Privacy Policy

1. Scope

This Privacy Policy explains how Arisius Software processes personal data through the Arisius Software website, BPS Pro registration, BPS Pro desktop software, password reset, support communication, subscription administration, invoicing, file services, and connected services.

BPS Pro is offered only to businesses and professional users. Registration requires a valid VAT number belonging to, or legally represented by, the registering company. Company administrators are responsible for ensuring that the company and its users only enter and process data they are allowed to process.

2. Roles under GDPR

For website use, registration, account administration, billing, security, support, and our own legal obligations, Arisius Software acts as data controller.

For business data that a customer company enters into BPS Pro, such as customer and supplier records, invoices, uploaded documents, planning data, worker data, jobsite data, and similar operational records, the customer company is normally the controller and Arisius Software acts as processor. In that case we process the data to provide BPS Pro and related services to the customer company, subject to the Terms of Service and the customer's lawful instructions.

Arisius Software has not appointed a Data Protection Officer at this time. Privacy questions can be sent to the contact details above.

3. Data we process

Depending on how BPS Pro is used, we may process company details, VAT number, address, contact person details, account details, login details, subscription details, support messages, payment and invoicing information, Peppol identifiers, uploaded documents, application settings, and technical logs.

Registration can include company VAT number, country, company name, address, contact first name and last name, email address, phone number, email communication preference, password, verification code, acceptance records, submission time, and technical request information such as remote address.

Password reset can include email address, reset code, new password, request language, and technical request information. Verification and reset codes are short-lived and protected in hashed form where they are temporarily stored by BPS Pro services.

Website contact forms open the visitor's own email application with the entered name, email address, and message. We process that information only if the visitor chooses to send the email.

BPS Pro may process business records entered by the customer company or its users. Those records can contain personal data about employees, contractors, customers, suppliers, customer contacts, supplier contacts, and other business relations.

Technical data can include IP address, device or browser information, operating system, BPS Pro version, login attempts, security events, API logs, file transfer logs, error reports, diagnostics, and audit logs.

4. Purposes and legal bases

• Registration and account creation: to verify company eligibility, create the company account, create the first administrator, and start a trial. The legal basis is taking steps to enter into and perform a B2B contract, and our legitimate interest in preventing misuse.
• VAT validation: to check whether a VAT number is valid and available for registration. The legal basis is pre-contractual steps, legitimate interest, and, where applicable, legal and accounting obligations.
• Email verification and password reset: to secure accounts and verify access to an email address. The legal basis is contract performance and legitimate interest in account security.
• BPS Pro service delivery: to provide software access, synchronization, file services, support, updates, Peppol features, email sending, and related business workflows. The legal basis is contract performance for our customer relationship and, for customer-controlled business data, processing on the customer's instructions.
• Billing and subscriptions: to manage trials, subscriptions, invoices, payment status, taxes, and accounting. The legal basis is contract performance and legal obligation.
• Administrative and service messages: to send necessary account, security, subscription, and service communications. The legal basis is contract performance and legitimate interest.
• Optional marketing or non-essential email communication: to send information where a contact has chosen to receive it. The legal basis is consent where required, which can be withdrawn at any time.
• Security, abuse prevention, logging, diagnostics, and service reliability: to protect BPS Pro, customers, users, and infrastructure. The legal basis is legitimate interest and, where applicable, legal obligation.
• Legal compliance and dispute handling: to comply with accounting, tax, security, regulatory, or legal duties and to establish, exercise, or defend legal claims. The legal basis is legal obligation and legitimate interest.

5. Google Gmail access in BPS Pro

BPS Pro can let a user connect a Gmail mailbox so BPS Pro can send outgoing emails from that mailbox. This connection is optional and must be started by the user.

The Gmail permission used by BPS Pro is https://www.googleapis.com/auth/gmail.send. This permission is limited to sending email messages that the user chooses to send through BPS Pro.

BPS Pro does not use Gmail access to read, monitor, delete, analyze, or sell the inbox, sent folder, message lists, labels, contacts, existing mailbox attachments, or other Gmail mailbox content.

BPS Pro may also use the Google identity scopes openid, email, and profile to identify the connected Google account and show the connected mailbox email address or display name correctly in BPS Pro.

OAuth tokens are stored so the mailbox can remain connected, and they are used only to maintain the sending connection requested by the user. These tokens are protected with technical and organizational security measures.

Google user data is not sold, not used for advertising, profiling, credit decisions, data brokerage, or AI/model training, and not shared with third parties except as needed to send the selected email through Google/Gmail APIs or where legally required.

Users can remove the Gmail connection in BPS Pro or revoke access through their Google Account. After the connection is removed or revoked, OAuth tokens are deleted or invalidated and BPS Pro makes no further Gmail API calls for that mailbox.

BPS Pro's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Recipients and service providers

We use selected service providers to operate BPS Pro and the website. Depending on the feature used, data may be processed by hosting, storage, backup, security, email delivery, payment, Peppol, accounting, diagnostics, and support providers.

Payment and subscription information is processed through Stripe. Registration verification and password reset emails may be sent through Brevo. Optional Gmail sending uses Google APIs when enabled by the user. Electronic invoicing may use Qvalia and other Peppol or accounting service providers when enabled for a company. VAT numbers may be checked through VIES or other official VAT validation services.

We may also disclose data when required by law, to competent authorities, to professional advisers, or where necessary to protect rights, security, and legal interests.

7. Cookies and local storage

The public website is not intended to use advertising or behavioral tracking cookies. Technical logs may still be created by hosting and security systems to deliver the website and protect it.

Some pages use browser local storage or similar technology for functional reasons, such as remembering the selected registration language or, on mobile upload pages, saving the uploader's first and last name on that device so uploads can be labeled. These values are stored in the user's browser and can be cleared through browser settings.

If non-essential analytics, advertising, or tracking technologies are added later, we will update this policy and request consent where required.

8. International processing

Some providers may process data outside Belgium or the European Economic Area. Where GDPR requires safeguards for transfers outside the EEA, we rely on adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, or another valid GDPR transfer mechanism.

9. Security

We use technical and organizational measures intended to protect data against unauthorized access, loss, misuse, and alteration. These can include access control, encryption or protected storage for secrets and tokens, logging, backups, rate limiting, and separation of customer data where applicable.

No system can be guaranteed to be completely secure. Customers and users must also keep credentials secure, manage user access carefully, and notify Arisius Software promptly if unauthorized access is suspected.

10. Retention

We keep personal data only as long as needed for the purposes described in this policy, for the customer's BPS Pro account, for legal or accounting obligations, for security, for backup integrity, or for resolving disputes.

Email verification and password reset codes are temporary and normally expire after 15 minutes. Billing, invoice, accounting, and tax records may be kept for the legally required retention period, which can be up to 10 years for Belgian accounting and VAT purposes. Technical logs, audit logs, error reports, and registration records are kept as long as needed for security, diagnostics, administration, legal evidence, or service continuity and are then deleted or archived according to operational needs.

Customer business data in BPS Pro may be kept while the customer account remains active and for a reasonable period afterwards to allow export, deletion, legal compliance, dispute handling, and backup cleanup.

11. Your rights

Where GDPR applies and subject to its conditions, you may request access, rectification, erasure, restriction, objection, or portability of your personal data. Where processing is based on consent, you may withdraw that consent at any time without affecting processing that already took place lawfully before withdrawal.

You can contact us using the details above. We may need to verify your identity before handling a request. Where Arisius Software processes customer-controlled business data as processor, we may refer the request to the relevant customer company or handle it according to that company's instructions.

12. Complaint right

If you believe your personal data has been processed unlawfully, you can contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with a supervisory authority. In Belgium, this is the Gegevensbeschermingsautoriteit / Autorité de protection des données, Drukpersstraat 35, 1000 Brussels, www.gegevensbeschermingsautoriteit.be.

13. Automated decision-making

Arisius Software does not use website registration or BPS Pro account data for automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

14. Changes

We may update this Privacy Policy when our services, legal requirements, or processing practices change. The latest version is published on this page.