Privacy Policy

Applicable Region — This Privacy Policy applies to Service Provider personnel residing in the European Economic Area (EEA), the United Kingdom, and other jurisdictions outside South Korea and Japan. Residents of Korea should refer to the Korean version. Residents of Japan should refer to the Japanese version when published.

Roovook Inc. (the "Company", "we", "us", or "our") protects the personal data of its Service Providers (Service Provider personnel) in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the ePrivacy Directive (2002/58/EC), the UK GDPR and Data Protection Act 2018, and other applicable data-protection laws. We provide this Privacy Policy to explain clearly how we process personal data and how data subjects can exercise their rights.

This Policy governs the personal data of Service Provider personnel (hotel / venue sales staff) collected and processed through business.roovook.com (the product marketing site), the EMS Dashboard (ems.roovook.com), and the email-integration feature. Personal data of general end-users (event organisers, booking requesters, and so on) is covered by the separate B2C Privacy Policy.


Article 1 (Purposes and Lawful Bases of Processing)

We process personal data for the purposes set out below. Each purpose is tied to one or more lawful bases under Article 6 GDPR. Personal data will not be used beyond these purposes; where purposes change materially, we will obtain fresh consent or rely on another appropriate lawful basis, with prior notice.

# | Purpose | Lawful basis (GDPR Art. 6)
1 | SaaS service delivery and account management — EMS account creation and authentication, access-rights management, subscription-state management | Art. 6(1)(b) Contract (performance of the SaaS agreement)
2 | Demo and sales-inquiry handling — receiving and responding to demo requests and adoption inquiries submitted via business.roovook.com | Art. 6(1)(b) Pre-contractual steps at the data subject's request
3 | Email integration — connecting a user's business email account (Microsoft Outlook via Microsoft Graph API; Gmail via Gmail API; IMAP/POP3-capable accounts) so that business email can be read, composed, sent, and deleted from within EMS | Art. 6(1)(b) Contract (core EMS feature provisioning). OAuth 2.0 scope authorisation (Gmail/Microsoft Graph) is obtained additionally as part of the technical authorisation flow required by the upstream provider, not as the GDPR lawful basis.
4 | Messenger connector (Slack, Microsoft Teams) — connecting external messaging platforms to forward customer-inquiry notifications to a Service Provider's internal work channel | Art. 6(1)(b) Contract (EMS connector feature). OAuth 2.0 installation authorisation (Slack/Teams) is obtained additionally as part of the technical authorisation flow required by the upstream provider, not as the GDPR lawful basis.
5 | Service improvement and statistical analysis — analysing service usage, developing new features, producing non-identifying statistics | Art. 6(1)(f) Legitimate interests
6 | Cross-border transfer to non-adequacy countries — transfer of personal data to the United States and other jurisdictions lacking an EU adequacy decision, where required to deliver the purposes above | Art. 6(1)(a) Consent

Note: Cross-border transfers additionally rely on Chapter V safeguards (Standard Contractual Clauses) as detailed in Article 6.


Article 2 (Categories of Personal Data Collected)

(1) Service Provider personnel account information

Category | Items
Required | Name, email address, phone number, affiliated venue/hotel name, job title
Optional | Profile photo, department name

(2) Demo / adoption-inquiry submissions

Category | Items
Required | Name, email address, phone number, venue/hotel name
Optional | Venue size, features of interest, other inquiry content

(3) Data collected during email integration

  • OAuth 2.0 method (Microsoft Outlook, Gmail): email subjects, bodies, attachments, sender/recipient information, and email metadata (date, read status, folder information). Data is accessed only within the scope explicitly authorised by the user through the OAuth 2.0 consent screen; the user's email password is never stored by Roovook.
    • Gmail API scopes: gmail.readonly, gmail.send, gmail.modify, gmail.settings.basic, userinfo.email
    • Microsoft Graph API scopes: Mail.ReadWrite, Mail.Send, User.Read, offline_access
  • IMAP/POP3 method: email address, password or app-specific password, mail-server address (IMAP/POP3/SMTP), port numbers. These credentials are encrypted at rest using AES-256 and stored in access-controlled systems. Accessed data includes email subjects, bodies, attachments, sender/recipient information, and metadata.

(4) Data collected automatically during service use

  • IP address, access timestamps, access logs, and page-use records
  • Device information (model, operating-system version), browser information
  • Information collected via cookies and similar tracking technologies

(5) Data collected via messenger connector integration

  • Slack/Teams workspace identifier, channel identifier, webhook URL or bot token
  • Notification payload content (inquiry customer name, inquiry summary, associated venue/property)
  • Installation metadata (installer user identifier, installation timestamp)
  • OAuth 2.0 access and refresh tokens (Slack) or app-authorisation record (Teams), encrypted at rest

We do not collect national-identification numbers, passport numbers, driving-licence numbers, or other unique government-issued identifiers from Service Provider personnel.


Article 3 (Retention Periods)

We retain personal data only for as long as necessary to achieve the processing purpose, or for the period required by applicable law, whichever is longer.

  • Default: Personal data is deleted without undue delay once the purpose is achieved.
  • EMS account information: Retained for the duration of the SaaS subscription; deleted within 30 days of subscription termination.
  • Email-integration data: Deleted immediately upon disconnection of the integration; OAuth 2.0 access tokens and refresh tokens are revoked and discarded at that point. On account termination, all integration-related data is deleted within 30 days.
  • Demo / adoption-inquiry data: Retained for 1 year after the inquiry is resolved; if a contract is concluded, retained for the duration of the contract.
  • Legal-retention obligations (where Korean consumer-protection records are involved for cross-border transactions):
    • Contract and order-withdrawal records — 5 years
    • Payment and supply records — 5 years
    • Website and app access logs — 3 months

Article 4 (Processors — Art. 28 GDPR)

We engage the following processors under Article 28 GDPR. Each processor is bound by a written agreement that requires (i) processing only on our documented instructions, (ii) confidentiality commitments for authorised personnel, (iii) appropriate technical and organisational security measures, (iv) engagement of sub-processors only with prior authorisation, (v) assistance with data-subject rights and breach response, and (vi) deletion or return of personal data at the end of the engagement.

Processor | Service provided
Google LLC — Japan (Tokyo region data centre, asia-northeast1); operating entity: Google LLC (United States) | Google Cloud Platform infrastructure (hosting, data storage, network). All Roovook GCP workloads (Cloud Run, App Engine, Cloud SQL, Cloud Storage) run in the Tokyo region; user data is physically stored in Japan.
Anthropic, PBC (United States) | Automated summarisation / classification of inquiries for internal workflow (Claude API). Data is not used for model training.
OpenAI, L.L.C. (United States) | Automated summarisation / classification of inquiries for internal workflow (GPT API). Data is not used for model training.
Google LLC (United States) | Automated summarisation / classification of inquiries for internal workflow (Gemini API). Data is not used for model training.
Microsoft Corporation (United States) | EMS email integration: Outlook email read/send via Microsoft Graph API (OAuth 2.0)
Google LLC (United States) | EMS email integration: Gmail read / compose / send via Gmail API (OAuth 2.0). Data is not used for AI training.
Slack Technologies LLC (a Salesforce company, United States) | EMS external-channel integration: delivery of customer-inquiry notifications to Slack workspace channels (Slack Bot OAuth 2.0)
Microsoft Corporation (United States) | EMS external-channel integration: delivery of customer-inquiry notifications to Microsoft Teams channels (Graph API, OAuth 2.0)
Return Zero, Inc. (Korea) | Speech-to-text conversion of call recordings (VITO API). Transcripts are used solely for consultation review and summarisation.
Dawoo Technology Co., Ltd. (Korea) | Transactional and notification messages (SMS, LMS, email, KakaoTalk AlimTalk)

Where we add or replace a processor, we will update this Policy and give advance notice before the change takes effect.


Article 5 (Role Allocation — Controller / Processor)

Roovook's role under Art. 28 GDPR varies by data type:

(a) Service Provider personnel data (name, work email, role, EMS account credentials) — Roovook acts as controller for account management, authentication, and billing (Art. 2 items 1, 2, 4).

(b) Email inbox content processed via OAuth (Gmail / Microsoft Graph) and messenger notification content (Slack / Teams) — Roovook acts as processor on behalf of the Service Provider (the employing hotel/venue), which is the controller for its own business communications and for any third-party personal data contained therein. Roovook processes such data strictly on documented instructions from the Service Provider (embodied in the EMS Terms of Service and the Data Processing Agreement).

(c) Upstream providers — Google (Gmail API, Gemini) and Microsoft (Graph API, Teams) act as independent controllers in respect of their direct end-user relationships, and as sub-processors to Roovook for the specific data accessed on behalf of the Service Provider under this scope.


Article 6 (International Transfers — Art. 44–49 GDPR)

To operate the service we rely on cloud, AI, and email-platform services located outside the EEA and the United Kingdom. The following transfers take place:

Roovook's core Google Cloud Platform infrastructure (Cloud Run, App Engine, Cloud SQL, Cloud Storage, and related services) operates in the asia-northeast1 (Tokyo) region. User data stored on this infrastructure physically resides in Japan. Transfers from the EEA or United Kingdom to Japan are covered by the European Commission's adequacy decision for Japan (Commission Implementing Decision (EU) 2019/419, and the analogous UK adequacy regulations); no further supplementary safeguards (such as Standard Contractual Clauses) are required for this data location. The transfers listed in the table below apply only to data shared with providers or entrustees outside Japan.

Recipient | Country | Data transferred | Purpose | Transfer mechanism | Country's protection framework | Safeguards applied
Anthropic, PBC | United States | Inquiry content and minimum data required for processing | Internal summarisation / classification (Claude API) | Standard Contractual Clauses (Art. 46(2)(c)) | Sectoral privacy laws; EU–US DPF provides adequacy for certified recipients | Encrypted API calls; data not retained beyond request processing; not used for model training
OpenAI, L.L.C. | United States | Inquiry content and minimum data required for processing | Internal summarisation / classification (GPT API) | Standard Contractual Clauses (Art. 46(2)(c)) | Same as above | Encrypted API calls; data not retained beyond request processing; not used for model training
Google LLC | United States (Vertex AI, us-central1) | Inquiry content and minimum data required for processing | Internal summarisation / classification (Gemini API) | Standard Contractual Clauses (Art. 46(2)(c)) + EU–US DPF where applicable | Same as above | Encrypted API calls; data not retained beyond request processing; not used for model training
Microsoft Corporation | United States | Email subjects, bodies, attachments, sender/recipient information, metadata | EMS email integration (Outlook, Microsoft Graph API) | Standard Contractual Clauses (Art. 46(2)(c)) + EU–US DPF where applicable | Same as above | OAuth 2.0 scoped access; tokens encrypted; deleted immediately on disconnection; 30 days on account termination; not used for AI/ML training (per Microsoft Customer Data terms)
Google LLC | United States | Email subjects, bodies, attachments, sender/recipient information, metadata | EMS email integration (Gmail API) | Standard Contractual Clauses (Art. 46(2)(c)) + EU–US DPF where applicable | Same as above | OAuth 2.0 scoped access; tokens encrypted; deleted immediately on disconnection; 30 days on account termination; not used for AI training
Slack Technologies LLC (Salesforce, Inc.) | United States | Customer-inquiry notification content (name, inquiry summary) | EMS external-channel integration (Slack Bot) | Standard Contractual Clauses + EU–US DPF where applicable | Same as above | OAuth 2.0 scoped access; deleted on disconnection
Microsoft Corporation | United States | Customer-inquiry notification content (name, inquiry summary) | EMS external-channel integration (Teams, Graph API) | Standard Contractual Clauses + EU–US DPF where applicable | Same as above | OAuth 2.0 scoped access; deleted on disconnection
Dawoo Technology Co., Ltd. | Korea | Recipient contact identifiers (email, phone, KakaoTalk ID) | SMS/LMS/email/KakaoTalk AlimTalk delivery | Adequacy Decision — Korea (Commission Implementing Decision (EU) 2022/254) | Korea PIPA; independent supervisory authority PIPC; adequacy-decision country | Contractual DPA; scoped access

Note: The Google LLC GCP infrastructure transfer previously listed in this table is covered by the Japan adequacy decision and is no longer enumerated separately. It is disclosed in Article 4 (Processors).

Adequacy references: Japan benefits from an EU adequacy decision under Article 45 GDPR (Commission Implementing Decision (EU) 2019/419), so transfers from the EEA to Japanese recipients do not require additional safeguards. The Republic of Korea similarly benefits from an EU adequacy decision (Commission Implementing Decision (EU) 2022/254) of 17 December 2021.

Service Provider personnel have the right to object to cross-border transfers that rely on consent. Objecting may limit the availability of some features; we will explain the impact before processing the objection.


Article 7 (Management of Email-Integration Data)

(1) Disconnection and permission revocation

A user may disconnect the email integration at any time:

  • Within EMS: Settings menu → disconnect the email account.
  • Microsoft Outlook: revoke the "Roovook EMS" permission at account.microsoft.com/consent/manage. For Microsoft 365 organisational accounts, administrators can revoke app consent at entra.microsoft.com.
  • Gmail: revoke the "Roovook EMS" permission at myaccount.google.com/permissions.
  • IMAP/POP3: disconnecting in EMS triggers immediate deletion of the stored credentials (including passwords).

On disconnection, cached email data and OAuth 2.0 tokens are immediately deleted and revoked.

(2) Data-deletion requests

Independent of integration disconnection, a user may request deletion of specific data by emailing support@roovook.com; we process such requests within 30 days. On account termination, all email-integration data (cache, tokens, metadata) is fully deleted within 30 days.

(3) Access limitations

Roovook processes email data exclusively through automated systems; staff do not inspect individual email content directly. Access by staff is permitted only with the user's explicit consent (e.g., technical support), for security-incident investigation, or to fulfil a legal obligation, and is logged.


Article 8 (Google API Services User Data Policy)

  1. Roovook's use of Gmail API data, and any transfer of information received from the Gmail API to other apps, complies with the Google API Services User Data Policy, including the Limited Use requirements.
  2. Roovook does not use Google Workspace API data to develop, improve, or train generalised AI and/or ML models.
  3. Email data accessed via the Gmail API is used solely to provide the user-requested email-management features (read, compose, send).
  4. Roovook does not sell Gmail-API-derived user data to advertising platforms, data brokers, or other third parties.
  5. Roovook does not use Gmail-API-derived user data for advertising purposes, including retargeting, personalised advertising, and interest-based advertising.
  6. Roovook does not use Gmail-API-derived user data for credit assessment, loan-underwriting, or similar purposes.

Microsoft Graph API Compliance

Our use of information received from the Microsoft Graph API adheres to the Microsoft Graph API Terms of Use and the Microsoft Services Agreement. Data accessed via Microsoft Graph is used solely to provide the user-requested email-management features; it is not used to train generalised AI or ML models, and is not transferred or sold to third parties.


Article 9 (Cookies and Automatic Collection — ePrivacy + Art. 7 GDPR)

(1) What cookies are

Cookies are small files that a website transmits to the user's browser and which may be stored on the user's device. We use cookies and similar tracking technologies to operate the service and to provide certain features.

(2) Consent model — prior opt-in with reject-all parity

  • Strictly-necessary cookies (login session, security, CSRF protection): set on service use; no consent is required pursuant to Article 5(3) of the ePrivacy Directive.
  • Functional, analytics, and marketing cookies: set only after the user has given prior, informed, freely given, specific, and unambiguous opt-in via our cookie banner. The banner provides "Accept all" and "Reject all" with equivalent visual prominence. Consent is recorded, revocable at any time, and can be adjusted via the "Cookie Preferences" link in the site footer.

(3) Third-party tools (loaded only with the relevant consent)

Cookie / Tool | Provider | Purpose | Category | Lifetime | Transfer country
Google Analytics (_ga, _ga_<stream-id>, _gat_<property>) | Google LLC | Visit statistics, page-dwell time, traffic-source analysis | Analytics | _ga 2 years · _ga_* 2 years · _gat_* 1 minute | United States
Google Tag Manager | Google LLC | Tag management (does not set its own cookies; cookies are set by the tools loaded through it) | Functional |  | United States
Hotjar (_hjSessionUser_<site>, _hjSession_<site>, _hjAbsoluteSessionInProgress, _hjFirstSeen) | Hotjar Ltd. | User-behaviour (scroll/click/heatmap) analysis and UX improvement | Analytics | User cookies 365 days · Session cookies 30 minutes | Malta (EU, Hotjar Ltd. headquarters) and United States (Contentsquare sub-processing following acquisition)
Microsoft Clarity (_clck, _clsk, MUID, ANONCHK) | Microsoft Corporation (loaded via Google Tag Manager container) | User behavioural analytics (clicks, scrolls, session replay) | Analytics | _clck 1 year · _clsk 1 day · MUID 13 months · ANONCHK 10 minutes | United States
Naver Premium Log (NNB, _npcmp) | NAVER Corp. | Naver-referral visit statistics | Analytics | 1 year | Korea
Kakao SDK | Kakao Corp. | Kakao-account social-login authentication (session-based) | Essential (at login) | Session | Korea
Facebook SDK (fr) | Meta Platforms, Inc. | Facebook-account social-login authentication | Essential (at login) | 90 days | United States
Firebase Authentication | Google LLC | Phone/email/social-account authentication (not cookie-based; uses IndexedDB / session storage) | Essential | IndexedDB / session storage | United States

Roovook does not use marketing pixels such as Meta Pixel or TikTok Pixel. The Facebook SDK is used exclusively for social login authentication and is distinct from the behavioural-tracking Meta Pixel.

Information collected by these tools includes cookie identifiers, IP address, device/browser metadata, and page-use records. Social-login SDKs process only the minimum data needed for authentication (account identifier, authentication token); names, phone numbers, and other identifiers are not passed to analytics tools.

(4) Rejecting cookies

A user may decline cookies at any time via (i) the cookie banner (available on first visit and re-invocable from the "Cookie Preferences" link), or (ii) browser settings. Rejecting strictly-necessary cookies may impair core service functionality.


Article 10 (Security Measures — Art. 32 GDPR)

Taking into account the state of the art, implementation cost, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:

  1. Organisational measures: written internal security plan; periodic data-protection training for staff and processors; role-based access-control procedures; documented incident-response playbook; annual CASA security assessment for Gmail restricted scopes.
  2. Technical measures: access control to personal-data processing systems; encryption of passwords and key personal data at rest (AES-256, including IMAP/POP3 credentials) and in transit (TLS 1.2+); intrusion-detection and intrusion-prevention systems; log retention and periodic log review; OAuth-token rotation and revocation tracking; anti-malware controls.
  3. Physical measures: controlled access to server rooms and document-storage facilities.
  4. Resilience: Systems are designed to maintain confidentiality, integrity, availability and resilience of processing, including redundancy, failover, and load balancing across multiple Google Cloud zones (Art. 32(1)(b)).
  5. Restoration: We maintain daily encrypted backups with documented restoration procedures, tested quarterly, to ensure timely recovery from incidents (Art. 32(1)(c)).
  6. Testing: Security controls are subject to regular testing, assessment and evaluation, including annual penetration tests and ongoing vulnerability scans (Art. 32(1)(d)).

Article 11 (Personal Data Breach Response — Art. 33–34 GDPR)

  • Supervisory authority notification (Art. 33): On becoming aware of a personal-data breach, we notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after awareness, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, we accompany the delayed notification with reasons for the delay.
  • Data-subject notification (Art. 34): Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate the breach to affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken or proposed.
  • Controller notification where Roovook acts as processor: Where Roovook processes personal data on behalf of a Service Provider as processor (Article 5), we notify the relevant Service Provider (controller) without undue delay upon becoming aware of a breach, in accordance with Art. 33(2) GDPR and the applicable DPA.
  • Internal logging: We document all breaches, their effects, and the remedial action taken, in a breach register made available to the supervisory authority on request.

Article 12 (Data-Subject Rights — Art. 15–22 GDPR)

Subject to the conditions in the GDPR, Service Provider personnel have the following rights with respect to their personal data:

Right | GDPR Article | Description
Right of access | Art. 15 | Confirm whether we process your personal data and obtain a copy
Right to rectification | Art. 16 | Correct inaccurate personal data or have incomplete personal data completed
Right to erasure ("right to be forgotten") | Art. 17 | Request deletion where grounds apply (e.g., purpose achieved, consent withdrawn)
Right to restriction of processing | Art. 18 | Pause processing under specified conditions
Right to be informed of recipients | Art. 19 | Obtain information on recipients to whom your personal data has been disclosed, where a rectification, erasure or restriction request has been made.
Right to data portability | Art. 20 | Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
Right to object | Art. 21 | Object to processing based on legitimate interests (Art. 6(1)(f)) or to direct marketing
Rights related to automated decision-making | Art. 22 | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Roovook does not currently perform such automated decision-making; any change will be communicated in advance.
Right to lodge a complaint | Art. 77 | Lodge a complaint with a supervisory authority (see Article 14)

How to exercise: Contact us by email (support@roovook.com) or via the in-product support form. We will respond within one month (30 days) of receipt pursuant to Art. 12(3) GDPR; this period may be extended by up to two further months for complex or numerous requests, in which case we will notify you of the extension and the reasons within the first month. No fee is charged unless the request is manifestly unfounded or excessive.

Where Roovook acts as processor (email integration and messenger connector), requests concerning that data should be directed first to the Service Provider (controller); Roovook will assist the controller in responding, as required by Art. 28(3)(e) GDPR.

Verification: We may ask for information reasonably necessary to confirm your identity. A data subject may also act through an authorised representative on presentation of valid authority.


Article 13 (Consent Withdrawal — Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time, as easily as you gave it, without affecting the lawfulness of processing based on consent before its withdrawal.

Concrete withdrawal paths:

  • Email integration: disconnect in EMS Settings, or revoke the app permission directly in Google / Microsoft account settings (see Article 7).
  • Messenger connector (Slack, Teams): disconnect in EMS Settings or uninstall the app from the Slack/Teams workspace.
  • Marketing communications: unsubscribe link at the foot of every marketing email, or in account settings under "Communication preferences".
  • Non-essential cookies: the "Cookie Preferences" link in the site footer (re-invokes the cookie banner with Reject-all parity).
  • Cross-border transfer consent: by emailing support@roovook.com. We will confirm the scope of service that can still be provided without the transfer.
  • Account and all consent-based processing: by closing your account via account settings, or by emailing support@roovook.com.

Withdrawing consent does not affect other lawful bases that may still apply to the same data (for example, statutory retention or SaaS-contract performance).


Article 14 (Data Protection Officer and Supervisory Authorities)

Data Protection Officer (DPO) / Privacy Contact

EU Representative (Art. 27 GDPR)

Roovook has not appointed an EU representative under Article 27 at this time; our processing of EEA residents' data presently occurs on an occasional, low-risk basis. On formal EU market expansion we will appoint and publish an Article 27 representative, with designated contact details, by updating this Policy prior to launch.

Supervisory authorities

Data subjects in the EEA have the right to lodge a complaint with the data protection authority in their EU member state. The directory of supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.


Article 15 (Revision History and Notice)

This Policy takes effect on its effective date. Where we make additions, deletions, or corrections driven by law or policy changes, we will publish the amended Policy via in-service notice at least 7 days before effect; for changes that are materially adverse to data subjects, we will give at least 30 days' prior notice and, where required, obtain fresh consent.

Version | Effective | Summary of changes
1.0 | 2026-04-17 | Initial publication (separated from the B2C Privacy Policy); English version drafted under GDPR (Regulation (EU) 2016/679) and ePrivacy Directive. Includes Art. 6 lawful-basis mapping, Art. 28 processor table, Art. 44–49 international-transfer table with SCC mechanism and country-protection framework, Art. 33–34 72-hour breach notification (with controller-notification clause for Roovook's processor role), Art. 15–22 data-subject rights set with 30-day response, Art. 7(3) consent-withdrawal paths, controller/processor role allocation (Art. 5), Google API Services User Data Policy compliance, DPO / Art. 27 EU-representative statement.
1.1 | 2026-04-24 | Email-integration OAuth scope update — added gmail.settings.basic (signature, vacation responder, and filter configuration access) for Gmail. Added Mail.ReadWrite (Outlook mail read/write, draft save, folder management) and removed the Mail.Read entry that was not actually requested (Mail.ReadWrite already supersedes it with read access) for Microsoft Graph. Scope lists in Section 2(3) updated accordingly.

Last updated: 24 April 2026