Privacy policy

1. Who we are

Doqubox is a product of Aer Software Solutions BV, based in Amsterdam. For privacy questions, contact us at support@doqubox.com.

2. Scope and roles (users and external parties)

Doqubox is used by two groups: (a) users from customer organizations and (b) external parties, such as uploaders, recipients, and people submitting documents through request links.

Depending on the processing activity, Doqubox acts as:

• Controller for activities such as account management, billing, service security, abuse prevention, and legal compliance.
• Processor for process data related to document requests and transfers, processed on behalf of customer organizations under their instructions.

Where Doqubox acts as processor, the relevant customer organization is generally the controller for that processing.

3. Personal data we process

• Account and profile data (such as name, email address, role, and language).
• Authentication and security data (such as session data, IP address, and user agent).
• Email or SMS verification data (such as OTP challenges and verification status).
• Process data related to document requests and transfers (such as sender/recipient details, subject lines, status, request metadata, and transfer metadata), not the file content itself.
• Files, attachments, and related metadata.
• Billing and payment data needed for subscriptions and payments.
• Support communication and operational logs.

4. Purposes and legal bases

We process personal data to provide and secure the service, perform authentication and verification, provide support, manage billing, and comply with legal obligations.

Depending on context, we rely on:

• contract performance (GDPR Art. 6(1)(b)),
• legal obligation (GDPR Art. 6(1)(c)),
• legitimate interests (GDPR Art. 6(1)(f)),
• or consent where required (GDPR Art. 6(1)(a)).

5. Security and encryption

Doqubox applies security controls including encryption in transit and at rest, access restriction, and monitoring. Certain workflows support encrypted transfers with additional encryption metadata.

This does not mean every workflow is fully end-to-end encrypted in every situation.

More detail is available on our security page.

6. Recipients and subprocessors

We share personal data only where necessary to provide the service, for example with providers supporting storage, email, SMS verification, and payments.

You can find an up-to-date overview on our subprocessors page. For business customers, additional terms are available in our Data Processing Addendum (DPA).

7. International transfers

If personal data is processed outside the EEA, we apply appropriate safeguards under GDPR, such as an adequacy decision or Standard Contractual Clauses (SCCs), where required.

8. Retention

We apply retention periods by data category and purpose. Where relevant, retention is linked to security, operational necessity, and legal obligations (for example accounting requirements).

For data processed by us as a processor, retention generally follows customer instructions and contractual terms.

See the retention page for a practical overview of current retention categories.

9. Your rights

Depending on context, you may have rights of access, rectification, erasure, restriction, objection, and portability, and the right to lodge a complaint with your supervisory authority.

Where Doqubox acts as a processor, requests should generally be addressed first to the relevant customer organization as controller. We support our customers as required by law.

10. Changes

We may update this privacy policy. The latest version is always available on this page.