1. Scope
This Privacy Policy explains how Arisius Software processes personal data through the Arisius Software website, BPS Pro registration, BPS Pro desktop software, password reset, support communication, subscription administration, invoicing, the accountant portal, file services, and connected services.
BPS Pro is offered only to businesses and professional users. Registration requires a valid VAT number for the registering business or professional user. Account administrators are responsible for ensuring that they and their users only enter and process data they are allowed to process.
2. Roles under GDPR
For website use, registration, account administration, billing, security, support, and our own legal obligations, Arisius Software acts as data controller.
For operational data that a customer enters into BPS Pro, such as customer, supplier, and invoice-recipient records, invoices, uploaded documents, planning data, worker data, jobsite data, and similar operational records, the customer is normally the controller and Arisius Software acts as processor. In that case we process the data to provide BPS Pro and related services to the customer, subject to the Terms of Service and the customer's lawful instructions.
Arisius Software has not appointed a Data Protection Officer at this time. Privacy questions can be sent to the contact details above.
3. Data we process
Depending on how BPS Pro is used, we may process business or professional details, VAT number, address, contact person details, account details, login details, subscription details, support messages, payment and invoicing information, Peppol identifiers, accountant portal permissions, uploaded documents, application settings, and technical logs.
Registration can include VAT number, country, legal or business name, address, contact first name and last name, email address, phone number, email communication preference, password, verification code, acceptance records, submission time, and technical request information such as remote address.
Password reset can include email address, reset code, new password, request language, and technical request information. Verification and reset codes are short-lived and protected in hashed form where they are temporarily stored by BPS Pro services.
Website contact forms open the visitor's own email application with the entered name, email address, and message. We process that information only if the visitor chooses to send the email.
BPS Pro may process business records entered by the customer or its users. Those records can contain personal data about employees, contractors, customers, suppliers, invoice recipients, customer contacts, supplier contacts, public organizations, self-employed professionals, private individuals, and other business relations.
When the accountant portal is used, we may process data about the invited accountant or accounting user, granted permissions, login and security information, invitation status, searches, downloads, exports, and access to purchase invoices, sales invoices, reinvoices, PDF files, and UBL/XML files.
Invoice documents made available through BPS Pro and the accountant portal can contain personal data, company or professional data, financial data, VAT data, bank details, supplier, customer, or invoice-recipient details, driver or worker references, and other confidential business information.
Connected mail setup can include provider type, mailbox email address, display name, provider account identifier, consent metadata, protected OAuth tokens, and message metadata needed to send messages selected by the user. BPS Pro does not collect mailbox listings or existing mailbox content for this feature.
Technical data can include IP address, device or browser information, operating system, BPS Pro version, login attempts, security events, API logs, file transfer logs, error reports, diagnostics, and audit logs.
4. Purposes and legal bases
- Registration and account creation: to verify professional eligibility, create the BPS Pro account, create the first administrator, and start a trial. The legal basis is taking steps to enter into and perform a professional service contract, and our legitimate interest in preventing misuse.
- VAT validation: to check whether a VAT number is valid and available for registration. The legal basis is pre-contractual steps, legitimate interest, and, where applicable, legal and accounting obligations.
- Email verification and password reset: to secure accounts and verify access to an email address. The legal basis is contract performance and legitimate interest in account security.
- BPS Pro service delivery: to provide software access, synchronization, file services, support, updates, Peppol features, email sending, accountant portal access, and related business workflows. The legal basis is contract performance for our customer relationship and, for customer-controlled business data, processing on the customer's instructions.
- Billing and subscriptions: to manage trials, subscriptions, invoices, payment status, taxes, and accounting. The legal basis is contract performance and legal obligation.
- Administrative and service messages: to send necessary account, security, subscription, and service communications. The legal basis is contract performance and legitimate interest.
- Optional marketing or non-essential email communication: to send information where a contact has chosen to receive it. The legal basis is consent where required, which can be withdrawn at any time.
- Security, abuse prevention, logging, diagnostics, and service reliability: to protect BPS Pro, customers, users, and infrastructure. The legal basis is legitimate interest and, where applicable, legal obligation.
- Legal compliance and dispute handling: to comply with accounting, tax, security, regulatory, or legal duties and to establish, exercise, or defend legal claims. The legal basis is legal obligation and legitimate interest.
Some information is required to register, use BPS Pro, administer a subscription, secure an account, provide support, or comply with accounting and tax obligations. If required information is not provided, registration, account access, billing, support, or the relevant feature may not be available.
5. Connected Gmail and Outlook/Microsoft mail access in BPS Pro
BPS Pro can let a user connect a Gmail, Outlook.com, Microsoft 365, or other Microsoft mailbox so BPS Pro can send outgoing emails from that mailbox. This connection is optional and must be started by the user.
For Gmail, BPS Pro uses the Gmail send-only permission https://www.googleapis.com/auth/gmail.send. This permission is limited to sending email messages that the user chooses to send through BPS Pro.
For Outlook and Microsoft accounts, BPS Pro uses Microsoft identity platform sign-in and Microsoft Graph delegated permissions. The relevant permissions are User.Read, Mail.Send, and offline_access. User.Read identifies the signed-in account, Mail.Send lets BPS Pro send the selected outgoing message as the signed-in user, and offline_access lets the connection remain active by refreshing access tokens.
BPS Pro does not use connected mail access to read, monitor, delete, analyze, or sell the inbox, sent folder, message lists, labels, contacts, existing mailbox attachments, calendar data, or other mailbox content.
BPS Pro may also use identity information returned by Google or Microsoft, such as email address, display name, account ID, or profile claims, to identify the connected account and show the connected mailbox correctly in BPS Pro.
Messages sent through a connected account are sent to the selected recipients and may be stored by the mail provider in the account's sent mail according to provider behavior and account settings.
OAuth tokens are stored so the mailbox can remain connected, and they are used only to maintain the sending connection requested by the user. These tokens are protected with technical and organizational security measures.
Connected mail account data is not sold, not used for advertising, profiling, credit decisions, data brokerage, or AI/model training, and not shared with third parties except as needed to send the selected email through Google/Gmail APIs or Microsoft Graph, to maintain security, or where legally required.
Users can remove the mail connection in BPS Pro or revoke access through their Google Account, Microsoft Account, or Microsoft 365/Entra consent controls. After the connection is removed or revoked, OAuth tokens are deleted or invalidated and BPS Pro makes no further provider API calls for that mailbox.
BPS Pro's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6. Recipients and service providers
We use selected service providers to operate BPS Pro and the website. Depending on the feature used, data may be processed by hosting, storage, backup, security, email delivery, payment, Peppol, accounting, diagnostics, and support providers.
When a customer uses the accountant portal, authorized accountants or accounting users may access the invoice data, PDF files, and UBL/XML files that the customer makes available through BPS Pro. The customer decides who receives access and remains responsible for the lawfulness, necessity, accuracy, and withdrawal of that access.
Accountant portal access is password protected and based on invitations created by the customer's administrator. The customer is responsible for inviting the correct person, sending the invitation link safely, and revoking or deleting access when it is no longer required.
Payment and subscription information is processed through Stripe. Registration verification and password reset emails may be sent through Brevo. Optional connected mail sending uses Google APIs or Microsoft Graph when enabled by the user. Electronic invoicing may use Qvalia and other Peppol or accounting service providers when enabled for an account or business profile. VAT numbers may be checked through VIES, KBO/CBE, or other official VAT and business validation services.
We may also disclose data when required by law, to competent authorities, to professional advisers, or where necessary to protect rights, security, and legal interests.
7. Cookies and local storage
The public website is not intended to use advertising or behavioral tracking cookies. Technical logs may still be created by hosting and security systems to deliver the website and protect it.
Some pages use browser local storage or similar technology for functional reasons, such as remembering the selected registration language, remembering the accountant portal language preference, or, on mobile upload pages, saving the uploader's first and last name on that device so uploads can be labeled. These values are stored in the user's browser and can be cleared through browser settings.
If non-essential analytics, advertising, or tracking technologies are added later, we will update this policy and request consent where required.
8. International processing
Some providers may process data outside Belgium or the European Economic Area. Where GDPR requires safeguards for transfers outside the EEA, we rely on adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, or another valid GDPR transfer mechanism.
9. Security
We use technical and organizational measures intended to protect data against unauthorized access, loss, misuse, and alteration. These can include access control, encryption or protected storage for secrets and tokens, logging, backups, rate limiting, and separation of customer data where applicable.
No system can be guaranteed to be completely secure. Customers and users must also keep credentials secure, manage user access carefully, and notify Arisius Software promptly if unauthorized access is suspected.
10. Retention
We keep personal data only as long as needed for the purposes described in this policy, for the customer's BPS Pro account, for legal or accounting obligations, for security, for backup integrity, or for resolving disputes.
Email verification and password reset codes are temporary and normally expire after 15 minutes. Billing, invoice, accounting, and tax records may be kept for the legally required retention period, which can be up to 10 years for Belgian accounting and VAT purposes. Technical logs, audit logs, accountant portal access/download/export logs, error reports, and registration records are kept as long as needed for security, diagnostics, administration, legal evidence, or service continuity and are then deleted or archived according to operational needs.
Customer business data in BPS Pro may be kept while the customer account remains active and for a reasonable period afterwards to allow export, deletion, legal compliance, dispute handling, and backup cleanup.
11. Your rights
Where GDPR applies and subject to its conditions, you may request access, rectification, erasure, restriction, objection, or portability of your personal data. Where processing is based on consent, you may withdraw that consent at any time without affecting processing that already took place lawfully before withdrawal.
You can contact us using the details above. We may need to verify your identity before handling a request. Where Arisius Software processes customer-controlled business data as processor, we may refer the request to the relevant customer or handle it according to that customer's instructions.
12. Complaint right
If you believe your personal data has been processed unlawfully, you can contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with a supervisory authority. In Belgium, this is the Gegevensbeschermingsautoriteit / Autorité de protection des données, Drukpersstraat 35, 1000 Brussels, www.gegevensbeschermingsautoriteit.be.
13. Automated decision-making
Arisius Software does not use website registration or BPS Pro account data for automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
14. Changes
We may update this Privacy Policy when our services, legal requirements, or processing practices change. The latest version is published on this page.