1. Sandelia’s GDPR Commitment

Sandelia SRL attaches the utmost importance to the protection of personal data and is committed to fully complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (GDPR).

The purpose of this page is to present, in a transparent and educational manner, the measures implemented by Sandelia to ensure GDPR compliance, safeguard the security of processed data, and respect the rights of data subjects.

This page is informational and non-contractual. It complements the Privacy Policy, the Cookie Policy, and the General Terms and Conditions of Use (GTC).

2. Scope of Application

Sandelia’s services are exclusively intended for a professional audience (B2B).

• ✔ Self-employed professionals
• ✔ Companies and legal entities
• ❌ Never intended for consumers (B2C)
• ❌ Never intended for minors

Any use of the Sandelia platform by a minor or for personal purposes is strictly prohibited.

3. Identification of the Data Controller

Data Controller:
Sandelia SRL
Avenue Louise 271, 1050 Ixelles – Belgium
Company number: BE 1027.733.509

Internal GDPR Contact Point:
📩 legal@sandelia.be

Sandelia is not required to appoint a Data Protection Officer (DPO) within the meaning of the GDPR, but has designated an internal contact point responsible for data protection matters.

4. Sandelia’s Role under the GDPR

Depending on the processing activities, Sandelia may act:

4.1 As Data Controller

For data relating to:

• user account management;
• Sandelia billing;
• the contractual relationship;
• support and communications.

4.2 As Data Processor

For data processed on behalf of clients, in particular:

• accounting documents;
• invoices, quotations and credit notes;
• professional data entered by the user.

In this context, Sandelia acts solely on the client’s instructions.

5. Categories of Data Processed

5.1 Identification and Contact Data

• first and last name;
• professional email address;
• professional phone number;
• professional address.

5.2 Professional Data

• company name;
• company registration number;
• VAT number;
• professional activity.

5.3 Financial Data

• invoices, quotations and credit notes;
• data appearing in documents (e.g. IBAN shown on an invoice).

⚠️ Sandelia currently does not offer direct bank connectivity.
Such functionality may be added later via Ponto / Ibanity, with a corresponding update of the GDPR documentation.

6. Strictly Prohibited Data

It is strictly prohibited to import, store or process the following categories of data via Sandelia:

• health data;
• national register number (NISS);
• criminal or judicial data;
• biometric data;
• data revealing political, religious or trade-union opinions.

The user remains solely responsible for the data they upload to the platform.
Sandelia reserves the right to suspend or delete any non-compliant content.

7. Purposes and Legal Bases of Processing

Data are processed for the following purposes:

8. Artificial Intelligence and Automation

Sandelia uses artificial intelligence technologies notably for:

• automatic document recognition (OCR);
• administrative assistance;
• accounting and analytical assistance;
• certain general functionalities of the application.

Important

• Outputs generated by AI constitute automated assistance.
• They never replace human analysis.
• The user remains solely responsible for verifying and using the results.

AI technologies may involve third-party providers, in compliance with the GDPR and appropriate safeguards.

9. Processors and Partners

Sandelia relies on carefully selected service providers, in particular for:

• hosting (AWS – Europe);
• billing and payments (Stripe – Europe);
• OCR (Mindee);
• AI (OpenAI);
• electronic invoicing / Peppol (Recommand – Belgium).

Each provider is subject to contractual confidentiality and security obligations in line with the GDPR.

10. Data Security

Sandelia implements appropriate technical and organisational measures, including:

• hosting on secure AWS infrastructures located in Europe;
• encryption of data in transit (HTTPS);
• strictly limited internal access;
• logging for security and traceability purposes;
• incident management procedures.

Multi-factor authentication (MFA) is not yet active but is planned as part of the platform’s evolution.

11. Data Retention

• Active data: for the duration of the contract.
• After termination:
  
  • retention for 1 year;
  • deletion thereafter.
• Technical logs:
  
  • retained until the expiry of legal obligations;
  • for security and legal defence purposes.

12. Rights of Data Subjects

In accordance with the GDPR, you have the following rights:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction;
• right to object;
• right to data portability (where applicable).

Exercising Your Rights

📩 legal@sandelia.be
Response time: 30 days
Identity verification may be requested.

13. Supervisory Authority

You may lodge a complaint with:

Belgian Data Protection Authority
Rue de la Presse 35, 1000 Brussels
📞 +32 (0)2 274 48 00
🌐 https://www.autoriteprotectiondonnees.be

14. Amendments and Updates

This GDPR page may be updated at any time, in particular in the event of:

• functional developments;
• regulatory changes;
• the addition of new service providers.

The version published on the website shall prevail.

15. Related Documents

• Privacy Policy
• Cookie Policy
• General Terms and Conditions of Use