Softbooq

Privacy Policy

Last updated: May 2026

Everbright & Co. ("Softbooq", "we", "our", or "us"), operating from Germany, European Union, is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws. This policy explains what data we collect, why, how it is processed, and your rights.

1. Data Controller

The data controller responsible for personal data processed through the Softbooq platform is:

Cypran Akubude, operating as Everbright & Co. (Softbooq)
c/o Postflex #10549
Emsdettener Str. 10
48268 Greven, Germany
Email: info@softbooq.com

2. Data We Collect

We collect and process the following categories of data:

- Account and identity data: name, work email, organisation name, country, and workspace credentials.
- Employee and HR data (Pro plan): full name, contact details, job title, employment type, salary and compensation, bank account details (IBAN, sort codes) for payroll, emergency contacts, attendance and clock-in/out records, leave requests, payslips, deductions, bonuses, and payroll run history.
- Customer and contact data: customer names, email addresses, phone numbers, postal addresses, and company details entered by you or synchronised from connected CRM platforms (HubSpot).
- Financial and transaction data: invoice amounts, payment status, purchase orders, expense records, vendor details, bank connection data (via open banking), payment run records, and accounting journal entries synchronised with connected accounting platforms (Xero, QuickBooks Online, DATEV, Pennylane, Lexoffice, ZohoBooks, SevDesk).
- E-commerce data: orders, products, inventory levels, and customer records synchronised from connected online stores (Shopify, WooCommerce).
- Project and task data: project names, task assignments, due dates, and status updates synchronised with connected project management tools (Asana, Jira, Trello, Microsoft Planner).
- IT and device data: managed device names, serial numbers, compliance status, and assigned user information retrieved read-only from connected IT management platforms (Microsoft Intune, Jamf Pro).
- Contract and legal data: contract parties, dates, values, payment terms, and document content.
- Travel data: trip destinations, dates, accommodation, per diem claims, expense reports, and booking data synchronised from connected travel management platforms (TravelPerk).
- Document and file data: images and content of documents you submit for AI processing (receipts, invoices, contracts, ID documents, business cards, resumes); file names and metadata from connected cloud storage accounts.
- Calendar data: event metadata from connected Google Calendar or Outlook Calendar accounts (read-only access).
- Directory data: employee names, email addresses, department and job title information, and managed device inventory retrieved read-only from connected Google Workspace accounts.
- Usage data: pages visited, feature usage, error logs, and session metadata used to maintain and improve the platform.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

- Contract performance (Art. 6(1)(b)): to provide, operate, and maintain the Softbooq service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): to ensure platform security, prevent fraud, and improve the service.
- Legal obligation (Art. 6(1)(c)): where required by German, EU, or other applicable law.
- Consent (Art. 6(1)(a)): where explicitly provided by you, such as when enabling optional integrations.

For special categories of data (e.g., where salary data intersects with health-related deductions), processing is based on explicit consent or as necessary for employment law obligations under Art. 9(2)(b).

4. AI & Machine Learning Processing

Softbooq's AI features are powered by the following large language model services:

Anthropic Claude (Anthropic PBC, San Francisco, USA): The Softbooq AI assistant (conversational AI, financial queries, document summarisation, and agentic tool use within the platform) is powered by Claude. When you use the AI assistant, the following data may be sent to Anthropic: your questions and conversation history, summarised records from your workspace (invoices, contracts, employee profiles, projects) to generate context-aware responses, and document content when you ask the assistant to analyse a specific record.

Google Gemini (Google LLC): Document OCR and extraction, AI-generated analytical narrations (e.g., reorder radar), and vector embedding generation for semantic search are powered by Google Gemini. When you use these features, document images and content (receipts, invoices, contracts, expense photos, ID documents, business cards, resumes) may be sent to Google.

Important disclosures:

- Softbooq does not use your business data to train AI models.
- Anthropic processes data under its API Terms of Service and does not use API input/output to train its models by default.
- Google processes data under Google's API Terms of Service; by default, Google does not use API input/output to train its models.
- AI-generated responses may contain errors and should be reviewed before acting on them.
- You can disable AI features at any time in Settings > Intelligence.
- Standard Contractual Clauses (SCCs) are in place with both Anthropic PBC and Google LLC for international data transfers.

Data transmitted to AI providers is used solely to generate responses to your queries and is not retained by those providers beyond the API session.

5. Third-Party Sub-Processors

We use the following third-party services to operate the platform. Each acts as a sub-processor of personal data under its own privacy policy and a data processing agreement with Softbooq.

Core infrastructure:
- Supabase / AWS (eu-central-1, Frankfurt): database, authentication, file storage, and serverless functions. All tenant data is stored within the EU.
- Stripe (Stripe Inc.): subscription billing, payment processing, and Stripe Connect marketplace payments.

AI and document processing:
- Anthropic (Anthropic PBC): AI assistant, conversational queries, and document analysis (see Section 4).
- Google Gemini (Google LLC): document OCR/extraction, analytical narrations, and embedding generation (see Section 4).

Email delivery:
- Brevo (Sendinblue SAS): default transactional email delivery.
- User-configurable SMTP (optional): SendGrid, Google Workspace, Microsoft 365, or custom SMTP, configured by the account administrator and subject to those providers' terms.

Payment and banking (user-activated):
- Wise (Wise Payments Limited): bank details and payment amounts are transmitted when payment runs are submitted.
- Revolut Business (Revolut Ltd): bank details and payment amounts are transmitted when payment runs are submitted.
- Enable Banking (Enable Banking Oy): PSD2/Open Banking connections for live bank transaction feeds; authorisation is handled via redirect to Enable Banking.

Cloud file storage (user-connected, optional):
- Google Drive (Google LLC): file browsing, upload, and download via OAuth.
- Microsoft OneDrive and SharePoint (Microsoft Corporation): file browsing, upload, and download via MSAL OAuth.
- Dropbox (Dropbox Inc.): file browsing, upload, and download via OAuth.
- Box (Box Inc.): file browsing, upload, and download via OAuth.

Calendar (user-connected, optional):
- Google Calendar (Google LLC): read-only calendar event access via OAuth.
- Microsoft Outlook Calendar (Microsoft Corporation): read-only calendar event access via OAuth.

E-commerce (user-connected, optional):
- Shopify (Shopify Inc.): bidirectional sync of orders, products, inventory, and customer records via OAuth. Customer names, email addresses, and order data are transmitted.
- WooCommerce (Automattic Inc.): bidirectional sync of orders, products, inventory, and customer records via API key. Customer names, email addresses, and order data are transmitted.

Accounting and finance (user-connected, optional):
- Xero (Xero Limited): contact and invoice sync via OAuth. Business contact and financial data are transmitted.
- QuickBooks Online (Intuit Inc.): contact and invoice sync via OAuth. Business contact and financial data are transmitted.
- DATEV eG: invoice and journal entry export via OAuth. Financial records are transmitted for German tax accounting.
- Pennylane (Pennylane SAS): contact and invoice sync via API key. Business contact and financial data are transmitted.
- Lexoffice (Haufe-Lexware GmbH & Co. KG): contact and invoice sync via API key. Business contact and financial data are transmitted.
- ZohoBooks (Zoho Corporation): payment sync via OAuth. Financial records are transmitted.
- SevDesk (sevDesk GmbH): accounting sync via API key. Financial records are transmitted.

CRM (user-connected, optional):
- HubSpot (HubSpot Inc.): bidirectional contact and deal sync, automated invoice creation on deal close. Contact names, email addresses, company data, and deal amounts are transmitted via OAuth.

Project management (user-connected, optional):
- Asana (Asana Inc.): bidirectional task and project sync, team out-of-office and time tracking. Task names, assignments, and due dates are transmitted via OAuth.
- Jira (Atlassian Corporation): bidirectional issue and project sync. Issue names, assignments, and status data are transmitted via OAuth.
- Trello (Atlassian Corporation): board and card sync. Card names and assignment data are transmitted via personal API token.
- Microsoft Planner (Microsoft Corporation): task and plan sync. Task names, assignments, and due dates are transmitted via Microsoft 365 OAuth.

Directory and identity (user-connected, optional):
- Google Workspace (Google LLC): read-only employee directory sync (names, emails, departments, job titles) and managed device inventory (ChromeOS and mobile devices) via OAuth. See also the Google API Disclosure at softbooq.com/google-api-disclosure.

Travel (user-connected, optional):
- TravelPerk (TravelPerk S.L.): business trip booking data, itineraries, and expense records are synchronised via OAuth. Traveller names, destinations, and booking details are transmitted.
- Amadeus Travel API (Amadeus IT Group SA): flight, hotel, and car rental search. Search parameters (destination, dates, passenger count) are transmitted; no personal profile data is stored by Amadeus.
- Travelpayouts: affiliate redirect links only; no personal data is transmitted.

IT management (user-connected, optional):
- Microsoft Intune (Microsoft Corporation): managed device compliance status, names, serial numbers, and assigned user information are retrieved read-only via Microsoft Graph API OAuth.
- Jamf Pro (Jamf Software LLC): managed Apple device compliance status, names, serial numbers, and assigned user information are retrieved read-only via API key.

Bot protection:
- Cloudflare Turnstile (Cloudflare Inc.): bot protection on login forms using strictly necessary cookies. No cross-site tracking.

6. Data Storage & Infrastructure

Your data is stored and processed in AWS Europe (Frankfurt, eu-central-1). All database, authentication, and serverless infrastructure is hosted within the EU. API credentials and secrets are stored in Supabase Vault (encrypted at rest). We do not transfer your personal data outside the European Economic Area without appropriate safeguards. Standard Contractual Clauses (SCCs) are in place with providers based outside the EEA, including Anthropic PBC (USA), Google LLC (USA), Shopify Inc. (Canada), HubSpot Inc. (USA), Atlassian Corporation (Australia/USA), Intuit Inc. (USA), and Jamf Software LLC (USA).

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. Upon account deletion, personal data is anonymised or permanently deleted within 30 days, except where we are required by law to retain it - for example, financial records may be retained for up to 10 years under German commercial law (HGB § 257). You may request an export of your data at any time prior to deletion by contacting info@softbooq.com.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

- Right of Access (Art. 15): request a copy of your personal data.
- Right to Rectification (Art. 16): correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): request deletion of your data ('right to be forgotten').
- Right to Restriction (Art. 18): restrict how we process your data.
- Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at info@softbooq.com. We will respond within 30 days.

9. Data Breach Notification

In the event of a personal data breach, Softbooq will:

- Notify the relevant supervisory authority (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, or the authority of the affected EU member state) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to your rights and freedoms (GDPR Art. 33).
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
- Maintain an internal record of all data breaches, including those not meeting the notification threshold.

Notifications will be sent to the primary account email address on file.

10. Cookies & Local Storage

Softbooq uses the following technologies to maintain session state and platform functionality:

- Strictly necessary cookies: session authentication tokens set by Supabase to maintain your logged-in state.
- Browser local storage: OAuth access tokens for user-connected third-party services (Google Drive, OneDrive, Dropbox, Box, Google Calendar, Outlook Calendar, Shopify, HubSpot, Xero, QuickBooks Online, Asana, Jira, TravelPerk, and others) are stored in your browser's local storage to maintain those connections. These tokens are not transmitted to Softbooq's servers beyond the initial authorisation flow.
- Cloudflare Turnstile: a bot protection script used on login forms. It uses cookies strictly necessary to verify you are a human and does not track your browsing activity across sites.

We do not use advertising cookies, cross-site tracking cookies, or analytics cookies.

11. Client Portal & Supplier Portal

Softbooq enables account administrators to grant their clients access to a client portal (to view invoices, projects, support tickets, and make payments) and their suppliers access to a supplier portal (to view purchase orders, submit documents, and communicate on procurement workflows). As an administrator granting portal access, you are the data controller for your clients' and suppliers' personal data and are responsible for:

- Obtaining any necessary consent from clients or suppliers before granting portal access
- Ensuring portal users are informed about how their data is processed
- Complying with applicable data protection law in your relationships with clients and suppliers

Softbooq processes client and supplier portal data on behalf of the account administrator (as data processor). Softbooq is not a party to the relationship between you and your clients or suppliers.

12. Your Responsibilities

When you connect third-party services to Softbooq - such as payment providers (Wise, Revolut), cloud storage, calendar services, accounting platforms, CRM, project management tools, or email providers - you are responsible for:

- Ensuring you have the authority to connect those accounts to Softbooq
- The security of API credentials, access tokens, and passwords you provide
- Any transactions, data access, or costs incurred through those connected accounts
- Complying with those third-party providers' terms of service
- Where connecting services that process personal data of third parties (e.g., Shopify customer records, HubSpot contacts), ensuring you have a lawful basis under GDPR for that data processing

Softbooq acts as a conduit when accessing connected third-party accounts. Disconnecting a service within Softbooq does not automatically revoke OAuth permissions granted to the third-party provider - you must also revoke access in that provider's own settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Your continued use of the platform after such notification constitutes acceptance of the updated policy.

14. Contact & Complaints

For privacy-related questions or to exercise your data rights, contact us at info@softbooq.com. If you believe your rights have been violated, you have the right to lodge a complaint with your national data protection authority. In Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn.

© 2026 Softbooq by Everbright & Co. - Germany, European Union