Sidekick

Privacy Policy

Version 1.0.0 · Effective 2026-06-13. Previous versions are available on request from privacy@sidekick.mu.

This Privacy Policy explains how Beyond Digital Ltd (“Sidekick”, “we”) collects and processes personal data when you visit https://sidekick.mu or use the Sidekick web application. We act as a data controller for personal data of our own users (account holders, prospects, marketing subscribers) and as a data processor for personal data you upload into your workspace about your own clients (see the Data Processing Agreement).

We comply with the Mauritius Data Protection Act 2017 (the “DPA”) and, where applicable, with the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). Sidekick is registered with the Data Protection Office of Mauritius. [LAWYER REVIEW: confirm registration number / status before publishing.]

1. Controller & contact

  • Controller: Beyond Digital Ltd, [LAWYER REVIEW: insert registered address, Mauritius]
  • Data-protection contact: privacy@sidekick.mu
  • EU representative (Art. 27 GDPR): [LAWYER REVIEW: appoint if/when we onboard EU customers or process EU residents’ data at scale.]

2. Personal data we collect

2.1 Information you give us

  • Account: name, email, hashed password, business legal name, currency preference.
  • Business profile: trade name, BRN, VAT number, address, logo, bank details (for invoice footers).
  • Billing: tier, payment confirmations, bank-transfer references (we do not store full card data; manual upgrade is by bank transfer).
  • Support: messages you send to us by email, WhatsApp or in-app.

2.2 Information generated by your use of the Service

  • Session and authentication metadata (cookie token, last-used timestamp, user-agent).
  • Usage logs (pages viewed, features used, error traces).
  • AI prompt + response logs (retained for 30 days for abuse detection, then deleted).
  • Audit trails for electronic-signature workflows, including IP address and timestamps of each signing event — this is a legal requirement under the Electronic Transactions Act 2000.

2.3 Information from your devices

  • IP address, browser type, language, approximate location derived from IP.
  • Cookies and similar technologies — see the Cookie Policy.

2.4 Customer Data you upload

When you add contacts, items, documents or attachments to your workspace, that data may contain personal data of third parties (your clients, suppliers, signatories). For that data you are the controller and we are the processor; our handling of it is governed by the DPA rather than by this Privacy Policy.

3. Why we process your data (purposes & lawful bases)

PurposeLawful basis
Create & operate your account; provide the ServiceContract (DPA s.28(b); GDPR Art. 6(1)(b))
Send transactional emails (verification, password reset, signature notifications, invoice receipts)Contract
Authenticate sessions; prevent fraud and abuse; rate-limitLegitimate interest in operating a secure service (DPA s.28(f); GDPR Art. 6(1)(f))
Comply with tax, accounting and anti-money-laundering lawLegal obligation (DPA s.28(c); GDPR Art. 6(1)(c))
Marketing emails (product news, tips, offers)Consent (DPA s.28(a); GDPR Art. 6(1)(a)) — opt-in tickbox, never pre-ticked
Analytics & product improvementConsent (cookie banner) where non-essential; legitimate interest for first-party server logs strictly necessary to operate the Service
Defend or pursue legal claimsLegitimate interest / legal obligation

4. Who we share data with

We never sell personal data. We share it only with:

  • Sub-processors who help us run the Service (hosting, email delivery, AI). The current list is published below and updated when it changes.
  • Tax, accounting and legal advisers bound by professional confidentiality.
  • Authorities where required by a lawful order (court, MRA, FIU, Data Protection Office).
  • A successor entity in the event of a merger or asset sale, subject to a confidentiality undertaking.

4.1 Sub-processor list

Sub-processorPurposeLocation
Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage)Application hosting, database, file storageeurope-west1 (Belgium)
Postmark (ActiveCampaign LLC)Transactional & marketing email deliveryUnited States
Anthropic, PBCAI features (Free tier — Claude Haiku)United States
OpenAI, LLCAI features (Starter / Growth tiers)United States

Each sub-processor is bound by a written processing agreement, has been assessed for adequacy, and AI providers are configured to not use submitted data for model training.

5. International transfers

Application data is primarily hosted in the European Union (Belgium/europe-west1). Some sub-processors (email delivery, AI) operate from the United States. We rely on:

  • the EU Standard Contractual Clauses (Decision (EU) 2021/914), where required;
  • supplementary technical measures (TLS in transit, encryption at rest);
  • for transfers out of Mauritius, written authorisation from the Data Protection Commissioner where required by s.36 DPA.

6. How long we keep data

  • Active account data: for as long as your account is open.
  • Session records: 14 days from creation; cleared on logout.
  • Email-verification & reset tokens: 24 hours.
  • AI prompt/response logs: 30 days.
  • Invoices and signed documents: retained for the periods required by Mauritius tax law and the Electronic Transactions Act — up to ten (10) years from the document date.
  • Account closure: on a verified deletion request we erase active records within thirty (30) days, except records we are legally required to retain (which are placed beyond active use and erased at the end of the statutory period).
  • Marketing list: until you unsubscribe, with a final “suppression” record kept solely so we do not email you again.

7. Your rights

You have the following rights, exercisable free of charge:

  • Access a copy of your personal data (DPA s.37; GDPR Art. 15);
  • Rectification of inaccurate or incomplete data (Art. 16);
  • Erasure (“right to be forgotten”) subject to retention obligations (Art. 17);
  • Restriction of processing while a dispute is resolved (Art. 18);
  • Portability — a structured machine-readable export of your account data (Art. 20);
  • Object to processing based on legitimate interest or for direct marketing (Art. 21);
  • Withdraw consent at any time without affecting prior processing (Art. 7(3));
  • Lodge a complaint with the Data Protection Office of Mauritius (dataprotection.govmu.org) or, if applicable, with your EU supervisory authority.

Most rights can be exercised directly from Settings → Privacy & Data in the app. You may also email privacy@sidekick.mu. We respond within one (1) month.

8. Security

  • Passwords are stored as bcrypt hashes; we never see your plain-text password.
  • All traffic is encrypted in transit (TLS 1.2+).
  • Database and file storage are encrypted at rest by Google Cloud.
  • Row-Level Security in PostgreSQL prevents one tenant from reading another tenant’s data, even in the event of a query bug.
  • Production access is logged and limited to authorised engineers.
  • We will notify affected users and the Data Protection Office of a personal-data breach within seventy-two (72) hours of becoming aware, where the breach is likely to result in a risk to rights and freedoms.

9. Cookies

See the dedicated Cookie Policy for the list of cookies we set, how to control them, and how to withdraw consent.

10. Children

The Service is not directed at children under sixteen (16). We do not knowingly collect personal data from children. If you believe we hold data about a child, contact privacy@sidekick.mu and we will delete it.

11. Automated decision-making

We do not subject you to decisions producing legal or similarly significant effects based solely on automated processing.

12. Changes

We may amend this Policy. The version and effective date appear at the top. Material changes are notified by email or in-app banner at least fourteen (14) days before they take effect.