Tool: PostHog (EU-hosted)
Legal Basis: Legitimate Interest (GDPR Art. 6.1.f) for functional cookies; Consent (GDPR Art. 6.1.a) for tracking
Retention: Maximum 2 years after last activity
2.10 Recruitment
Role: Data Controller
Purpose: Evaluating candidates for employment
Data Categories: CVs, cover letters, LinkedIn profiles, interview notes
Legal Basis: Legitimate Interest (GDPR Art. 6.1.f) during selection; Contractual Necessity (GDPR Art. 6.1.b) for offers
Retention: 4 weeks after procedure ends, or 1 year with consent for recruitment reserve
3. Artificial Intelligence and Automated Decision Making
3.1 Human-in-the-Loop
- Pacium is an assistive tool, not a fully autonomous agent
- Our AI agents draft responses, but an accountant must review and approve before sending
- Accountants verify the accuracy of AI-extracted data before it enters the ledger
- Accountants can override AI classifications and suggestions at any stage
3.2 Hallucination Detection
AI-generated answers are validated against source material using automated groundedness checks. Answers that do not meet confidence thresholds are flagged for manual review.
3.3 Transparency
We clearly indicate when content has been generated by AI. The system provides citations explaining why the AI generated a specific draft, ensuring explainability.
4. Technical Architecture and Data Security
4.1 Data Residency and Storage
- EU Localization: All databases hosted strictly within EU data centers. Data does not leave the EEA.
- Multi-tenant Architecture: Strict logical isolation between Accounting Firms. All data is scoped by organization. Vector stores partitioned by Tenant ID.
4.2 Encryption and Security
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 for all stored data
- OAuth Token Security: Access tokens and refresh tokens are encrypted before storage
- Access Controls: Role-Based Access Control (RBAC)
- Mandatory Multi-Factor Authentication (MFA/2FA)
5. Data Sharing and Third-Party Integrations
We do not sell data. Integration partners include accounting software (Yuki, Exact Online, Silverfin) and e-invoicing networks (Peppol).
Sub-processors include:
- Convex (EU) - Database and backend infrastructure
- Anthropic (US, with EU data processing agreements) - AI language models (Claude)
- Google (EU/US) - AI language models (Gemini) and OAuth authentication
- OpenRouter (US) - AI model routing
- Microsoft (EU/US) - Email access via Graph API and OAuth authentication
- Railway (EU) - Email intelligence service hosting
- PostHog (EU) - Website and product analytics
- Vercel (EU/US) - Website hosting
A current list of all sub-processors is available in our Data Processing Agreement.
6. Rights of Data Subjects
You have the right to access your data, rectify incorrect data, delete your data, restrict processing, request data portability, and object to processing. Contact contact@pacium.com to exercise these rights. We will respond within 30 days.
For End-Clients (SMEs): Requests regarding financial data should be directed to the Accounting Firm (Data Controller). We will assist them in fulfilling requests.
7. Regulatory Authority
Belgian Data Protection Authority (APD/GBA)
Rue de la Presse 35, 1000 Brussels
https://www.autoriteprotectiondonnees.be
+32 (0)2 274 48 00
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of the platform after changes constitutes acceptance.
9. Contact Us
Pacium
Dalenstraat 2, 3020 Winksele, Belgium
Email: contact@pacium.com