Privacy Policy
Last updated: March 2026
Version 2.4
Note: bracketed placeholders [like this] must be completed by ITone Ltd. EU before publication.
1. Data Controller
ServiceLeaf is operated by ITone Ltd. EU (registered office: [registered office address, EU member state]; company registration number: [company registration number]; VAT ID: [EU VAT ID]). ServiceLeaf acts as the data controller for personal data it processes in relation to users and visitors (e.g. account management, billing, security, communications). When we process Customer Data on behalf of a customer organization (workspace/tenant), we typically act as a data processor, and the customer organization is the data controller. This Privacy Policy describes how we collect, use, disclose and protect your data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
Data Protection Officer: You can reach our Data Protection Officer at dpo@serviceleaf.app with any data protection questions.
2. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 of the GDPR:
- Performance of a contract (GDPR Article 6(1)(b)): Processing necessary to perform our service agreement
- Legitimate interest (GDPR Article 6(1)(f)): Service improvement, security and fraud prevention
- Consent (GDPR Article 6(1)(a)): Marketing communications and optional features
- Legal obligation (GDPR Article 6(1)(c)): Compliance with applicable laws and regulations
3. Information We Collect
3.1 Personal Data
- Account data: Name, username, email address, password hash, user role
- Workspace/tenant data: Company/workspace name, country, subdomain, plan and settings
- Billing and subscription data: Billing address, tax number/tax ID, invoices and payment status
- Technical data: IP address, browser type and version, time zone setting, operating system and platform
- Profile data: Preferences, feedback, survey responses
- Usage data: Information about how you use our website and services
- Marketing and communications data: Your preferences for receiving marketing communications and your communication preferences
- Authentication data: Multi-factor authentication settings, recovery codes (encrypted), SSO provider connections
- Security logs: IP addresses, user agents and timestamps from authentication and security events
3.2 Special Categories of Data
We do not intentionally collect special categories of personal data (sensitive personal data) within the meaning of Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation.
3.3 Business Data
- Asset management information and work orders
- Project data, schedules and maintenance records
- Company information, vendor and supplier data
- Reports, analytics and performance metrics
- Communication logs and support tickets
4. How We Collect Personal Data
- Direct interactions: You provide data when you register, use our services, or contact us
- Automated technologies: When you interact with our website, we automatically collect technical data
- Third parties: We may receive data from analytics providers, such as Google Analytics
5. How We Use Personal Data
5.1 Service Delivery
- Registering you as a new customer and managing user accounts
- Processing and fulfilling orders, including managing payments and fees
- Providing customer support and technical assistance
- Notifying you of changes to our terms or privacy policy
5.2 Service Improvement
- Administering and protecting our business and website (including troubleshooting, data analysis, testing)
- Improving our website, products/services, marketing or customer relationships
- Making suggestions and recommendations about products or services that may interest you
5.3 Handling Contact and Lead Data
When you complete one of the forms on our website — "Request a demo", "Contact" or "Free trial" — we store the following data on our own infrastructure within the European Union (Germany), on servers operated by ITone Ltd. EU:
- Name, email address, company name (required)
- Phone number, subject, message (optional, depending on the form type)
- Submission time, IP address, browser identifier (User-Agent), reCAPTCHA score — solely for abuse prevention and security purposes
Legal basis for processing: GDPR Article 6(1)(b) (pre-contractual steps taken at the data subject's request) and Article 6(1)(f) (the controller's legitimate interest in responding to enquiries and maintaining customer relationships).
Data transfers: We do not transfer lead data to third parties; only the sales and customer support staff of ITone Ltd. EU have access, via an authenticated internal administration interface.
Storage and backup: The data is stored in an encrypted PostgreSQL database on our own EU-based server (Hetzner, Germany). An encrypted backup is created daily, which likewise stays within the European Union (Hetzner Storage Box).
Retention period: We retain lead data for 24 months from the last meaningful contact. After that, the data is anonymized or permanently deleted, unless the law requires longer retention (e.g. for accounting records — see section 11).
Right to erasure: You can request the permanent deletion of your data at any time. You can submit your request by email to info@serviceleaf.hu; we will fulfil received erasure requests within 30 days and notify you by email once completed. For your detailed GDPR rights, see section 12.
6. Google Analytics
Description and purpose of the service
On our website we use the Google Analytics 4 (hereinafter: "GA4") web analytics service, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). GA4 allows us to analyze website usage patterns, which helps us improve our services and the user experience of our website.
Legal basis for processing
The legal basis for processing by Google Analytics is our legitimate interest under GDPR Article 6(1)(f). Our legitimate interest is to understand website usage patterns, improve service quality, identify technical issues and optimize the user experience. You have the right to object to processing based on our legitimate interest under Article 21 of the GDPR (see opt-out options below).
Scope of data collected
GA4 uses cookies and similar technologies to collect information about how you use our website. The data collected includes:
- Pages viewed and time spent on individual pages
- Traffic source and user acquisition channels (how you found our website)
- Device and browser information (screen size, operating system, browser version)
- Geographic location (at country/city level, based on the IP address)
- User interaction events (clicks, scrolls, page load time)
- Session data (session duration, bounce rate)
Cookies used by GA4
Google Analytics 4 places the following cookies on your device:
- _ga — Used to distinguish users. Retention period: 2 years
- _ga_<container-id> — Used to persist session state. Retention period: 2 years
- _gid — Used to distinguish users over the short term. Retention period: 24 hours
These cookies fall into the "Performance cookies" category and are not suitable for directly identifying you personally.
Handling and anonymization of IP addresses
By default, GA4 does not store the full IP address. IP addresses are truncated within the member states of the European Union or in other states party to the Agreement on the European Economic Area before being transferred to the United States. Only in exceptional cases is the full IP address transferred to Google's servers in the United States and shortened there.
Data processor and international data transfers
Google Ireland Limited acts as a data processor on our behalf within the GA4 service. A Data Processing Agreement is in place between us and Google, which meets the requirements set out in Article 28 of the GDPR.
The data may be processed outside the European Economic Area, including in the United States. Google LLC complies with the EU–U.S. Data Privacy Framework, which the European Commission recognized in its adequacy decision of 10 July 2023 (C(2023) 4745 final). This ensures an adequate level of protection for personal data when transferred to the United States.
Exclusion of advertising purposes
We have configured Google Analytics so that we do not use the personal data collected for advertising purposes, and we have disabled data sharing with Google for advertising and remarketing purposes. The Google Signals feature is not enabled in our GA4 property.
Opt-out and objection
You have the right to prevent Google Analytics from collecting data using the following methods:
- By installing the Google Analytics opt-out browser add-on
- By disabling or deleting cookies in your browser settings
- By rejecting performance cookies in our cookie consent banner
References
For more information, please see the following documents:
6.5 Google Search Console
Description and purpose of the service
Google Search Console (hereinafter: "GSC") is a web service provided by Google Ireland Limited that we use to monitor, maintain and troubleshoot how our website appears in search engines. GSC helps us check the website's indexing status, analyze its search performance and identify technical SEO issues.
Legal basis for processing
The legal basis for processing in connection with the use of Google Search Console is our legitimate interest under GDPR Article 6(1)(f). Our legitimate interest is search engine optimization of the website, identifying technical issues, resolving indexing problems and improving the website's visibility in search results.
Nature of the data processed
Google Search Console primarily processes aggregated and anonymized data. The service handles the following data:
- Search performance data: Aggregated search queries, impression frequency, click-through rates and average search positions — this data does not contain information traceable to individual users
- Indexing information: The crawl and indexing status of the website's pages, URL availability and status
- Technical data: Crawl statistics, server response times, mobile usability signals and Core Web Vitals performance metrics
- Security signals: Notifications of potential security issues (e.g. malware, phishing)
Handling of personal data
It is important to emphasize that Google Search Console does not directly collect personal data from our website's visitors. The search query data available in GSC is aggregated and anonymized, meaning it is not suitable for identifying individual users. The URL data that GSC processes could in principle contain personal data if the website's URL structure contains such data; our website's URL structure does not contain personal data.
Website verification
To verify our website in Google Search Console, we use one of the verification methods provided by Google (e.g. DNS record, HTML file or meta tag). This verification process does not involve any personal user data.
Data processor and data processing
Within the GSC service, Google Ireland Limited carries out the data processing. The Google Data Processing Terms and the EU–U.S. Data Privacy Framework apply to data transfers arising from the use of the service. For more information, please see the Google Data Processing Terms document.
6.6 Other Google Services
Google reCAPTCHA v3
We use Google reCAPTCHA v3 to protect our service against automated abuse and spam. When you access pages containing authentication forms (sign-in, registration, password reset), reCAPTCHA may collect:
- Your IP address
- Browser and device information
- Interaction patterns (mouse movements, keystrokes)
This data is processed by Google to generate a risk score that helps prevent automated attacks. For more information, see the Google Privacy Policy.
Google Maps Platform
We use Google Maps to display asset locations and provide address autocomplete. When you use location-based features, Google may receive:
- The geographic coordinates viewed or searched
- The address search queries entered
- Your IP address
7. Amazon Web Services (AWS)
We use Amazon Web Services (AWS) as our cloud infrastructure provider. We may process and store your data on AWS servers located within the European Union. AWS complies with the GDPR and provides appropriate technical and organizational measures to protect your data.
AWS acts as a data processor on our behalf and only processes your data according to our instructions. We have entered into Data Processing Agreements with AWS, which include the Standard Contractual Clauses approved by the European Commission.
File storage (Amazon S3)
All files uploaded to ServiceLeaf are stored on Amazon S3 within the European Union. This includes:
- Document attachments on work orders, assets and tickets
- Asset photos and images
- Imported files and reports
Files remain linked to your tenant account until users explicitly delete them or until the account is closed.
7.3 Single Sign-On (SSO) Providers
If your organization uses Single Sign-On, authentication is handled by your identity provider. We support the following integrations:
- Microsoft Azure Active Directory (Entra ID)
- Google Workspace
- SAML 2.0 compatible identity providers
Data Received from Identity Providers
- Your unique identifier from the identity provider
- Email address and display name
- Profile information configured by your organization
SSO Data We Store
- The link between your SSO account and your ServiceLeaf account
- SSO authentication audit logs (timestamp, IP address, success/failure status)
The SSO configuration is controlled by your organization's administrator.
7.5 AI-powered Features (Anthropic/Claude)
ServiceLeaf offers an optional AI Assistant feature, powered by Claude developed by Anthropic, PBC. When you use the AI Assistant, data is processed as follows:
Data Sent to Anthropic
- Your messages: Questions and requests entered in the AI chat
- Business context: Relevant data from assets, work orders or inventory that is needed to answer your queries
- Conversation history: Earlier messages from the current session for context
Important: No AI Training
Anthropic does NOT use your data to train their AI models. As stated in Anthropic's Commercial Terms of Service: "Anthropic may not train models on Customer Content from the Services." Anthropic acts as a data processor and only processes your data to generate responses to queries.
Locally Stored Data
- Conversation history: Stored in your tenant database. ServiceLeaf may read and analyze conversation data to improve service quality
- Usage statistics: Token counts and timestamps for billing and rate limiting
- Settings: Your AI Assistant preferences
Your Rights
- Requesting that the AI Assistant feature be disabled through your administrator
- Accessing detailed AI privacy information through the privacy icon in the AI Assistant interface
For more information about Anthropic's data handling practices, visit the Anthropic Privacy Policy.
7.6 Electronic Invoicing Services
Invoicing and payment processing are handled by a third-party payment and invoicing processor, [payment/invoicing processor], acting as a separate data processor under the GDPR. This processor processes billing data on our behalf in order to issue invoices that comply with the legal requirements of the customer's jurisdiction.
When invoices are generated through this service, the following data is transferred:
- Invoice details (line items, amounts, dates, invoice numbers)
- Customer billing data (name, address, tax number)
- The company's billing details
The processor handles the data in accordance with the applicable legal requirements for electronic invoicing in the relevant EU member state. This integration is configured as part of your subscription and billing setup.
8. Disclosure of Personal Data
We may share your personal data with the following categories of recipients:
- Service providers: Third parties providing IT and system administration services
- AI processing provider: Anthropic, PBC for AI Assistant functionality (data processor, no training on your data)
- Security services: Google (reCAPTCHA for bot protection)
- Location services: Google (Maps Platform for asset mapping features)
- Identity providers: Microsoft, Google or your SAML provider for SSO authentication
- Payment and invoicing processor: [payment/invoicing processor] for issuing compliant invoices and processing billing data (as a separate data processor)
- Professional advisers: Lawyers, bankers, auditors and insurers
- Government authorities: Tax authorities, regulators and other authorities where we are required by law to disclose data
- Third parties to whom we may sell or transfer our business: In the event of a merger, acquisition or sale
We require all third parties to respect the security of your personal data and to handle it in accordance with the law. We only permit third parties to process your personal data for specified purposes and in accordance with our instructions.
9. International Data Transfers
Some of our external third parties are located outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure a similar level of protection by applying at least one of the following safeguards:
- European Commission adequacy decisions
- Standard Contractual Clauses approved by the European Commission
- Binding corporate rules or certification schemes
AI Assistant queries are processed by Anthropic's infrastructure, which may include servers located in the United States. Appropriate safeguards, including Standard Contractual Clauses, are in place.
Google services (reCAPTCHA, Maps) may process data on servers globally, including in the United States. Google participates in the EU–U.S. Data Privacy Framework and applies appropriate safeguards.
10. Data Security
We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized access, modification, disclosure or destruction:
- TLS 1.3 encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication for administrative access
- Regular security assessments and penetration testing
- Employee training on data protection and security
- Regular security updates and patch management
- Pseudonymization and anonymization where appropriate
11. Data Retention
We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including:
- Account data: For the duration of the contractual relationship plus 3 years for legal claims
- Financial records: 10 years under tax laws
- Communication logs: 2 years for customer support purposes
- Marketing data: Until consent is withdrawn or after 2 years of inactivity
- Technical logs: 90 days for security and troubleshooting purposes
- AI conversation history: Retained until deleted or until the account is closed
- Security audit logs: 2 years for SSO events, permission changes and authentication logs
- MFA settings: Until disabled by the user or until the account is deleted
- Uploaded files: Until explicit deletion or until the account is closed
- Activity logs: 2 years for compliance and security audit purposes
When we no longer need your personal data, we securely delete or anonymize it.
11.5 Account Deletion and Data Anonymization
When your user account is deleted (whether by request or by your administrator):
- Your email address and personal identifiers are anonymized (replaced with non-identifying values)
- SSO connections and MFA data are permanently deleted
- The AI conversation history associated with your account is permanently deleted
- Business records you created (work orders, assets, tickets) retain anonymized user references to maintain the integrity of the audit trail
- Files associated solely with your account can be deleted at the request of the tenant administrator
This process ensures that your personal data cannot be restored, while maintaining the integrity of the business records needed for compliance purposes.
12. Your Rights Under the GDPR
In certain circumstances, under data protection laws you have the following rights in relation to your personal data:
- Right of access (GDPR Article 15): Requesting access to your personal data
- Right to rectification (GDPR Article 16): Requesting the correction of inaccurate personal data
- Right to erasure (GDPR Article 17): Requesting the deletion of your personal data
- Right to restriction of processing (GDPR Article 18): You can request that the processing of your personal data be restricted
- Right to data portability (GDPR Article 20): Requesting the transfer of your personal data to another party
- Right to object (GDPR Article 21): You can object to the processing of your personal data
- Right to withdraw consent: You can withdraw your consent at any time where we rely on consent
To exercise these rights, please contact us at privacy@serviceleaf.app. We will respond to your request within one month.
13. Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our service and store certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
Types of Cookies We Use:
- Strictly necessary cookies: Required for the website to function
- Performance cookies: Help us understand how visitors interact with our website
- Functional cookies: Remember your preferences and settings
- Targeting cookies: Used to display relevant advertising (with your consent)
Detailed list of cookies used:
Google Analytics 4 cookies:
- _ga — Purpose: Unique visitor identification for analytics. Type: Performance cookie. Retention period: 2 years. Provider: Google Ireland Limited
- _ga_<container-id> — Purpose: Persisting session state in GA4. Type: Performance cookie. Retention period: 2 years. Provider: Google Ireland Limited
- _gid — Purpose: Distinguishing visitors over the short term. Type: Performance cookie. Retention period: 24 hours. Provider: Google Ireland Limited
Strictly necessary cookies:
- cookie_consent — Purpose: Storing the user's cookie consent choices. Type: Strictly necessary cookie. Retention period: 1 year. Provider: ServiceLeaf
You can manage your cookie preferences through our cookie consent banner or by contacting us directly.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 34 of the GDPR.
15. Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 of the GDPR to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
You may also contact the lead supervisory authority for ITone Ltd. EU, which is the data protection authority of [EU member state of establishment].
A complete list of the national data protection authorities in the European Union and the European Economic Area, with their contact details, is maintained by the European Data Protection Board (EDPB) and is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
16. Children's Privacy
Our service is not intended for persons under the age of 16. We do not knowingly collect personal data from children under the age of 16. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes in the following ways:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending an email notification about significant changes
- Requesting renewed consent where required by law
18. Contact
If you have any questions about this Privacy Policy or our data handling practices, please contact us:
- Email: privacy@serviceleaf.app
- Data Protection Officer: dpo@serviceleaf.app
- Response time: We will respond to your enquiry within 30 days