Loading…
Legal

Privacy Policy

Effective December 5, 2025. This statement describes how IndexBox S.a r.l. (controller), 29 Boulevard Grande-Duchesse Charlotte, L-1331 Luxembourg, collects and processes personal data in line with the EU GDPR.

1. Data controller & scope

IndexBox S.a r.l. is the controller for personal data obtained through the website, web application, APIs, and customer support. Payments are processed via Stripe Payments Europe, Ltd. acting as our processor. This policy applies to trial users, paying customers, invited collaborators, and website visitors.

2. Data we collect

  • Account data: name, email address, phone numbers, organisation details, plan selections, and billing contacts provided during signup or onboarding.
  • Usage & telemetry: login timestamps, IP address, device/browser characteristics, API usage, and workspace actions needed to secure the service and enforce limits.
  • Payment data: last four digits of cards, billing country, tax identifiers, and invoice history recorded by Stripe. Full payment credentials are stored only by Stripe.
  • Content: documents, comments, metadata, and analytics you upload to the workspace.

3. Purpose & legal basis

We process personal data to deliver contracted services (Art. 6(1)(b) GDPR), comply with legal/risk obligations such as sanctions screening and tax rules (Art. 6(1)(c)), and pursue legitimate interests such as platform analytics, fraud prevention, and product communications (Art. 6(1)(f)). Marketing emails rely on consent (Art. 6(1)(a)) and may be withdrawn at any time.

4. Sharing, transfers & retention

Personal data is shared only with vetted sub-processors (hosting, monitoring, email, payments, CRM) under written agreements. Where data is transferred outside the EEA, we rely on EU Standard Contractual Clauses. Active customer data is retained for the duration of the subscription and archived for up to 12 months for audit and disaster recovery before deletion.

5. Your rights

  • Request access, correction, portability, or deletion of your personal data.
  • Object to processing based on legitimate interests or restrict specific processing activities.
  • Submit complaints to the Luxembourg CNPD if you believe your data protection rights are infringed.

Requests can be sent to tenders@indexbox.io. We will respond within one month.

6. Contact

Data Protection Officer: tenders@indexbox.io — IndexBox S.a r.l., 29 Boulevard Grande-Duchesse Charlotte, L-1331 Luxembourg.