Back to senga
Privacy

Privacy Policy

How we handle the information you trust us with — and the rights you have over it.

Last updated January 15, 2026

The short version: we collect the minimum data needed to run senga; we never sell it; we host inside the EU; and you can export, correct, or delete it at any time. If we're processing your customers' data on your behalf, we do so under our Data Processing Agreement.

1. Who we are

This Privacy Policy explains how LOBI-SYSTEMS SRL (“Lobi Systems”, “we”, “us”), the company behind senga, processes personal data when you visit senga.lobi-systems.com, sign up for an account, or use the senga product (collectively, the “Services”).

LOBI-SYSTEMS is a Belgian company headquartered at Mons, Belgium. For questions about this policy or to exercise your rights, write to [email protected].

When you operate a senga instance to process data about your own customers, employees, or business contacts, you are the data controller for that data and we act as your data processor. The terms governing that relationship live in our Data Processing Agreement.

2. What we collect

We collect the minimum data needed to run the Services:

  • Account data — name, work email, role, company, and authentication credentials.
  • Billing data — billing address, VAT number, and invoice history. Card details are handled directly by our PCI-DSS-compliant payment processor; we never store card numbers.
  • Product usage data — anonymous metrics about which features you use, when, and from which region. We never log the content of your queries or your customers' data as part of usage telemetry.
  • Communications — emails, support chats, contact form submissions, and any other messages you send us.
  • Cookies — a single first-party session cookie for authenticated areas. No advertising cookies, no cross-site tracking.

3. How we use it

We use personal data to:

  • Operate, secure, and improve the Services.
  • Authenticate you and protect your account.
  • Bill you for the Services you use.
  • Respond to your support requests.
  • Send you operational updates (security advisories, billing notices, important changes to the Services). You cannot opt out of these because they are necessary for the contract.
  • Send you product updates if you have opted in. You can unsubscribe at any time from any product email.
  • Comply with our legal obligations.

4. Lawful bases (GDPR)

We process personal data on the following bases:

  • Contract (Art. 6(1)(b) GDPR) — to provide the Services to you.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to keep the Services secure, prevent abuse, and improve the product.
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, and other applicable laws.
  • Consent (Art. 6(1)(a) GDPR) — for product update emails and any optional data we ask for explicitly.

5. How long we keep it

We keep personal data only as long as needed for the purpose it was collected for:

  • Account data: while your account is active, plus 30 days after deletion.
  • Billing data: ten (10) years, as required by Belgian accounting law.
  • Product usage data: rolling 24 months in aggregate.
  • Support messages: 36 months from last reply.
  • Backups: encrypted, rotating 30-day retention window.

6. Who we share it with

We do not sell personal data. We share it only with:

  • Subprocessors we rely on to deliver the Services (hosting, billing, email, error monitoring). The current list is published in our DPA.
  • Authorities when compelled by a binding legal order. We notify the affected user before complying unless doing so is unlawful.
  • Successors in the event of a merger or acquisition, under strict confidentiality and with prior notice to you.

7. International transfers

The Services run inside the European Union. We do not transfer personal data outside the EU/EEA except where a subprocessor we engage operates outside it — in which case the transfer is covered by the European Commission's Standard Contractual Clauses (Module 2 or 3 as appropriate) plus supplementary measures where required.

8. Security

We protect data with industry-standard measures: TLS 1.3 in transit, AES-256 at rest, hardware-backed key management, least-privilege access controls, audit logging, and regular third-party penetration tests. Incident response procedures align with GDPR Art. 33 — we notify the affected supervisory authority within 72 hours and you without undue delay if we detect a breach affecting your data.

9. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You can exercise these rights at any time by writing to [email protected]. We respond within 30 days.

A short version of these rights with how to use them lives at our GDPR rights page.

If you believe we have not met our obligations, you can lodge a complaint with the Belgian Data Protection Authority or your local supervisory authority.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes are announced 30 days in advance via email and a banner on the Services. The effective date appears at the top of this page.

11. Contact

For any privacy-related question: [email protected].

For postal mail: LOBI-SYSTEMS SRL, Mons, Belgium.