Beebole Privacy Policy
1. Who we are and scope
This Privacy Policy explains how Beebole s.r.l. (“Beebole”, “we”, “us”, “our”) collects, uses, and protects personal data.
It applies to:
our website — beebole.com (including the help documentation at beebole.com/help); and
our services — the Beebole time-tracking and planning application and related offerings (together, the “Offerings”).
Controller identity and contact.
Beebole s.r.l.
Brussels, Belgium
Email: legal@beebole.com
Two distinct roles. Beebole acts in two capacities, depending on the data:
Controller — for our own employee data, account/registration data of the people who administer or contact us, and website-visitor data. This Privacy Policy governs that processing.
Processor — for Customer Data (timesheets, absences, project records, and other data submitted into the Offerings) that we process on behalf of our business customers, who are the controllers of that data. Our processing of Customer Data is governed by our Data Processing Agreement (DPA) and the customer’s instructions, not by this Privacy Policy. Where this Policy describes Customer Data (for example, hosting location and retention), it does so for transparency only.
2. Data Protection Officer and contact
Beebole has appointed an external (outsourced) Data Protection Officer (DPO). You may contact our DPO directly at dpo@beebole.com on any matter relating to the processing of your personal data or the exercise of your rights.
For general questions about this Policy, you may also contact us at legal@beebole.com.
3. Personal data we collect
Registration and contact data — username, name, email address, postal address, phone number.
Payment data — billing identifiers and payment-method details, collected and processed directly by our payment processor (see Section 7). We do not receive or store full payment-card numbers.
Technical and usage data — IP address, date and time of access, browser, operating system, device information, and modules used; collected via cookies and similar technologies. This technical/usage data is automatically deleted from our systems after 90 days.
Website-interaction and product-analytics data — how visitors and users interact with our websites and application, collected via our product-analytics provider, PostHog (see Section 8). In the application, this tracks signed-in users to operate and improve the Service; on our commercial website, it runs only after consent. Session replay is not enabled.
Customer Data — data submitted into the Offerings by or on behalf of a business customer (including data about that customer’s end users/employees, such as recorded hours and absences). We process this as a processor, on the customer’s instructions, under the DPA.
4. Purposes and legal bases
We process personal data for the purposes below. For each, the GDPR Art. 6 legal basis (and, where relevant, Art. 9 condition) is stated.
| Purpose | Personal data | Legal basis |
|---|---|---|
| Provide, maintain, and operate the Offerings and websites | Registration/contact, technical/usage | Contract (Art. 6(1)(b)) — necessary to perform our agreement with you or take pre-contract steps |
| Account administration, authentication, and security | Registration/contact, technical/usage | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) — securing the Offerings and preventing abuse |
| Process payments and billing (incl. e-invoicing) | Payment, billing-identity | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) — invoicing, tax, and accounting duties |
| Customer support | Registration/contact, technical/usage | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| In-app product analytics — operate and improve the Service (signed-in users only) | Technical/usage, product-analytics | Legitimate interests (Art. 6(1)(f)) — understanding and improving how the Service is used. This first-party analytics runs only behind login for signed-in users and is not gated by a cookie-consent banner. |
| Commercial-website analytics | Technical/usage, product-analytics | Consent (Art. 6(1)(a)) — on our commercial website, our analytics provider (PostHog) runs only after you consent via the cookie banner. See the Cookie Policy. |
| Service and security communications | Registration/contact | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| Marketing communications (newsletters/promotions) | Registration/contact | Consent (Art. 6(1)(a)), withdrawable at any time |
| Comply with legal obligations and respond to lawful requests | As relevant | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | As relevant | Legitimate interests (Art. 6(1)(f)) |
Where we process Customer Data as a processor, the legal basis is determined by our business customer (the controller); Beebole processes it only on documented instructions under the DPA. Customer Data may include special-category data (for example, absence/leave records that can reveal health information); processing of such data is the controller’s responsibility, supported by Beebole’s heightened safeguards under the DPA (GDPR Art. 9).
5. Whether providing data is required
Providing registration, contact, and payment data is a contractual requirement necessary to create an account and use the Offerings. If you do not provide it, we cannot establish or maintain your account or provide the Offerings. Marketing-communication data is optional and based on consent; declining it does not affect your use of the Offerings.
6. Retention
We keep personal data only as long as necessary for the purposes above, then delete or anonymize it.
Technical / usage data: 90 days
Logs: 90 days
Backups: 30 days
Account and registration data: retained while your account exists (including after a subscription lapses, so you can return and reactivate); deleted when you choose to delete your account, subject to statutory retention (e.g., billing/accounting — see below)
Customer Data (including audit trails): retained while your account exists (including after a subscription ends, so you can return and reactivate); you can delete it at any time, and on termination, it is deleted or returned at the customer’s election per the DPA — we do not automatically delete it
Statutory retention carve-out. Notwithstanding the shorter periods above, account, billing, and invoice data are retained for 10 years where required to meet Belgian tax and accounting law. This statutory obligation overrides the shorter deletion periods for the data concerned.
7. Payments
Payment-card details are collected and processed directly by our payment processors. We never receive or store your full payment-card information. Under the new platform (V2), payments are processed by Stripe (EU-hosted); under the legacy platform (V1), during coexistence, payments are processed by Adyen. Our payment processors maintain PCI-DSS compliance.
8. Sub-processors
We use a limited set of vetted sub-processors to operate the Offerings. We currently run two platforms in parallel during a coexistence period: the legacy platform (V1 — Linode hosting, Adyen payments) and the new platform (V2 — Google Cloud hosting, Stripe payments). Both are described concurrently.
Our key sub-processors for Customer Data include Google Cloud (hosting, logs, backups, audit trails), Stripe (V2 payments), Intercom (support), PostHog (product analytics — this processes personal data; session replay is not enabled), Factures.com (PEPPOL e-invoicing — customer billing identities), and n8n Cloud (billing-system sync). During coexistence, Linode (hosting) and Adyen (payments) remain in use for V1.
PostHog operates in two distinct contexts. Inside the application, PostHog provides product analytics for signed-in users only, to operate and improve the Service; this first-party, behind-login analytics relies on our legitimate interests (Art. 6(1)(f)) and is not gated by a cookie-consent banner. On our commercial website, PostHog runs only after you consent through the cookie banner (see the Cookie Policy and Section 14). Session replay is not enabled in either context.
Separately, our website uses Vercel (marketing-website hosting) and Mintlify (beebole.com/help documentation). These do not host Customer Data.
For the current, complete list and details, see the Sub-processor List. We give advance notice of changes to sub-processors and customers may object on reasonable grounds, as set out in the DPA.
9. Sharing personal data
We share personal data only as needed:
with the sub-processors described above and in the Sub-processor List;
where required to comply with law or respond to lawful requests, and to protect against fraud and security threats;
in a merger, acquisition, or sale of assets (subject to this Policy);
with your consent.
We do not sell personal data and do not share it for advertising. Aggregated or anonymized data that does not identify you may be shared.
10. International transfers
EU customers’ Customer Data stays in the EU. Under the new platform (V2), Customer Data of EU companies is hosted on regional Google Cloud servers in the EU and does not transfer to the United States. Customer Data of US companies is hosted on US servers.
The only elements that may involve an EU→US transfer are (i) legacy US-hosted logs and audit trails, and (ii) the data of US customers. Where personal data is transferred outside the EEA, we rely on the EU-US Data Privacy Framework (for certified recipients) and, as a backstop, the EU Standard Contractual Clauses together with appropriate supplementary measures.
Beebole may access and process personal data from Belgium, Spain, and the United States in the course of operating the Offerings.
11. Automated decision-making
Beebole does not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22).
12. Your rights
Subject to GDPR conditions, you have the right to:
access your personal data (Art. 15);
rectify inaccurate or incomplete data (Art. 16);
request erasure (“right to be forgotten”) (Art. 17);
request restriction of processing (Art. 18);
data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20);
object to processing based on legitimate interests, and to object to direct marketing at any time (Art. 21);
withdraw consent at any time, where processing is based on consent, without affecting prior processing (Art. 7(3)).
To exercise these rights, contact legal@beebole.com. We may need to verify your identity and may decline manifestly unfounded or excessive requests. Where you are an end user/employee of a Beebole business customer, your data is processed on that customer’s instructions; we will refer your request to the relevant customer (controller) or assist them in responding.
13. Right to lodge a complaint
You may lodge a complaint with a supervisory authority. Beebole’s lead authority is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit — APD-GBA), Rue de la Presse 35, 1000 Brussels (autoriteprotectiondonnees.be). You may also lodge a complaint with the supervisory authority in your own country of residence or work.
14. Cookies
We use cookies and similar technologies for essential operation, security, support, and product analytics. On our commercial website, non-essential analytics (PostHog) run only after you consent via the cookie banner. In-app product analytics for signed-in users operates on a legitimate-interests basis behind login and is not gated by the cookie banner. See our Cookie Policy for details and controls.
15. Security
We apply appropriate technical and organizational safeguards to protect personal data. Access is limited on a need-to-know basis, and data is encrypted in transit using TLS. Beebole is pursuing ISO 27001 and SOC 2 (in progress via Vanta); these are not yet achieved.
16. Changes to this Policy
We may update this Policy. We will post the new effective date and, for material changes, notify affected users by email or in-product notice.
17. Contact
Questions about this Policy or your personal data: legal@beebole.com.