PRIVACY POLICY FOR THE CARBOOK CRM/ERP PLATFORM

Last Updated: July 1, 2026

This Privacy Policy (the "Policy") describes how Carbook Soft LLC (referred to as "Carbook Soft", "we", "us", or "our") processes personal data in connection with the use of our cloud-based CRM/ERP SaaS platform designed for car service stations (the "Platform").

This Policy applies exclusively to the authorized users of our Platform (our Business Customers and their personnel). Our public website (carbook.pro) and related marketing activities are governed by a separate privacy notice.

1. DATA CONTROLLER & CONTACT DETAILS

For the processing activities described in Section 3 of this Policy, Carbook Soft acts as an independent Data Controller under the General Data Protection Regulation (GDPR).

  • Full Legal Name: Carbook Soft LLC (ТОВ «Карбук Софт»)
  • Registered Address: Kharkivske Shose, 19, off. 2005, Kyiv, 02090, Ukraine
  • Registration Number (EDRPOU): 44322813
  • Data Privacy Email: [email protected] (Main contact point for data protection inquiries)

1.1 EU Representative (Art. 27 GDPR)

Since Carbook Soft is established outside the EU/EEA (in Ukraine) and offers services to customers in the EU, we have appointed an EU Representative. For any inquiries regarding GDPR and your privacy rights, you may also contact:

2. CARBOOK SOFT AS A DATA PROCESSOR (CRITICAL NOTICE)

Please note that when our Business Customers (car service stations / STO) use the Platform to manage their daily business operations, they upload personal data relating to their end-line clients (car owners, drivers) and their own workshop staff into the CRM.

With respect to such data, our Customer acts as the Data Controller, and Carbook Soft acts strictly as a Data Processor. As a Data Processor, we handle the following activities on behalf of the Customer:

  • Customer and contact management
  • Vehicle tracking and registration logs
  • Work orders, service history, and scheduling
  • Integrated telephony, call logs, and SMS features
  • Cash flow and fiscal operation logging
  • Automated end-client processing notifications
  • Data import via external files (ETL processes)
  • Customer reviews and feedback management
  • Processing of the Customer’s workshop staff data

The processing of this data is strictly governed by a separate Data Processing Agreement (DPA) executed between Carbook Soft and the Customer, and is not covered by the terms of this Privacy Policy.

3. RECORD OF PROCESSING ACTIVITIES (ROPA) — AS A CONTROLLER

Below is the structured overview of how we process personal data where Carbook Soft acts as a Data Controller (primarily concerning the administrative and technical account data of our Customers and their users).

Purpose of Processing Categories of Personal Data GDPR Legal Basis Retention Period
Account Registration & Platform Authentication Full name, company name, corporate email address, phone number, login credentials, encrypted password, assigned system role. Art. 6(1)(b) GDPR — Performance of a contract (Platform Terms of Service). Duration of the contractual relationship + 3 years.
Invoicing & Corporate Accounting Company name, tax ID (VAT/payer identifier), corporate banking details (IBAN), transaction records.
*Note: We do not use third-party payment gateways; payments are processed solely via direct bank transfer to our IBAN.
Art. 6(1)(c) GDPR — Compliance with a legal obligation (accounting and tax laws). 7 years (in compliance with mandatory financial retention statutory laws).
Platform Analytics & Performance Optimization De-identified and anonymized usage data, statistical metrics, interactions with features. Art. 6(1)(f) GDPR — Our Legitimate Interest to analyze software performance and improve our SaaS product features. Maintained only in an anonymous form that does not identify any individual.
Marketing and Business Communications Name, business email, business phone number.
*Note: We do not send automated bulk service/marketing emails. All communications are handled manually by our account managers through the channels requested by the client.
Art. 6(1)(f) GDPR — Our Legitimate Interest to maintain active business relationships and inform existing clients about platform enhancements. Until the customer objects to receiving marketing communications or requests deletion.
Security Logs & Fraud Prevention IP addresses, browser types, operating systems, login timestamps, platform activity logs, and technical security event data. Art. 6(1)(f) GDPR — Our Legitimate Interest to ensure technical security, prevent malicious activities (hacking, fraud), and maintain platform uptime. Technical security server logs are automatically deleted after 12 months.
Personnel Management (Carbook HR) Full name, contact data, contractual details, payroll data of Carbook Soft employees and contractors. Art. 6(1)(b) & (c) GDPR — Contract execution and compliance with labor/tax laws. For the duration of employment/contract + statutory retention periods.

4. DATA RECIPIENTS AND SUB-PROCESSORS

We do not sell, rent, or trade personal data to third parties. To provide the Platform functionalities seamlessly, we share data only with trusted service providers under strict data protection terms:

  • Infrastructure & Hosting Provider: All production databases and user data are securely hosted in the European Union on servers provided by Hetzner Online GmbH (Germany).
  • Messenger and Communication Platforms: If you choose to enable third-party communication integrations within the Platform (such as Telegram Bot API or UserBot API), necessary delivery data (e.g., phone numbers, processing notification text) will be transferred to the respective communication provider (e.g., Telegram Group Inc.) solely to execute the delivery as requested by you.
  • Public Authorities: Data may be shared with law enforcement or regulatory authorities only when we are legally compelled to do so under an explicit, enforceable statutory request or court order.

5. INTERNATIONAL DATA TRANSFERS (OUTSIDE THE EU/EEA)

The core technical infrastructure of the Platform is physically located in Germany (Hetzner). However, Carbook Soft LLC is legally incorporated in Ukraine, which is currently classified under GDPR as a third country without a full European Commission adequacy decision.

To legally secure the access and administrative technical support provided by our staff based in Ukraine, all data transfers and remote access are fully covered by Standard Contractual Clauses (SCCs) approved by the European Commission, combined with strict supplementary organizational and technical safety measures.

6. DATA SECURITY MEASURES

We implement comprehensive technical and organizational safeguards to shield your data against unauthorized access, loss, or alteration, including:

  • Encryption in Transit: All connections to the Platform are forcefully encrypted using Industry-standard Transport Layer Security (TLS/HTTPS) protocols.
  • Secret-Store Management: System keys, credentials, and configuration tokens are strictly isolated and managed using dedicated secure secret-store solutions.
  • Role-Based Access Control (RBAC): Access to database clusters is strictly limited to authorized technical personnel on a "need-to-know" basis.
  • Secure Erasure: Data stored within our hosting provider (Hetzner) undergoes audited, secure electronic wiping procedures upon infrastructure decommission.

7. ESSENTIAL COOKIES POLICY

The Platform uses strictly necessary (essential) session cookies. These cookies are mandatory for user authentication, maintaining secure stateful sessions, and remembering your basic UI preferences during a logged-in session. Because these cookies are required to technically deliver the service you explicitly requested, they do not require prior user consent under the ePrivacy Directive.

The Platform does not utilize any third-party marketing, tracking, behavioral, or analytical cookies.

8. YOUR RIGHTS UNDER THE GDPR

As an individual located within the EU/EEA, you possess the following legally enforceable data rights under Chapter III of the GDPR:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request permanent removal of your data where valid legal grounds exist.
  • Right to Restriction of Processing (Art. 18): Ask us to temporarily pause processing your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing carried out based on our legitimate interests.

To exercise any of these rights, please contact us directly at [email protected]. We will verify your identity and respond to your valid request within 30 calendar days as mandated by law.

9. AMENDMENTS TO THIS POLICY

We reserve the right to modify this Privacy Policy to match evolving technical practices or legal requirements. In the event of material changes, we will notify you inside the Platform user interface or via direct communication at least 30 days before the modifications take effect.

10. RIGHT TO LODGE A COMPLAINT

If you believe that our processing of your personal data breaches the provisions of the GDPR, you have the absolute legal right to lodge a formal complaint with a competent Supervisory Authority in your EU Member State of residence or place of work. You can find a complete list of national data protection authorities at: https://edpb.europa.eu.

© 2026 Carbook Soft LLC. All rights reserved.