In-App Privacy Notice

What happens to your personal data when you use Aquil as an authorised user of a customer organisation.

Version 1.0.0 · Effective 7 April 2026

In-App Privacy Notice — Aquil Service

Sokigo AB, org.nr 556550-6309 · Version: 1.1 · Effective date: 2026-04-16

This notice explains how personal data is processed when you use the Aquil Service as an Authorised User (for example, as an employee of an organisation that subscribes to Aquil). It supplements our main Privacy Policy which covers Sokigo's processing as a data controller for website visitors, prospects and sales contacts.

1. Who is the controller of your data in Aquil?

For personal data processed inside the Aquil Service, the data controller is your employer — the organisation that has subscribed to Aquil and granted you access. This includes:

  • Your account details (name, email, role, organisation)
  • Your actions in the Service (documents you create, edits, comments, audit logs)
  • Content you upload or generate, including content that may contain personal data about you or third parties

Sokigo is a data processor — we process this data on behalf of your employer and under their instructions, as set out in our Data Processing Agreement (DPA). Your employer is responsible for:

  • Deciding what personal data is processed in Aquil and why
  • Having a valid lawful basis under the GDPR
  • Informing you about the processing (typically through their own privacy notice or HR materials)
  • Responding to your requests to exercise your data subject rights

To exercise your rights, contact your employer's data protection contact in the first instance. If you cannot reach them, or your request relates to how Sokigo handles data as a processor, you may contact us at infosec@sokigo.com and we will forward the request to your employer or cooperate as required under the DPA.

2. What Sokigo processes as a controller

Even in the in-app context, there are narrow situations where Sokigo processes personal data as a controller for our own purposes:

| Purpose | Data | Lawful basis |
|---|---|---|
| Authentication and access security (via Auth0) | Email, hashed password, MFA factor metadata, login timestamps, IP address | Art. 6(1)(f) — legitimate interest in secure access; Art. 6(1)(c) where legally required |
| Service security, abuse prevention and integrity | Audit logs, security event metadata, IP addresses | Art. 6(1)(f) — legitimate interest |
| Service administration and billing between Sokigo and the Customer organisation | Name and contact details of billing/admin contacts; billing address; VAT / organisation number; invoice history | Art. 6(1)(b) — contract |
| Payment processing via Stripe (subscription billing, invoicing, fraud prevention) | Billing contact name and email, billing address, VAT / organisation number, payment method token (card PAN tokenised by Stripe — never stored by Sokigo), transaction metadata, IP at time of payment | Art. 6(1)(b) — contract; art. 6(1)(f) — legitimate interest in fraud prevention (Stripe Radar) |
| Statutory accounting retention | Invoices, payment records, transaction logs | Art. 6(1)(c) — legal obligation (Swedish Bokföringslagen 1999:1078 kap. 7; 7-year retention from end of the relevant calendar year, overriding erasure requests for accounting data) |
| Statistical analytics for product improvement, using aggregated and de-identified metadata only (feature usage counts, performance metrics) | Aggregated event and performance data — never your content | Art. 6(1)(f) — legitimate interest |
| Compliance and legal obligations (accounting, responding to supervisory authorities) | As required | Art. 6(1)(c) — legal obligation |

For these purposes, your rights under Sections 8–9 of the main Privacy Policy apply directly against Sokigo.

3. Where your data is processed

  • Hosting: in Sweden, on Sokigo's own infrastructure.
  • Authentication: in Auth0's EU tenant (Frankfurt, Germany).
  • AI processing: on Microsoft Azure AI Foundry in Sweden Central, where content you submit to AI features is processed to generate responses. Content is not used to train any AI model and is not retained beyond the request.
  • Transactional email: via Resend.
  • Payment processing: by Stripe Payments Europe Ltd (Ireland). Card data is tokenised by Stripe; Sokigo does not see or store card numbers. Stripe may transfer billing metadata to its US parent for platform operations and fraud prevention, under SCCs and Data Privacy Framework certification. When you subscribe, you are redirected to Stripe's hosted Checkout (stripe.com), which is governed by Stripe's own privacy notice in addition to this one.
  • Backups: at a separate geographic location within Sweden.

See our Sub-processor List for the complete list and transfer mechanisms.

4. AI features

Aquil uses AI to assist with compliance tasks such as drafting, summarising, gap analysis and requirement matching. When you use an AI feature:

  • Your input is sent to a large language model deployed in Sokigo's own Azure tenant in Sweden.
  • The model does not learn from your input. No prompts or completions are used to train any AI model.
  • AI prompts and outputs are not retained by Sokigo beyond the user session, unless you explicitly save the output as part of your content.
  • AI output is informational and must be reviewed by a qualified human before being relied upon. It is not legal, audit, regulatory or compliance advice.

Your employer has agreed that AI processing is an integral part of the Service. If you have concerns, raise them with your employer.

5. How long your data is kept

Your data is kept for as long as your employer remains a customer of Aquil. If your employer ends its subscription, Sokigo retains the data for a 30-day export grace period followed by deletion within a further 60 days (with backups rotating out within 90 days). See DPA §12.

Billing and invoice records are retained for 7 years from the end of the relevant calendar year as required by Swedish Bokföringslagen (1999:1078) kap. 7 § 2. This statutory retention applies to invoices, payment records and related accounting verifications even if the Customer has ended its subscription or a data subject has requested erasure of other personal data.

If you leave your employer, your employer is responsible for deactivating your account in accordance with their own access control policies. Sokigo does not receive notifications of individual employment changes automatically.

6. Your rights

Your GDPR rights (access, rectification, erasure, restriction, portability, objection, not to be subject to automated decision-making) apply. Exercise them primarily through your employer, who is the controller of the content you create in Aquil.

Where Sokigo is the controller for the narrow purposes in Section 2 above, you can contact infosec@sokigo.com directly.

You may also lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm
imy@imy.se · 08-657 61 00

7. Automated decision-making

Aquil does not make solely automated decisions producing legal effects on you or similarly significantly affecting you. AI features suggest and draft content but require human review before any action is taken.

8. Security

Sokigo is ISO/IEC 27001:2022 certified. See our Trust page for details of technical and organisational measures, including encryption, tenant isolation, access control, monitoring and incident response.

9. Changes

We may update this notice. The effective date above shows when. Material changes will be notified via in-app notification and/or email.

10. Contact


[End of In-App Privacy Notice]

Document hash (SHA-256): af44c7aebe0ef8251d1bf0c32b96effeecef8e3a58b27c3d1e415871df6bb497