← Trust Center Draft — final legal review pending

Privacy Policy

How Eubulia handles personal data. Written to comply with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

Effective date: Pre-launch alpha · Last updated: 2026-05-04 · Controller: Søren Porskrog, founder, Eubulia (Copenhagen, Denmark) · Contact: hello@eubulia.eu

Contents
  1. Who we are
  2. What data we collect
  3. Legal basis for processing
  4. How we use your data
  5. Who we share data with
  6. Where data is processed
  7. Documents stay in your own cloud
  8. How long we keep data
  9. Bitemporal data model and your right to erasure
  10. Zero training on your data
  11. Your rights under GDPR
  12. Cookies and tracking
  13. Security measures
  14. Children
  15. Changes to this policy
  16. Contact and complaints

1. Who we are

Eubulia is a structured-second-brain product for independent management consultants. The service is operated by Søren Porskrog, an individual founder based in Copenhagen, Denmark. For the purposes of this policy and applicable data-protection law, Søren Porskrog acts as the data controller for personal data we collect about customers (you, the consultant), and as a data processor on your behalf for personal data you store in Eubulia about your own clients and contacts.

Where you process personal data of your own clients in Eubulia, you are the data controller and we are your data processor. Our Data Processing Agreement (DPA) governs that relationship and forms part of these terms.

2. What data we collect

We collect the minimum data needed to operate the service.

Account data

Workspace content (your input)

Usage telemetry

What we explicitly do not collect

3. Legal basis for processing

Under GDPR Article 6, we rely on the following legal bases:

PurposeLegal basis
Providing the service to you (account, workspace, chat)Contract (Art. 6(1)(b))
Billing and payment processingContract + legal obligation (Art. 6(1)(b), (c))
Service-health monitoring, error logging, fraud preventionLegitimate interest (Art. 6(1)(f))
Compliance with court orders, legal processesLegal obligation (Art. 6(1)(c))
Sending product updates and operational noticesLegitimate interest (Art. 6(1)(f)), with opt-out
Marketing emails (none planned during alpha; opt-in only at GA)Consent (Art. 6(1)(a))

4. How we use your data

We use your data to:

We do not use your data to:

5. Who we share data with

We share data only with carefully chosen sub-processors who help us deliver the service. The complete and current list is published at /legal/sub-processors and includes:

All sub-processors are bound by data-processing agreements that flow down our obligations. Material changes to the sub-processor list are notified to you at least 30 days in advance via email.

We may also disclose data when required by law, court order, or to protect against fraud, abuse, or safety threats. Such requests are reviewed; we resist over-broad demands and notify you unless prohibited by law.

6. Where data is processed

By default, your structured workspace data is stored and processed in EU infrastructure (Frankfurt, Germany region):

Optional LLM providers (Anthropic, OpenAI, Google Gemini) operate from the United States. Their use is opt-in via your Settings and governed by Standard Contractual Clauses (SCCs) under the EU-U.S. Data Privacy Framework. You can disable all non-EU providers in Settings → AI & search → GDPR mode → "EU-only".

For compliance-bound clients (defense, government, regulated healthcare), we offer sovereign deployment to your own Azure EU tenant on roadmap H2 2026. Contact hello@eubulia.eu for early access.

7. Documents stay in your own cloud

This is a deliberate architectural choice and a meaningful privacy benefit. When you connect OneDrive, Google Drive, NextCloud, or drop local files into Eubulia:

This means the most sensitive content — actual client documents — is never sitting in our database waiting to leak. We see only the bare minimum needed to be useful.

8. How long we keep data

Data typeRetention
Account (email, name, auth tokens)Lifetime of your account + 30 days after deletion request
Workspace content (chats, notes, structured entities)Lifetime of your account, with bitemporal version history
Billing records5 years after end of customer relationship (Danish accounting law)
Service logs (API requests, errors)90 days rolling
LLM usage events5 years (for billing reconciliation)
Backups30 days rolling, encrypted at rest
Account-deletion audit log10 years (compliance evidence)

9. Bitemporal data model and your right to erasure

Eubulia uses a bitemporal database model: every change to risks, decisions, documents, and semantic chunks is preserved as a new immutable version. This is a feature for you (full audit trail by design — you can answer "what did we know on November 15th?") but raises a fair question about GDPR Article 17 (right to erasure).

Our position is straightforward:

10. Zero training on your data

We do not train models on customer data. Period. This includes:

LLM providers we route to (Mistral, Anthropic, OpenAI, Google) are configured to not retain or train on your data. We have signed enterprise / API agreements with these providers that contractually prohibit training on inference data. This is verifiable in their respective DPAs (linked from our sub-processor list).

If we ever build a domain-specialist model (a possibility on our roadmap), it will be strictly opt-in, anonymized, and aggregated. You will see exactly what would be contributed before any of it leaves your tenant.

11. Your rights under GDPR

You have the following rights regarding your personal data:

To exercise any right: email hello@eubulia.eu with subject "GDPR request — [type]". We respond within 30 days (Art. 12(3)).

12. Cookies and tracking

Eubulia uses only the minimum cookies needed to operate:

We do not use:

13. Security measures

Specific technical and organizational measures are documented at /legal/security. In summary:

14. Children

Eubulia is a B2B service intended for management consultants. We do not knowingly collect data from anyone under 16. If you become aware that a child has provided personal data to us, contact hello@eubulia.eu and we will delete it promptly.

15. Changes to this policy

Material changes are notified to active customers at least 30 days in advance via email and via banner in the application. Non-material changes (clarifications, typos) are made silently with the "Last updated" date refreshed at the top of this page.

16. Contact and complaints

Data controller: Søren Porskrog, Eubulia, Copenhagen, Denmark
Email: hello@eubulia.eu (GDPR matters: subject line "GDPR")

If you believe your data has been mishandled, please contact us first — we take privacy seriously and want to resolve concerns directly. You also have the right to lodge a complaint with your local supervisory authority. In Denmark, this is:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
datatilsynet.dk

Need a Data Processing Agreement (DPA)?

If you are processing personal data of your own clients in Eubulia, you are the controller and we are your processor. Our standard DPA (GDPR Art. 28) covers that relationship. Available on request from hello@eubulia.eu with subject "DPA request" — signable copy returned within 2 business days.