Privacy Policy
This Privacy Policy describes how Aquil (the "Service") processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national law. It applies to business users and visitors in the European Economic Area (EEA) and elsewhere where we offer the Service.
The data controller is the legal entity that determines the purposes and means of processing. For the Service, the controller is: [Company legal name], [Address]. For the avoidance of doubt, where your organization has a separate data processing agreement with us, that agreement applies to the processing we do on your behalf.
Data we collect
We collect: (1) Account and profile data (name, email, organization affiliation) necessary to provide the Service and manage your account; (2) Organization and usage data (e.g. documents, process definitions, audit and compliance-related content) that you or your organization upload or create; (3) Technical and log data (IP address, browser type, session identifiers) for security, fraud prevention, and operation of the Service; (4) Communication and support data when you contact us; (5) Billing data when your organization subscribes to a paid plan (billing contact name and email, billing address, VAT / organisation number, transaction metadata and payment method token). Card numbers are handled directly by our payment processor Stripe and never stored by Sokigo. We do not sell your personal data.
Legal basis for processing (GDPR Art. 6)
We process personal data on the following bases: (a) Contract — performance of our agreement with you or your organization (provision of the Service, account management); (b) Legal obligation — where we must retain or disclose data to comply with law; (c) Legitimate interests — improving the Service, security, analytics (where applicable), and defending our rights, where these interests are not overridden by your rights; (d) Consent — where we rely on consent (e.g. optional cookies or marketing), you may withdraw it at any time.
Purposes of processing
Personal data is used to: deliver and operate the Service; authenticate users and enforce access control; provide support and communicate with you; improve product quality and security; comply with legal and contractual obligations; and, where applicable and with your consent, for analytics or marketing.
Recipients and sub-processors
We may share data with: (1) Sub-processors that help us run the Service, including Microsoft Azure (hosting, AI inference — Sweden), Auth0/Okta (authentication — EU tenant in Frankfurt, US parent), Resend (transactional email — EU), Nordlo (managed IT services — Sweden) and Stripe Payments Europe Ltd (subscription billing and payment processing — Ireland, with US parent Stripe, Inc.). We use processors that provide appropriate safeguards and only process data on our instructions. (2) Authorities when required by law. We do not share your data with third parties for their own marketing. The complete, up-to-date sub-processor list is published at /legal/subprocessors.
International transfers
Your data is primarily processed within the EEA (Sweden and Ireland). Some sub-processors — Auth0/Okta, Resend and Stripe — have US parent companies that may have administrative access, and Stripe transfers billing metadata to its US parent entity for platform operations and fraud prevention. For any transfer outside the EEA we rely on EU Standard Contractual Clauses and, where applicable, EU-US Data Privacy Framework certification, so that your data remains protected in line with GDPR Chapter V. Transfer impact assessments for each relevant sub-processor are maintained internally and summarised in our Trust page.
Retention
We retain personal data only as long as necessary for the purposes above: account data for the duration of the contract and a reasonable period after termination; log and security data as required for security and legal compliance (typically up to a defined period in our internal policies); support communications as needed to resolve requests and comply with legal obligations; and billing and invoice records for seven (7) years from the end of the relevant calendar year as required by the Swedish Bokföringslagen (1999:1078) kap. 7 § 2. This accounting retention applies to invoices, payment records and related verifications and overrides erasure requests for that data. After retention periods expire, we delete or anonymise data.
Your rights (GDPR Arts. 15–22)
You have the right to: access your personal data; rectify inaccurate data; request erasure (subject to legal exceptions); restrict processing; data portability where applicable; object to processing based on legitimate interests; and withdraw consent where processing is based on consent. To exercise these rights, contact us using the details below. You also have the right to lodge a complaint with a supervisory authority.
Supervisory authority
If you are in the EEA, you may lodge a complaint with the data protection supervisory authority in your country of residence or place of work. In Sweden, the authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten), imy.se.
Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, in line with the risk and nature of the data, and in accordance with applicable law and our contractual commitments.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the current version on this page and, where required by law, we will notify you of material changes. The "last updated" date is set out at the bottom of this page.
Contact and data protection enquiries
For privacy-related requests, to exercise your rights, or for questions about this policy, contact us at infosec@sokigo.com
Last updated: [Date]. This policy is provided for information and does not replace any data processing agreement that may apply between you and us.