Privacy Policy

1. Introduction

Soqqet ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard information when you use our website (soqqet.com) and messaging platform services.

2. Data We Collect

2.1 Customer Account Data

• Account information: name, email address, phone number, company name when you sign up or contact us
• Payment information: processed securely by our payment provider; we do not store credit card details
• Contact form submissions: name, email, phone, and message content when you reach out via our contact form

2.2 Usage Data

• Usage data: pages visited, features used, session duration
• Device data: browser type, operating system, screen resolution
• Log data: IP address, access times, referring URLs

2.3 Messaging Data

As a Software-as-a-Service (SaaS) platform for transactional notifications, Soqqet processes message content and recipient data on behalf of our customers, who are the Data Controllers under GDPR. Soqqet acts as a Data Processor under Article 28 GDPR.

We process the following data on behalf of customers:

• Recipient contact information (phone numbers, names, emails)
• Message content (templates and dynamic variables)
• Delivery status, timestamps, and channel responses
• Consent records and opt-out events
• Audit logs of workflow runs

This data is processed solely for the purpose of executing notification workflows on behalf of the customer. We do not use customer data for advertising, profiling, training of AI models, or any purpose other than service delivery.

Data Processing Agreement (DPA) is automatically incorporated into our Terms of Service when customers register. A standalone signed DPA is available upon request via [email protected].

3. How We Use Data

• To provide and maintain our messaging platform services
• To process your transactions and send related information
• To respond to your inquiries and support requests
• To send service-related notices and updates
• To monitor and analyze usage patterns to improve our services
• To detect, prevent, and address technical issues and abuse

4. Legal Basis for Processing

Purpose	Legal Basis
Providing our services	Performance of contract (Art. 6(1)(b))
Processing messages on behalf of clients	Legitimate interest / Data Processing Agreement (Art. 6(1)(f) / Art. 28)
Marketing communications	Consent (Art. 6(1)(a))
Legal compliance	Legal obligation (Art. 6(1)(c))

5. Data Sharing

We engage the following sub-processors to deliver our services:

For an up-to-date list with locations and processing scope, see our Sub-processors page.

Notification of new sub-processors: We notify customers at least 30 days before adding new sub-processors. Customers may object to a new sub-processor by contacting [email protected].

6. International Data Transfers

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. Account data is retained while your account is active. After account closure, data is deleted within 90 days, except where retention is required by law.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. Account data is retained while your account is active. After account closure, data is deleted within 90 days, except where retention is required by law.

8. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), access controls, and regular security reviews. Our infrastructure is hosted on European servers.

9. Cookies

Our website uses essential cookies necessary for core functionality (authentication, security, language preference). We may use limited analytics cookies (e.g., Google Analytics 4) that respect Do Not Track signals and only fire after explicit opt-in via our cookie banner.

A cookie consent banner is presented to first-time visitors. You can manage your cookie preferences at any time via the Cookie Settings page.

10. Your Rights Under GDPR

Under GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Request deletion of your data ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time

To exercise these rights, contact us at [email protected].

11. Contact

For any questions about this privacy policy or our data practices, contact our Data Protection Officer at [email protected].

Soqqet OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia

12. Rights of End Recipients (Notification Recipients)

If you received a notification through Soqqet from one of our customers and you wish to exercise your data protection rights:

• Stop receiving notifications: Reply STOP, UNSUBSCRIBE, or CANCEL to the message. The blocklist is enforced across all our customers.
• Access your data: Contact the sender directly. They are the Data Controller. Soqqet can assist by routing your request to the appropriate customer.
• Report abuse: If you believe a notification was sent without your consent or violates our Acceptable Use Policy, email [email protected]. We investigate all reports within 5 business days.

13. Privacy Rights for Other Jurisdictions

While this policy primarily reflects GDPR (EU/EEA), Soqqet honours equivalent data subject rights for residents of other jurisdictions. Residents of any jurisdiction may request access, correction, or deletion of their data by contacting [email protected].

California (CCPA / CPRA)

California residents have the right to know what personal information is collected, the right to delete that information, the right to opt out of the sale of personal information (Soqqet does not sell personal information), and the right to non-discrimination for exercising these rights.

United Kingdom (UK GDPR)

UK residents have the same rights as EU/EEA residents under the UK GDPR and Data Protection Act 2018, including access, rectification, erasure, restriction, portability, and objection.

Brazil (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados, including confirmation of processing, access, correction, anonymization, portability, and deletion.

Canada (PIPEDA)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act, including access to personal information held about them and the ability to challenge accuracy.

Australia (Privacy Act)

Australian residents have rights under the Privacy Act 1988, including access, correction, and complaint procedures via the Office of the Australian Information Commissioner.