Legal
Privacy Policy
Last updated: 13 July 2026
Draft for review: this document has not been reviewed by qualified counsel and must be reviewed before commercial use.
AktaBook is double-entry bookkeeping and financial reporting software for businesses, operated by an individual owner (“the operator”, “we”). This policy describes, in plain language, what the software actually stores and does — nothing more. If something is not listed here, the software does not do it.
The short version
- We set exactly one cookie, and only when you sign in.
- There are no analytics, no trackers, and no third-party scripts on any page.
- Your data lives in a database the operator runs — it is not sent to, sold to, or shared with anyone else.
- The system does not process payments and does not send email.
What we collect
Everything stored is either something you (or a colleague in your business) typed in, or a record the system keeps so the books can be audited:
- Account details. Your email address, name, and role (owner or accountant). Your password is never stored — only a bcrypt hash of it.
- The financial records you enter. Your chart of accounts, transactions and their journal entries, inventory balances, expense templates, and period locks.
- Audit stamps. Who did what: the email of the user who posted each transaction, who closed an accounting period, and a log of every sync-API run (what it posted, or why it failed).
- API tokens. If your business uses the sync API, we store the token’s name and a SHA-256 hash of it — the token itself is shown once at creation and never kept.
What we deliberately don’t collect
- No analytics or usage tracking of any kind.
- No third-party scripts, fonts served from third parties, ad tech, or social widgets.
- No payment details — the system does not process payments.
- No marketing profiles: the system never sends email, and your data is never sold or shared with third parties.
The one cookie
Visitors who never sign in get no cookie at all. When you sign in, we set a single cookie named lf_session:
- It exists solely to keep you signed in — nothing else reads or uses it.
- It is httpOnly (invisible to scripts in the page) and cryptographically signed, so it cannot be forged or tampered with.
- It expires after 7 days, and is removed immediately when you sign out.
Where your data lives
All data is stored in a database (SQLite or PostgreSQL) hosted and administered by the operator. There is no third-party analytics backend, no external data warehouse, and no cloud service that receives a copy of your books.
Who can see your data
- People in your business. Each business’s data is fully isolated from every other business in the system. Within your business there are two roles — owner and accountant — and only users the operator has granted access can sign in.
- The operator. Because the operator runs the server and database, they have technical access to the data — the same way any hosting administrator would.
- Nobody else. No third parties receive your data.
Retention and the immutable ledger
The ledger is append-only by design: posted financial entries are never edited or deleted, and a mistake is corrected by posting a reversal alongside the original. This is what makes the books auditable — and it means ledger records (including the audit stamp of who posted them) are retained indefinitely.
Removing a user account or a business is not currently self-service. If you want an account removed or have questions about what can be deleted, contact the operator — non-ledger data such as expense templates and API tokens can be deleted at any time from within the app.
Your choices
- Export. You can export your business’s full ledger from the app at any time, as CSV or JSON.
- Passwords and sessions. You can change your own password; the business owner can reset any user’s password, which also revokes all of that user’s active sessions. API tokens can be revoked at any time.
- Questions or requests. Email the operator at [email protected].
Changes to this policy
If the software changes in a way that affects anything written here, this page and its “last updated” date will be updated. We will not quietly change what the system does with your data — this document is meant to stay an accurate description of the code.
Contact
The operator: [email protected].