Softbooq Enterprise Cloud
Last updated: April 2026
Everbright & Company ("Softbooq", "we", "our", or "us"), operating from Germany, European Union, is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws. This policy explains what data we collect, why, how it is processed, and your rights.
The data controller responsible for personal data processed through the Softbooq platform is:
Everbright & Company, operating as Softbooq
c/o Postflex #10549, Emsdettener Str. 10, 48268 Greven, Germany
Email: info@softbooq.com
We collect and process the following categories of data:
- Account and identity data: name, work email, organisation name, country, and workspace credentials.
- Employee and HR data (Pro plan): full name, contact details, job title, employment type, salary and compensation, bank account details (IBAN, sort codes) for payroll, emergency contacts, attendance and clock-in/out records, leave requests, payslips, deductions, bonuses, and payroll run history.
- Customer and contact data: customer names, email addresses, phone numbers, postal addresses, and company details entered by you.
- Financial and transaction data: invoice amounts, payment status, purchase orders, expense records, vendor details, bank connection data (via open banking), and payment run records.
- Contract and legal data: contract parties, dates, values, payment terms, and document content.
- Travel data: trip destinations, dates, accommodation, per diem claims, and expense reports.
- Document and file data: images and content of documents you submit for AI processing (receipts, invoices, contracts, ID documents, business cards, resumes); file names and metadata from connected cloud storage accounts.
- Calendar data: event metadata from connected Google Calendar or Outlook Calendar accounts (read-only access).
- Usage data: pages visited, feature usage, error logs, and session metadata used to maintain and improve the platform.
We process your personal data on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): to provide, operate, and maintain the Softbooq service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): to ensure platform security, prevent fraud, and improve the service.
- Legal obligation (Art. 6(1)(c)): where required by applicable German, EU, or other applicable law.
- Consent (Art. 6(1)(a)): where explicitly provided by you, such as when enabling optional integrations.
For special categories of data (e.g., where salary data intersects with health-related deductions), processing is based on explicit consent or as necessary for employment law obligations under Art. 9(2)(b).
Softbooq's AI features are powered by Google Gemini, a third-party large language model service operated by Google LLC. When you use AI features, the following data may be sent to Google Gemini:
- Your questions and conversation history within the AI assistant
- Document images and content (receipts, invoices, contracts, expense photos, ID documents, business cards, resumes) when using document scanning and extraction
- Summarised records from your workspace (invoices, contracts, employee profiles, projects) to generate context-aware responses
Important disclosures:
- Softbooq does not use your business data to train AI models
- Google processes this data under Google's API Terms of Service and data processing agreements, under which Google does not use API input/output to train its models by default
- AI-generated responses may contain errors and should be reviewed before acting on them
- You can disable AI features at any time in Settings → Intelligence
Data transmitted to Gemini is used solely to generate responses to your queries.
We use the following third-party services to operate the platform. Each acts as a sub-processor of personal data and operates under its own privacy policy and data processing agreements.
Core infrastructure:
- Supabase / AWS (eu-central-1, Frankfurt): database, authentication, file storage, and serverless functions
- Stripe: subscription billing, payment processing, and Stripe Connect marketplace payments
AI and document processing:
- Google Gemini (Google LLC): AI assistant, document OCR/extraction, and record embeddings (see Section 4)
Email delivery:
- Brevo (Sendinblue): default transactional email delivery
- User-configurable SMTP (optional): SendGrid, Google Workspace, Microsoft 365, or custom SMTP — configured by the account administrator and subject to those providers' terms
Payment and banking (user-activated):
- Wise: bank details and payment amounts are transmitted when payment runs are submitted
- Revolut Business: bank details and payment amounts are transmitted when payment runs are submitted
- Enable Banking: PSD2/Open Banking connections for bank transaction feeds — authorisation is handled via redirect to Enable Banking
Cloud file storage (user-connected, optional):
- Google Drive (Google LLC): file browsing, upload, and download via OAuth
- Microsoft OneDrive and SharePoint (Microsoft Corporation): file browsing, upload, and download via MSAL OAuth
- Dropbox (Dropbox Inc.): file browsing, upload, and download via OAuth
- Box (Box Inc.): file browsing, upload, and download via OAuth
Calendar integrations (user-connected, optional):
- Google Calendar (Google LLC): read-only calendar event access via OAuth
- Microsoft Outlook Calendar (Microsoft Corporation): read-only calendar event access via OAuth
Travel:
- Amadeus Travel API: flight, hotel, and car rental search parameters transmitted (no personal data stored)
- Travelpayouts: affiliate redirect links only (no personal data transmitted)
Bot protection:
- Cloudflare Turnstile: bot protection on login forms using strictly necessary cookies (no cross-site tracking)
Your data is stored and processed in AWS Europe (Frankfurt, eu-central-1). All database, authentication, and serverless infrastructure is hosted within the EU. API credentials and secrets are stored in Supabase Vault (encrypted at rest). We do not transfer your personal data outside the European Economic Area without appropriate safeguards. Standard Contractual Clauses (SCCs) are in place with Google LLC for Gemini and Google Calendar services.
We retain your data for as long as your account is active or as needed to provide the service. Upon account deletion, personal data is anonymised or permanently deleted within 30 days, except where we are required by law to retain it — for example, financial records may be retained for up to 10 years under German commercial law (HGB § 257). You may request an export of your data at any time prior to deletion by contacting info@softbooq.com.
Under the GDPR, you have the following rights:
- Right of Access (Art. 15): request a copy of your personal data.
- Right to Rectification (Art. 16): correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): request deletion of your data ('right to be forgotten').
- Right to Restriction (Art. 18): restrict how we process your data.
- Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at info@softbooq.com. We will respond within 30 days.
In the event of a personal data breach, Softbooq will:
- Notify the relevant supervisory authority (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, or the authority of the affected EU member state) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to your rights and freedoms (GDPR Art. 33).
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
- Maintain an internal record of all data breaches, including those not meeting the notification threshold.
Notifications will be sent to the primary account email address on file.
Softbooq uses the following technologies to maintain session state and platform functionality:
- Strictly necessary cookies: session authentication tokens set by Supabase to maintain your logged-in state.
- Browser local storage: OAuth access tokens for user-connected third-party services (Google Drive, OneDrive, Dropbox, Box, Google Calendar, Outlook Calendar) are stored in your browser's local storage to maintain those connections. These tokens are not transmitted to Softbooq's servers beyond the initial authorisation flow.
- Cloudflare Turnstile: a bot protection script used on login forms. It uses cookies strictly necessary to verify you are a human and does not track your browsing activity across sites.
We do not use advertising cookies, cross-site tracking cookies, or analytics cookies.
Softbooq enables account administrators to grant their clients access to a client portal where clients can view invoices, projects, support tickets, and make payments. As an administrator granting client portal access, you are the data controller for your clients' personal data and are responsible for:
- Obtaining any necessary consent from clients before granting portal access
- Ensuring clients are informed about how their data is processed
- Complying with applicable data protection law in your relationship with your clients
Softbooq processes client portal data on behalf of the account administrator (as data processor). Softbooq is not a party to the relationship between you and your clients.
When you connect third-party services to Softbooq — such as payment providers (Wise, Revolut), cloud storage, calendar services, or email providers — you are responsible for:
- Ensuring you have the authority to connect those accounts to Softbooq
- The security of API credentials, access tokens, and passwords you provide
- Any transactions, data access, or costs incurred through those connected accounts
- Complying with those third-party providers' terms of service
Softbooq acts as a conduit when accessing connected third-party accounts. Disconnecting a service within Softbooq does not automatically revoke OAuth permissions granted to the third-party provider — you must also revoke access in that provider's own settings.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Your continued use of the platform after such notification constitutes acceptance of the updated policy.
For privacy-related questions or to exercise your data rights, contact us at info@softbooq.com. If you believe your rights have been violated, you have the right to lodge a complaint with your national data protection authority. In Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn.
© 2026 Softbooq by Everbright & Co. - Germany, European Union