Arbeitly
Arbeitly

Privacy Policy

Last updated: March 1, 2026

1. Introduction

Welcome to Arbeitly ("we", "us", or "our"). We operate the invoicing and business management platform available at arbeitly.com (the "Service"). We are committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.

This Privacy Policy describes what data we collect, why we collect it, how we use it, and your rights regarding that data. By using the Service, you agree to the terms of this Policy.

2. Data Controller

Syscobyte AB is the data controller for personal data processed through this Service. If you have any questions about data processing, you can contact us at:

  • Email: privacy@arbeitly.com
  • Address: European Union

3. Data We Collect

3.1 Account Data

When you register, we collect:

  • Full name and email address
  • Password (stored as a secure bcrypt hash — never in plain text)
  • Profile information (business name, address, VAT number)
  • OAuth identifiers if you sign in via Google

3.2 Business Data

To provide the invoicing service, we store:

  • Client names, email addresses, and postal addresses
  • Invoice data: line items, amounts, VAT rates, payment status
  • Job and project records, time entries, and resource information
  • Uploaded contract files and attachments

3.3 Usage Data

We automatically collect limited technical data when you use the Service:

  • IP address (for rate limiting and security)
  • Browser type and operating system
  • Pages visited and actions taken (for error logging and analytics)
  • Timestamps of key actions (last login, invoice created, etc.)

3.4 Communication Data

If you contact us via the support form or email, we retain your messages to respond and improve our Service. If you subscribe to our newsletter, we store your email and subscription date.

4. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contractual necessity (Art. 6(1)(b)): Processing required to provide the Service you signed up for, including storing invoices, clients, and business data.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, error logging, and improving our platform.
  • Consent (Art. 6(1)(a)): Newsletter subscriptions and optional marketing communications — which you can withdraw at any time.
  • Legal obligation (Art. 6(1)(c)): Retaining financial records as required by applicable EU law.

5. How We Use Your Data

  • To create and maintain your account
  • To generate, store, and send invoices on your behalf
  • To authenticate you and protect your account (including 2FA)
  • To send transactional emails (password reset, email verification, invoice copies)
  • To respond to support requests
  • To detect and prevent fraud, abuse, or security incidents
  • To improve the Service through aggregated, anonymised analytics
  • To send newsletters if you have subscribed (with opt-out available in every email)

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with trusted processors under GDPR data processing agreements:

  • Hosting provider: Our servers are located in the European Union. Your data is stored in the EU.
  • Stripe: For subscription billing. Stripe is PCI-DSS certified. We do not store credit card details — these are handled entirely by Stripe.
  • Email delivery: Transactional emails are sent via a configured SMTP provider. Only recipient email and message content are transmitted.
  • Google (OAuth): If you sign in with Google, we receive your name, email, and profile picture from Google's OAuth service.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of a deletion request, subject to legal retention requirements.
  • Invoice data: Retained for 7 years to comply with EU accounting and tax regulations.
  • Error logs and security logs: Retained for 90 days, then purged.
  • Newsletter subscriptions: Retained until you unsubscribe. Unsubscribed records are deleted within 30 days.

8. Security

We implement appropriate technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+
  • Passwords are hashed with bcrypt (cost factor 12)
  • Sensitive keys (e.g., payment integration keys) are encrypted at rest using AES-256-GCM
  • Two-factor authentication (TOTP) is available and recommended
  • Access to production systems is restricted to authorised personnel
  • Regular security reviews and dependency updates

No method of transmission over the internet is 100% secure. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required by GDPR (within 72 hours).

9. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
  • Right to restriction (Art. 18): Request that we limit how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at privacy@arbeitly.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., your national data protection authority).

10. Cookies

We use only strictly necessary cookies to maintain your session and authentication state. We do not use advertising cookies or third-party tracking cookies. The cookies we set are:

  • next-auth.session-token: Secure, HTTP-only session cookie required for authentication. Expires on browser close or after 30 days.
  • __Secure-next-auth.callback-url: Stores the return URL during OAuth flows. Short-lived.

11. Children's Privacy

The Service is intended for use by businesses and is not directed at children under 16 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, please contact us immediately.

12. International Data Transfers

Your data is stored and processed within the European Union. We do not transfer personal data outside the EEA except where required (e.g., Google OAuth), in which case we rely on adequacy decisions or Standard Contractual Clauses as permitted by GDPR Chapter V.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify registered users via email if the changes are material. Continued use of the Service after such notice constitutes acceptance of the updated Policy.

14. Contact Us

For privacy-related questions or to exercise your rights, contact us at: