How Eubulia handles personal data. Written to comply with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.
Eubulia is a structured-second-brain product for independent management consultants. The service is operated by Søren Porskrog, an individual founder based in Copenhagen, Denmark. For the purposes of this policy and applicable data-protection law, Søren Porskrog acts as the data controller for personal data we collect about customers (you, the consultant), and as a data processor on your behalf for personal data you store in Eubulia about your own clients and contacts.
Where you process personal data of your own clients in Eubulia, you are the data controller and we are your data processor. Our Data Processing Agreement (DPA) governs that relationship and forms part of these terms.
We collect the minimum data needed to operate the service.
Under GDPR Article 6, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the service to you (account, workspace, chat) | Contract (Art. 6(1)(b)) |
| Billing and payment processing | Contract + legal obligation (Art. 6(1)(b), (c)) |
| Service-health monitoring, error logging, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with court orders, legal processes | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and operational notices | Legitimate interest (Art. 6(1)(f)), with opt-out |
| Marketing emails (none planned during alpha; opt-in only at GA) | Consent (Art. 6(1)(a)) |
We use your data to:
We do not use your data to:
We share data only with carefully chosen sub-processors who help us deliver the service. The complete and current list is published at /legal/sub-processors and includes:
All sub-processors are bound by data-processing agreements that flow down our obligations. Material changes to the sub-processor list are notified to you at least 30 days in advance via email.
We may also disclose data when required by law, court order, or to protect against fraud, abuse, or safety threats. Such requests are reviewed; we resist over-broad demands and notify you unless prohibited by law.
By default, your structured workspace data is stored and processed in EU infrastructure (Frankfurt, Germany region):
Optional LLM providers (Anthropic, OpenAI, Google Gemini) operate from the United States. Their use is opt-in via your Settings and governed by Standard Contractual Clauses (SCCs) under the EU-U.S. Data Privacy Framework. You can disable all non-EU providers in Settings → AI & search → GDPR mode → "EU-only".
For compliance-bound clients (defense, government, regulated healthcare), we offer sovereign deployment to your own Azure EU tenant on roadmap H2 2026. Contact hello@eubulia.eu for early access.
This is a deliberate architectural choice and a meaningful privacy benefit. When you connect OneDrive, Google Drive, NextCloud, or drop local files into Eubulia:
This means the most sensitive content — actual client documents — is never sitting in our database waiting to leak. We see only the bare minimum needed to be useful.
| Data type | Retention |
|---|---|
| Account (email, name, auth tokens) | Lifetime of your account + 30 days after deletion request |
| Workspace content (chats, notes, structured entities) | Lifetime of your account, with bitemporal version history |
| Billing records | 5 years after end of customer relationship (Danish accounting law) |
| Service logs (API requests, errors) | 90 days rolling |
| LLM usage events | 5 years (for billing reconciliation) |
| Backups | 30 days rolling, encrypted at rest |
| Account-deletion audit log | 10 years (compliance evidence) |
Eubulia uses a bitemporal database model: every change to risks, decisions, documents, and semantic chunks is preserved as a new immutable version. This is a feature for you (full audit trail by design — you can answer "what did we know on November 15th?") but raises a fair question about GDPR Article 17 (right to erasure).
Our position is straightforward:
We do not train models on customer data. Period. This includes:
LLM providers we route to (Mistral, Anthropic, OpenAI, Google) are configured to not retain or train on your data. We have signed enterprise / API agreements with these providers that contractually prohibit training on inference data. This is verifiable in their respective DPAs (linked from our sub-processor list).
If we ever build a domain-specialist model (a possibility on our roadmap), it will be strictly opt-in, anonymized, and aggregated. You will see exactly what would be contributed before any of it leaves your tenant.
You have the following rights regarding your personal data:
To exercise any right: email hello@eubulia.eu with subject "GDPR request — [type]". We respond within 30 days (Art. 12(3)).
Eubulia uses only the minimum cookies needed to operate:
We do not use:
Specific technical and organizational measures are documented at /legal/security. In summary:
Eubulia is a B2B service intended for management consultants. We do not knowingly collect data from anyone under 16. If you become aware that a child has provided personal data to us, contact hello@eubulia.eu and we will delete it promptly.
Material changes are notified to active customers at least 30 days in advance via email and via banner in the application. Non-material changes (clarifications, typos) are made silently with the "Last updated" date refreshed at the top of this page.
Data controller: Søren Porskrog, Eubulia, Copenhagen, Denmark
Email: hello@eubulia.eu (GDPR matters: subject line "GDPR")
If you believe your data has been mishandled, please contact us first — we take privacy seriously and want to resolve concerns directly. You also have the right to lodge a complaint with your local supervisory authority. In Denmark, this is:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
datatilsynet.dk
If you are processing personal data of your own clients in Eubulia, you are the controller and we are your processor. Our standard DPA (GDPR Art. 28) covers that relationship. Available on request from hello@eubulia.eu with subject "DPA request" — signable copy returned within 2 business days.