1. Data controller and scope
The data controller is Soolve.
This notice applies to processing activities carried out through the website, contact forms, demo booking flow, and opt-in/unsubscribe links sent by email.
2. Categories of personal data
We only process data required to handle commercial, operational, and security-related requests.
- Identity and contact data submitted in forms: first name, last name, email, company, role, phone, message, and area of interest.
- Booking data: date, time, and optional note used to organize demo appointments.
- Strictly necessary technical security data: IP address and user-agent used in a limited way for anti-spam and rate-limiting controls.
- Technical session and language-preference data through strictly necessary cookies (see Cookie Policy).
3. Purposes and legal bases
Processing is performed for specific purposes and under GDPR-compliant legal bases.
- Managing requests submitted by users and pre-contractual communications (Art. 6(1)(b) GDPR).
- Operational handling of bookings and related follow-up interactions (Art. 6(1)(b) GDPR).
- Service security, abuse prevention, spam mitigation, and API protection (Art. 6(1)(f) GDPR - legitimate interest).
- Managing opt-in and unsubscribe links with signed tokens for user-requested communications (Art. 6(1)(b)/(f) GDPR).
4. Processing methods and security measures
Data is processed using electronic tools, following minimization, integrity, and confidentiality principles.
We apply defense-in-depth controls: server-side validation, HMAC-signed protection cookies, origin checks, honeypot fields, time-trap checks, and rate limiting.
We do not sell personal data and we do not share it for profiling or advertising purposes.
5. Recipients and processors
Data may be processed by technical providers required to operate the service, appointed as processors where applicable.
- Hosting and application infrastructure providers.
- Microsoft Graph for transactional email delivery and booking calendar operations.
- Upstash Redis (when configured) for technical rate-limiting only.
6. Data retention
We retain data for periods proportionate to each purpose and minimize technical retention windows.
- Contact/booking form data: retained for the time needed to handle the request and related pre-contractual/commercial follow-up.
- Technical anti-spam/rate-limit data: short technical window, typically a few minutes.
- Opt-in/unsubscribe signed tokens: maximum validity 7 days.
- Cookie '__soolve_api_sig': short technical lifetime (about 5 minutes).
- Cookie 'soolve_locale': up to 12 months.
7. Data subject rights
Data subjects may exercise GDPR rights under Articles 15-22: access, rectification, erasure, restriction, objection, and portability where applicable.
Data subjects may also lodge a complaint with their competent supervisory authority.
8. Transfers outside the EEA
When a provider involves transfers outside the EEA, we rely on appropriate safeguards under GDPR (such as standard contractual clauses) and reasonable technical controls.
9. Policy updates
We may update this notice to reflect legal or technical changes. The version published on this page is always the current one.
Privacy contact
For privacy requests, data subject rights, or deletion requests, contact:
Email: info@soolve.it