Privacy Policy

This Privacy Policy describes how Sandelia SRL (hereinafter “Sandelia”, “we”, “us”) collects, uses, stores and protects personal data in the context of the use of its website, its software platform and all its services (the “Services”).

This Privacy Policy supplements the General Terms and Conditions of Use (GTC). In the event of any inconsistency, the GTC shall prevail with respect to contractual matters.


1. Identity of the data controller

Data controller (GDPR)
Sandelia SRL
Avenue Louise 271, 1050 Ixelles, Belgium
Company number (CBE): BE 1027.733.509
Email: info@sandelia.be

Privacy / GDPR contact
📩 info@sandelia.be (subject: “GDPR – Sandelia”)

Sandelia has not appointed a Data Protection Officer (DPO) at this stage. Should a DPO be appointed in the future, this Privacy Policy will be updated accordingly.


2. Scope – Data subjects

This Privacy Policy applies in particular to the following categories of persons:

  • users of the Sandelia platform (administrators, employees, invited users);
  • prospects (contact requests, free trials, demonstrations);
  • visitors to the website;
  • persons contacting Sandelia by email or WhatsApp for support purposes;
  • persons whose data appear in documents processed through Sandelia (customers, suppliers, partners of users).

The Services are strictly B2B and intended for professional use.
They are not intended for minors. Sandelia does not knowingly collect data relating to persons under the age of 18.


3. GDPR roles: controller and processor

3.1 Sandelia as data controller

Sandelia acts as data controller for processing activities relating in particular to:

  • the creation and management of user accounts;
  • the management of free trials, subscriptions and payments;
  • Sandelia’s own invoicing;
  • security, fraud prevention and technical logging;
  • communications (transactional emails, newsletters);
  • the use of cookies and advertising trackers on the website.

3.2 Sandelia as data processor

When a user processes, via Sandelia, data relating to their own customers, suppliers or partners (e.g. data appearing on invoices), the user generally acts as data controller and Sandelia as data processor, within the meaning of Article 28 GDPR.

In such cases, Sandelia processes the data solely for the purpose of providing the Services, in accordance with the user’s instructions and the GTC.
A Data Processing Agreement (DPA) may formalise this relationship.


4. Personal data processed

4.1 Identification and account data

  • first name and last name (if provided);
  • professional email address;
  • telephone number (if provided);
  • preferred language;
  • account identifiers, roles and access rights;
  • technical identifiers and login history.

4.2 Authentication and SSO

Users may log in via:

  • Google (SSO),
  • Microsoft (SSO),
  • Apple (SSO),

or via email and password.

In this context, Sandelia processes only the data strictly necessary for authentication (unique identifier, email address and minimal technical information).

4.3 Professional data

  • company name and legal form;
  • company and/or VAT number;
  • professional address;
  • invoicing and configuration settings.

4.4 Content data and documents

  • invoices, quotations, credit notes;
  • supporting documents, PDF files or images;
  • data contained in such documents (names, addresses, VAT numbers, amounts, references, due dates, descriptions).

IBAN
Sandelia does not maintain a dedicated database of IBANs of customers or suppliers. However, an IBAN may appear within the content of an invoice or document uploaded or generated by the user. In such a case, the IBAN is processed and stored as part of the relevant document for the applicable retention period.

4.5 Support and communications

  • content of email exchanges with the support service;
  • messages exchanged via WhatsApp for support purposes (content and metadata).

The use of WhatsApp involves processing by Meta Platforms in accordance with their own privacy policies. Sandelia recommends not transmitting sensitive information via WhatsApp.

4.6 Technical and security data

  • IP address;
  • access and activity logs;
  • data relating to browser, operating system and device;
  • performance, error and incident data.

4.7 Cookies and marketing data

Subject to your consent:

  • cookies and advertising identifiers;
  • browsing and interaction data;
  • data relating to conversions and advertising campaigns.

5. Excluded data and usage restrictions

Sandelia is not intended for the processing of special categories of personal data within the meaning of Article 9 GDPR (health data, political opinions, biometric data, etc.).

It is prohibited to use Sandelia for:

  • entering national register numbers (NISS);
  • knowingly uploading documents containing sensitive personal data.

In the event of a breach, Sandelia reserves the right to take the measures provided for in the GTC (removal of content, suspension or termination of the account).


6. Purposes and legal bases of processing

6.1 Performance of the contract (Article 6(1)(b) GDPR)

  • provision of the Services;
  • management of accounts and subscriptions;
  • processing of documents, OCR and automations;
  • customer support.

6.2 Legal obligations (Article 6(1)(c) GDPR)

  • accounting and tax obligations applicable to Sandelia;
  • responses to lawful requests from competent authorities.

6.3 Legitimate interest (Article 6(1)(f) GDPR)

  • system security and fraud prevention;
  • improvement and stability of the Service;
  • dispute management and defence of rights;
  • retention of evidence and logs.

Sandelia ensures a fair balance between its legitimate interests and the rights of data subjects.

6.4 Consent (Article 6(1)(a) GDPR)

  • cookies and advertising trackers;
  • sending newsletters via Mailchimp.

Consent may be withdrawn at any time.


7. Artificial intelligence (AI)

Sandelia offers integrated AI assistants, provided via OpenAI.

7.1 Data transmitted

Depending on usage:

  • user queries (prompts);
  • contextual elements required to generate a response;
  • extracts of documents or structured data.

7.2 No opt-out

The use of AI functionalities implies the transmission of data to OpenAI.
No opt-out option is available for these functionalities.

7.3 Responsibility

AI outputs are probabilistic and may contain errors.
The user remains fully responsible for verifying and using such outputs.


8. Cookies and advertising trackers

The Sandelia website uses a cookie banner with consent management.

8.1 Tools used (subject to consent)

  • Google Ads;
  • Meta Pixel (Facebook / Instagram);
  • LinkedIn Insight Tag.

8.2 Consent management

Users may accept, refuse or customise cookies via the cookie banner and may change their preferences at any time.


9. Recipients of the data

9.1 Service providers and processors

Personal data may be processed by, among others:

  • Amazon Web Services (AWS) – hosting (EU);
  • Stripe (Europe) – payments;
  • Mailchimp – newsletters;
  • Recommand (BRBX – BE 1012.081.766, Belgium) – Peppol;
  • Mindee – OCR;
  • OpenAI – AI assistants.

9.2 Authorised personnel

Access is limited to authorised personnel, subject to confidentiality obligations.

9.3 Authorities

Where legally or judicially required.


10. International transfers

Sandelia prioritises processing and storage within the European Union.
However, certain service providers (such as OpenAI) may involve transfers outside the EEA.

In such cases, appropriate safeguards are implemented (standard contractual clauses, additional security measures).


11. Data retention periods

11.1 Accounts and user data

Data are retained for the duration of the contractual relationship.

11.2 After termination

After termination of the account and the last payment, data are retained for 90 days to allow export or recovery by the user.

After this period, data are deleted or purged, unless legal obligations or ongoing disputes require otherwise.

11.3 Logs and security

Technical and security logs are retained for as long as necessary for security, fraud prevention and evidentiary purposes, without a predefined fixed period.


12. Security

Sandelia implements appropriate technical and organisational measures, including:

  • encryption of communications (TLS/HTTPS);
  • access control and rights management;
  • logging and monitoring;
  • backups and recovery procedures.

Two-factor authentication (2FA/MFA) is not yet active but is planned for future implementation.


13. Rights of data subjects

In accordance with the GDPR, you have the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to object;
  • right to data portability (where applicable);
  • right to withdraw consent.

Requests may be addressed to info@sandelia.be.
Proof of identity may be requested.

Supervisory authority

Belgium: Belgian Data Protection Authority (DPA/APD).


14. Communications and newsletters

Sandelia sends:

  • transactional emails (account, billing, security) via providers such as AWS SES or SendGrid;
  • newsletters via Mailchimp, with the possibility to unsubscribe at any time.

15. Amendments to this Privacy Policy

This Privacy Policy may be amended to reflect legal, technical or functional developments.
Material changes will be communicated via the website or the platform.


16. Governing law

This Privacy Policy is governed by Belgian law.
The courts of Brussels shall have jurisdiction.

© 2026 Sandelia. All rights reserved.