Privacy Policy

Updated: 17 Feb 2026

Scope

This privacy policy applies to the marketing website https://sandbank.cloud as well as the Sandbank web application (app), opt‑in features (waitlist, newsletter, product updates, discounts, blog updates) and our internal admin area (Admin Console).

We process data in accordance with the GDPR and applicable e‑privacy rules (e.g. TDDDG).

The website is aimed exclusively at businesses.

Roles in B2B SaaS (controller / processor)

Sandbank is a B2B SaaS application. Depending on the processing activity, we act either as controller or as processor.

  • As controller we process account, security, billing and support data that is required to provide and operate the service.
  • For data that customers connect or upload to Sandbank (“Customer Content”), the customer typically acts as controller. We process such data as a processor under a DPA (Art. 28 GDPR).

Data subject rights note: If your data is included in a customer’s Customer Content (e.g. as an employee), please contact the respective customer (e.g. your employer). For requests about your Sandbank account data you can use the DSAR features in the in‑app privacy panel or contact us (support@sandbank.cloud).

1. Controller

Zweigen

Paul Zehm (sole proprietorship)

Koberg 20

23552 Lübeck

Germany

support@sandbank.cloud

0151 / 207 73 290

2. Data Protection Officer

No DPO appointed (not legally required).

3.1 Requirement to provide data

Some data is required to provide certain functionality:

  • Account/sign-in: without a business email and required authentication data we cannot provide an account.
  • Billing: without contract and invoice data (e.g. company name, billing address; VAT ID where provided) we cannot correctly bill paid services.
  • Optional: consent-based web analytics (PostHog) and newsletter/opt-in require your consent; the service can generally be used without giving it.

4. Hosting, security, server & WAF logs

Our website servers run in European data centres provided by OVHcloud S.A.S. (EU). Domain management and our email inboxes are provided by mittwald CM Service GmbH & Co. KG (Germany/EU).

We use an OVHcloud load balancer with Web Application Firewall (OWASP CRS) plus self‑hosted observability (OTEL/SigNoz, EU) and a dedicated Redis database for rate‑limits (EU).

4.1 Processed log data (site + /api/public/opt-in)

When visiting our website and API we process:

  • IP address
  • date and time
  • hostname, path, HTTP method, HTTP status
  • user‑agent, referrer (if any)
  • request/trace ID, rate‑limit decision
  • no request bodies

Purposes: delivery, stability, security, abuse detection, rate‑limits.

4.2 Storage locations & retention

System | Retention | Location
OVHcloud web server/WAF | 14 days | EU
Observability (OTEL/SigNoz) | 7 days | self‑hosted, EU
Redis rate‑limits | short‑lived | self‑hosted, EU
Mittwald mail/domain logs | provider default (short-term technical logging) | EU (Germany)

IP addresses are not anonymized but used exclusively for security and operational purposes.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests: stability, security, abuse prevention).

5. TLS/SSL

Transport encryption according to current best practice.

7. Cookies & local storage (marketing site)

7.1 Essential cookies

  • klaro – stores consent status (365 days).
  • WAF security cookie (OVHcloud) – attack detection, ~30 minutes.
  • No session/CSRF cookies for opt‑in (stateless API).
  • PostHog cookies/storage (consent-based, see section 8): pseudonymous IDs, events, technical data.

7.3 Cookies/storage in the app (essential)

For login and security of the Sandbank app we use essential cookies. They are required to provide the service you explicitly requested.

  • app session cookie (__Host-sandbank.session-token, up to 4 hours)
  • device identifier (__Host-sandbank.device-id, up to 180 days)
  • CSRF protection (e.g. __Host-sandbank.csrf-token and __Host-sandbank.csrf-bff-token)
  • language/locale (sandbank.locale)

Cookie names, lifetimes and categories are listed in the cookie overview (annex).

8. Web analytics (PostHog, self‑hosted in the EU)

We process pseudonymous IDs, events, and technical data. No third‑country transfers. Session replay is disabled by default. Event retention: up to 180 days.

Legal basis: consent (Art. 6(1)(a) GDPR; applicable e‑privacy rules).

You can withdraw consent at any time via the cookie settings.

9. Waitlist, newsletter, product updates

Public API /api/public/opt‑in processes:

  • email address, optional name, locale
  • preferences (categories), UTM parameters, path/referrer
  • double‑opt‑in token (hash only), DOI status
  • worker/job metadata (PgBoss), delivery status at the mail service

Store | Purpose | Location
Marketing Postgres (dedicated) | opt‑in data, preferences, DOI status | EU
Redis (dedicated) | rate‑limits for public API | EU
PgBoss queue/worker | DOI sending, cleanup jobs | EU
SMTP – Brevo | sending DOI and marketing emails | EU region

  • Brevo: no open/click tracking enabled.

Legal basis: consent (Art. 6(1)(a) GDPR); proof/blacklist: Art. 6(1)(f) GDPR.

Retention: active subscriptions remain stored until withdrawn/unsubscribed. After unsubscribing, we delete email/name (PII) and keep only pseudonymous DOI proof (e.g. email hash, timestamps, status) for up to 3 years.

9.1 App & integrations (data sources, OAuth)

The Sandbank app allows you to connect external data sources (integrations) via OAuth2 to build BI analytics and dashboards.

Core principles: tokens are processed server-side only, stored encrypted, and never exposed to the browser. Provider API calls are executed server-side only via allow-listed egress destinations.

Important: For OAuth integrations you are redirected to the respective provider (e.g. Google/LinkedIn) for authentication/authorization. Those providers process your data as independent controllers. Sandbank processes OAuth-derived data only to deliver the requested product functionality.

Processed data (typically)

  • OAuth tokens (access/refresh/expiry), stored encrypted
  • account/provider identifiers (e.g. providerSubject) and resource IDs (e.g. property/site/account)
  • aggregated metrics and optional dimension slices as BI read-models (no tokens, no secrets)

Deletion on disconnect (full purge)

When you disconnect an integration, we start an async purge job and delete the related tokens, bindings, discovery snapshots/indexes, and all derived analytics data (full purge), unless statutory retention obligations apply. Depending on data volume, deletion may take a few minutes.

Integrations overview (incl. planned)

Additional integrations may be planned and will only be activated after approval/terms review.

Integration | Status | Data | Retention | Notes | Deletion
Google Ads (google-ads) | available (app) | OAuth tokens (encrypted), resource IDs (customer), aggregated ads metrics/dimension slices (no creatives) | snapshots/index short-lived; analytics read-models per granularity (hour/day/week/month; see policy) | provider calls server-side only; allow-listed egress; no storage of ad texts/assets | disconnect starts an async full purge (tokens, bindings, snapshots/index, analytics data), unless legal retention duties apply
Google Analytics 4 (google-analytics) | available (app) | OAuth tokens (encrypted), resource IDs (property), aggregated metrics/dimension slices (BI read-models) | snapshots/index short-lived; analytics read-models per granularity (hour/day/week/month; see policy) | provider calls server-side only; allow-listed egress; no tokens in client | disconnect starts an async full purge (tokens, bindings, snapshots/index, analytics data), unless legal retention duties apply
Google Business Profile (google-business) | available (app) | OAuth tokens (encrypted), resource IDs (location/account), aggregated metrics (no review texts stored) | snapshots/index short-lived; analytics read-models per granularity (see policy) | only derived time series metrics are persisted; no content/review texts | disconnect starts an async full purge (incl. tokens, snapshots/index/analytics), unless legal retention duties apply
Google Search Console (google-search-console) | available (app) | OAuth tokens (encrypted), resource IDs (site), aggregated SEO metrics (optional: potentially sensitive dimensions like query/page) | snapshots/index short-lived; analytics read-models per granularity (see policy) | dimensions like query/page may contain sensitive strings and are not processed by default | disconnect starts an async full purge (incl. tokens, snapshots/index/analytics), unless legal retention duties apply
LinkedIn (Ads) (linkedin-ads) | planned | OAuth tokens (encrypted); no discovery/analytics storage without approval | tokens until disconnect; discovery/index/analytics disabled by default (tokens-only) | additional terms/program approval required; without approval analytics/discovery remain disabled | disconnect starts an async full purge; while tokens-only is active this typically affects tokens only; once enabled it also covers snapshots/index/analytics
LinkedIn (Organic) (linkedin-organic) | planned | OAuth tokens (encrypted); no discovery/analytics storage without approval | tokens until disconnect; discovery/index/analytics disabled by default (tokens-only) | LinkedIn API/portability terms may add constraints (e.g. retention limits, “no mixing”) | disconnect starts an async full purge; while tokens-only is active this typically affects tokens only; once enabled it also covers snapshots/index/analytics

9.2 Billing & accounting

For billing and statutory obligations we process contract and invoice data (e.g. company, contact person, billing address, VAT ID where provided). Payment processing may be handled via Mollie; we do not store full card/bank details in our systems.

Retention: invoices and accounting evidence are typically retained for 10 years (statutory retention).

9.3 Retention, backups, deletion (app)

We store personal data only as long as required for the respective purposes or as required by law. For the app, technical backup retention also applies.

Area | Retention (typical) | Notes
Account deletion request (DSAR) | 30 days (grace period) | Account is blocked immediately; final purge follows after retention unless legal hold applies.
Backups | 30 days | Backups cannot be selectively purged; deletions only take effect in backups after retention expires.

9.4 Admin area (internal)

For operations, support, and administration we use an internal admin area (Admin Console). Access is restricted to authorized personnel only and protected by technical controls (e.g. access-restricted network environment, rate-limits) as well as authentication and role-based access control (RBAC).

Processed data

  • Admin account: user ID, email address, roles/permissions, session key, MFA claims (as provided by the IdP).
  • Tenant & user administration: organization/tenant IDs, user IDs, invites (email, role, status, timestamps, invitedBy/revokedBy), suspension/deactivation reasons (if provided).
  • Support inbox: support case IDs, organization reference, requester email address, status/category, snippets and reply texts; where applicable ticket references (e.g. Zammad ticket ID/link).
  • Marketing/opt‑in administration: opt‑in status/preferences, sending status (outbox), template key, delivery status (no open/click tracking).
  • API keys (admin): name, prefix, permissions, rate-limits, expiration (plain key only on issuance).
  • Technical & audit data: IP address, user‑agent, request ID, timestamps, actions/resources (audit logs).

Cookies/storage (admin area)

The admin area uses essential, host-only cookies/storage keys for authentication and session security (session, CSRF, device identifier). Cookie/storage details for public surfaces (marketing site + app) are listed in the cookie overview (annex).

Legal bases: Art. 6(1)(b) GDPR (contract performance/support) and Art. 6(1)(f) GDPR (operations, security, abuse prevention, auditability). Where required, legal obligations may apply as well (Art. 6(1)(c) GDPR), e.g. compliance/retention duties.

Recipients/processors: ZITADEL (authentication/IdP), OVHcloud (hosting) and – where applicable – ticketing (self-hosted; tool: Zammad). No marketing analytics/tracking is performed in the admin area.

Note: The admin area is an internal area for employees/operators and not intended for customers/end users.

9.5 Indirect data collection (Art. 14 GDPR)

Some personal data is not collected directly from you, but comes from customer contexts or connected providers.

  • Customer Content: data processed by a customer in Sandbank is provided to us by that customer.
  • Integrations/OAuth: after your authorization, connected providers (e.g. Google/LinkedIn) deliver data to our server-side interfaces.
  • System events: audit, security and workflow metadata is generated technically during service usage.

Where Art. 14 GDPR applies, we provide transparent information on categories, purposes, recipients and retention periods. For customer content, the respective customer is typically responsible for primary notice.

10. Contact via email/phone

Data: name (if provided), email address, content, meta/header data.

Recipient: our email provider mittwald CM Service GmbH & Co. KG (Germany/EU).

Storage: until completion of the request and up to 12 months thereafter unless longer statutory retention applies.

Legal basis: Art. 6(1)(b) GDPR (contract/pre-contract) and Art. 6(1)(f) GDPR (legitimate interest in replying to requests).

12. No external embeds

  • no videos
  • no maps
  • no chat widgets
  • no social plugins

13. Data subject rights

  • access
  • rectification
  • erasure
  • restriction
  • data portability
  • objection
  • withdraw consent

How to exercise rights: In the app, the privacy panel provides DSAR features for data export and account deletion. You can also contact us via email: support@sandbank.cloud.

If your data is included in a customer’s Customer Content, please direct requests to the respective customer as controller, as we usually cannot associate data subjects without a customer reference.

14. Third-country transfers and safeguards

Sandbank is operated in the EU by default. For specific integrations, provider-side processing outside the EU/EEA may still occur.

  • Where an adequacy decision of the EU Commission exists, we rely on that transfer mechanism.
  • Otherwise we rely on EU Standard Contractual Clauses (Art. 46 GDPR) and supplementary technical/organizational safeguards.
  • The exact transfer scenario depends on the connected provider and its product configuration.

We provide additional details on transfer safeguards on request (support@sandbank.cloud).

15. Complaint

You may lodge a complaint with a supervisory authority. The authority competent for our company is the Independent State Centre for Data Protection Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.

16. No automated decision‑making

No profiling, no automated decisions.

17. Changes to this policy

We update this policy when services, legal requirements or technical processes change. The current version is always available on this page.

18. Annex – subprocessors

Subprocessors process personal data on our behalf where necessary for hosting, operations and support. At this time, we only use subprocessors located within the EU.

Subprocessor | Service | Location | Notes
OVHcloud S.A.S. | Hosting (compute, load balancer, WAF) | EU | 
mittwald CM Service GmbH & Co. KG | DNS, mailboxes (MX/IMAP) | Germany/EU | 
Brevo (Sendinblue GmbH / Brevo) | Email delivery (opt-in/newsletter) | EU | No tracking pixels; restricted sender setup

19. Annex – processing overview

Processing | Purpose | Data | Legal basis | Recipients | Third country | Transfer mechanism / safeguards | Retention
Server/WAF logs | Security, operation, rate-limits | full IP, time, host, path, method, status, user-agent, referrer (if any), request/trace ID, RL decision | Art. 6(1)(f) GDPR | OVHcloud, OTEL/SigNoz (self-hosted) | no | No third-country transfer planned | 14 days (OVH), 7 days (observability)
Consent management | Manage consent | consent status, timestamp, browser ID | e-privacy; Art. 6(1)(c/f) GDPR | self-hosted | no | No third-country transfer planned | 365 days
PostHog (analytics) | Web analytics | pseudonymous IDs, events, technical data | Art. 6(1)(a) GDPR; e-privacy | self-hosted (OVH) | no | No third-country transfer planned | up to 180 days
Sandbank app - integrations (OAuth, data sources) | Connect data sources and provide BI analytics/dashboards | OAuth tokens (encrypted), account/provider identifiers, resource IDs, aggregated metrics/slices (read-models); no tokens in client | Art. 6(1)(b) GDPR (contract) and where applicable Art. 6(1)(f) GDPR (operations/security) | OVHcloud (hosting) and connected data providers (see integration overview in privacy policy) | provider-dependent | Where providers process outside EU/EEA: adequacy decision or EU Standard Contractual Clauses (Art. 46 GDPR) plus supplementary safeguards | tokens until disconnect; snapshots/index short-lived; analytics read-models: hourly 14 days, daily 2 years, weekly 5 years, monthly 5 years
Billing & accounting | Billing, contract administration, tax/legal obligations | invoice/customer data (company, address, VAT ID where provided), invoices, payment status/provider IDs; no full card/bank details stored in our systems | Art. 6(1)(b)/(c) GDPR | OVHcloud (hosting), payment provider (Mollie) where used | no | No third-country transfer planned | invoices/accounting: 10 years (statutory retention)
Backups | Operational resilience, disaster recovery | backups may include technical copies of production data (including personal data where present) | Art. 6(1)(f) GDPR | self-hosted (OVHcloud EU) | no | No third-country transfer planned | 30 days (rotation/overwrite); deletions only take effect in backups after retention expires
Opt-in / newsletter | DOI, delivery, preferences | email (encrypted), optional name (encrypted), categories, UTM, DOI token hash; after unsubscribe: pseudonymous proof only (email hash, status, timestamps), PII deleted | Art. 6(1)(a/f) GDPR | marketing Postgres, Redis RL, PgBoss, Brevo | no | No third-country transfer planned | active: until withdrawn; proof: 1095 days
Admin area (internal) | Operations, support, security, audit | admin account (ID, email, roles), tenant/user administration (IDs, invites), support cases (email, snippets/replies), technical data (IP, user-agent, request ID), audit logs | Art. 6(1)(b/f) GDPR | OVHcloud (hosting), ZITADEL (IdP), ticketing (self-hosted; tool: Zammad) | no | No third-country transfer planned | sessions up to 4h; audit logs as needed (typically short periods)
Contact via email/phone | Communication | contact details, content | Art. 6(1)(b/f) GDPR | Mittwald (email provider) | no | No third-country transfer planned | up to 12 months
Account deletion (DSAR) | Fulfill deletion requests and prevent abuse (subject to legal hold/retention duties) | deletion request status, audit/evidence, technical metadata; account is blocked immediately, final purge follows | Art. 6(1)(c)/(f) GDPR | OVHcloud (hosting) | no | No third-country transfer planned | finalization after retention/grace period (typically 30 days), unless legal hold applies