Privacy Notice
booq — operated by Pacioli Tech BV · Version 1.0 · Effective date: 25 June 2026
This Privacy Notice explains how booq ("we", "us") processes personal data, the rights you have, and how to contact us. It covers personal data for which booq is the controller — primarily the account and authentication data of the people who use the booq application, and visitors to our website. For the financial and personal data that our customers (Financial Due Diligence firms) upload or connect to the platform, booq acts as a data processor on the customer's behalf; that processing is governed by our customers' own privacy notices and our Data Processing Agreement (DPA) with them — see "booq as a processor" below.
1. Who we are
booq is a multi-tenant Financial Due Diligence (FDD) platform, operated by Pacioli Tech BV. For the personal data described in §3, booq is the data controller. Our Security / Data Protection contact is Stephen Huang — stephen@booq.finance.
2. Scope
This notice applies to:
- Application users — staff of our customers who sign in to the booq application (account and authentication data, and usage/security logs).
- Website visitors — people who visit our public website.
It does not govern the client/engagement data that customers process through booq — for that, booq is a processor (§7).
3. Personal data we process (as controller)
- Account & identity data — name, work email address, authentication identifiers, profile attributes (e.g. role/seniority), and the customer organisation you belong to.
- Usage & security data — sign-in events, application and security logs, correlation identifiers, and technical metadata needed to operate and protect the service.
- Website data — standard server logs and, where used, cookies/analytics (see §9).
- Support communications — information you provide when you contact us.
We do not intentionally collect special-category data for these purposes, and we apply data minimisation — only what is needed to provide and secure the service.
4. Why we process it, and our legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the application (authentication, access) | Performance of a contract / legitimate interests |
| Secure the service (logging, monitoring, abuse/fraud prevention) | Legitimate interests |
| Support and communications | Legitimate interests / performance of a contract |
| Comply with legal obligations | Legal obligation |
We never sell personal data, never share it except with the sub-processors in §6, and never use customer or personal data to train AI models. There is no secondary or incompatible use.
5. Where your data is held (residency)
booq is EU-resident by design. The service and its data run within the EU/EEA — Microsoft Azure in France Central and Belgium Central (geo-redundant copy in France South) and an EU identity tenant. Where a sub-processor entails a transfer outside the EEA, appropriate safeguards (Standard Contractual Clauses) are in place (§8).
6. Sub-processors
We use a defined set of sub-processors to deliver the service; each is bound by a data-processing agreement with EU residency / SCCs as applicable:
| Sub-processor | Purpose |
|---|---|
| Microsoft Azure | Cloud hosting & storage (EU) |
| Auth0 (Okta) | Authentication / identity (EU tenant) |
| Cloudflare | Edge security, DNS, WAF/DDoS |
| SendGrid | Transactional email |
A current list is maintained in our Sub-processor Register, available to customers on request.
7. booq as a processor (client/engagement data)
When our customers upload or connect financial data (which may contain personal data of their own clients), booq processes that data only on the customer's documented instructions and solely for the contracted FDD purpose, under a Data Processing Agreement. For that data the customer is the controller; data subjects should direct requests to the relevant customer, and booq assists the customer in fulfilling them.
8. International transfers
Personal data is kept in the EU/EEA. Where any sub-processor involves a transfer to a country without an EU adequacy decision, the transfer is protected by Standard Contractual Clauses and supplementary measures as appropriate.
9. Cookies & analytics
booq does not use advertising, tracking, or third-party analytics cookies — on either the public website or the application. The application uses only strictly-necessary technical cookies/storage required for authentication and security (e.g. maintaining session integrity); these are essential to provide the service and do not require consent. No non-essential cookies are set, so no cookie-consent banner is required.
10. Retention
We retain account and security data for as long as the related customer relationship is active and as required to operate and secure the service, then delete or anonymise it in line with our retention schedule and legal obligations. Client/engagement data is retained and deleted per the customer's instructions and the DPA.
11. How we protect personal data
booq enforces multi-tenant isolation on every data path, encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege access with multi-factor authentication, and edge protection. Full details are in booq's Information Security Policy (available to customers on request).
12. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and to data portability. To exercise a right, contact stephen@booq.finance; we respond within the timeframes required by law. If you are an application user provided by a customer organisation, you may also contact that organisation. You have the right to lodge a complaint with your supervisory authority.
13. Changes to this notice
We may update this notice; the current version and effective date are shown in the header, and material changes are communicated as appropriate.
14. Contact
Stephen Huang — Security / Data Protection contact.