1. Who we are and scope
E.F VISIONSOFT LTD, a Cyprus private limited company with registration number HE 176128 ("VisionSoft", "we", "us" or "our"), provides B1Go. Our business contact address is 12 Stisichorou Street, Eleni Court, Floor 1, Office 101, 4156 Kato Polemidia, Limassol, Cyprus.
This Privacy Policy applies to the B1Go mobile application, the B1Go Backoffice Portal, B1Go APIs, licensing and device-management services, SAP Business One connectivity, webhooks, notification services, support, documentation and any related website or service that links to this Policy (together, the "Services").
This Policy is intended to explain our practices under Regulation (EU) 2016/679 (the General Data Protection Regulation or "GDPR"), Cyprus Law 125(I)/2018 and other applicable privacy and electronic-communications laws.
It does not govern third-party products or services that have their own privacy notices, including SAP Business One, Microsoft, Google, Cloudflare, app stores or telecommunications providers.
2. Our data-protection roles
For account administration, licensing, security, sales, support, service analytics and our own business operations, VisionSoft normally acts as data controller.
Where a customer uses B1Go to access, transmit, synchronize, store or otherwise process personal data held in the customer’s SAP Business One environment or entered by the customer’s authorized users, the customer is normally the controller and VisionSoft acts as processor on the customer’s documented instructions. The customer remains responsible for determining whether the processing is lawful, providing required notices and managing data-subject requests.
A separate signed order, support agreement or data processing agreement may provide additional or different details. If it conflicts with this Policy on processor obligations, that agreement controls for the relevant processing.
3. Personal data we process
Depending on how the Services are configured and used, we may process the following categories:
- Account and identity data: name, business email, telephone number, job role, display name, company affiliation, user permissions, preferred language and profile settings.
- Authentication and security data: password hashes, session identifiers, authentication tokens, multi-factor authentication details, SSO provider identifiers, email-verification status, IP addresses, IP-whitelist rules, security events and CAPTCHA or Turnstile verification results.
- Company and licensing data: company name, address, VAT number, contact details, SAP installation number, system identifier, company database identifier, subscription, trial, licence assignment, billing status and related commercial records. We do not intentionally store full payment-card details in B1Go.
- Device and application data: unique device and system identifiers, device name, platform, operating-system version, application version, SAP user code, user name, push-notification token, settings, authorizations and device activity.
- SAP and operational data: Service Layer connection information, encrypted credentials, selected SAP master-data identifiers, webhook events, document identifiers, transaction requests, failed-transaction payloads, administrator edits, status histories and information required to post or troubleshoot SAP Business One operations.
- Communications and support data: emails, SMS delivery records, support requests, attachments, feedback, help content and correspondence with us.
- Technical and usage data: request paths, timestamps, HTTP method, status codes, logs, error details, user agent, diagnostics, feature use and audit records.
- Notification data: recipient device, notification title and body, delivery status and related payload data.
- AI-assisted authoring data: only when an authorized portal administrator deliberately uses an AI help-authoring function, the prompt and selected help content may be sent to the configured AI provider.
4. Sources of personal data
We obtain data directly from users and customer administrators; automatically from browsers, devices and the B1Go application; from the customer’s SAP Business One environment and configured integrations; from Microsoft or Google when a user chooses SSO; from service providers that deliver email, SMS, push notifications or security checks; and from public or professional sources where necessary for customer due diligence, contracting or legal compliance.
5. Why we process personal data and our legal bases
- To create and administer accounts, authenticate users, provide trials, subscriptions, licences, device registration and the Services. Legal basis: performance of a contract or steps requested before entering a contract.
- To connect to SAP Business One, synchronize settings, process webhooks, store and retry failed transactions, deliver notifications and provide requested support. Legal basis: contract; and, for customer-controlled data, processing on the customer’s documented instructions.
- To secure the Services, prevent fraud and abuse, enforce access controls, maintain audit trails, diagnose incidents and protect our rights and systems. Legal basis: our legitimate interests and compliance with legal obligations.
- To manage customer relationships, invoices, accounting, licence usage and business communications. Legal basis: contract, legal obligations and legitimate interests.
- To improve reliability, usability and documentation using aggregated operational information and limited diagnostic data. Legal basis: legitimate interests, balanced against users’ rights.
- To send marketing communications where permitted. Legal basis: consent where required, or legitimate interests where applicable law allows; every electronic marketing message will provide an appropriate opt-out.
- To comply with tax, accounting, corporate, sanctions, law-enforcement and regulatory requirements and to establish, exercise or defend legal claims. Legal basis: legal obligation and legitimate interests.
- For any other purpose disclosed at collection, with consent where consent is the required legal basis.
Where we rely on legitimate interests, those interests include operating a secure enterprise service, supporting customers, preventing misuse, improving the Services and protecting VisionSoft, customers and users. You may object as described below.
6. Customer Data and SAP Business One content
B1Go is designed for business use and may process data belonging to the customer, its personnel, suppliers, customers or other individuals ("Customer Data"). VisionSoft does not determine the customer’s business purposes for that data. Customer administrators control users, device access, SAP credentials, settings, authorizations, workflows and much of the content submitted to the Services.
We process Customer Data only to provide, secure, support and maintain the Services; follow documented customer instructions; comply with law; or protect the Services and users. We do not sell Customer Data or use it for third-party advertising.
9. International data transfers
Some providers or support resources may process data outside Cyprus or the European Economic Area. Where EU/EEA personal data is transferred to a country without an adequacy decision, we use an approved transfer mechanism where required, such as the European Commission’s Standard Contractual Clauses, together with supplementary safeguards where appropriate. Information about relevant safeguards may be requested using the contact details below, subject to protection of confidential and security-sensitive information.
10. Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, including the duration of the customer relationship, account administration, support, security, backup recovery, dispute handling and legal, tax or accounting obligations.
Retention depends on the type of data, customer instructions, the sensitivity and volume of data, security needs, limitation periods and statutory obligations. Account, licence, invoice and contractual records may be retained after termination where required by law. Security and audit logs are retained for a period proportionate to incident detection and investigation. Failed transaction payloads and support material should be removed or anonymized when no longer required for recovery or support.
Deletion from active systems may not immediately remove data from protected backups; backup copies are isolated, access-controlled and overwritten according to the applicable backup cycle.
11. Security
We use technical and organizational measures designed to protect personal data, including role-based access, authentication controls, encryption of selected credentials and secrets, transport encryption, audit logging, tenant separation, backups, security monitoring and controlled administrative access.
No system is completely secure. Customers and users must protect credentials and devices, configure SAP and network access appropriately, apply updates, restrict administrators, review logs and notify us promptly of suspected compromise. Do not send passwords or secrets through ordinary email unless an approved secure method is used.
12. Your data-protection rights
Subject to the GDPR and applicable law, individuals may have the right to request access, correction, deletion, restriction, portability and information about processing; to object to processing based on legitimate interests or direct marketing; and to withdraw consent at any time without affecting earlier lawful processing.
Where VisionSoft acts as processor, requests concerning Customer Data should normally be directed to the relevant customer, employer or organization as controller. We will assist the controller as required by law and contract. We may need to verify identity and authority before acting, and legal exceptions may apply.
13. Automated decision-making and children
B1Go does not intentionally make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. Security systems may automatically block or challenge suspicious access, but authorized administrators can review account and access issues.
The Services are intended for business users who are at least 18 years old or otherwise legally capable of entering the relevant agreement. They are not directed to children. Customers must not knowingly create accounts for children or submit children’s data unless expressly agreed and lawful.
14. Personal-data incidents
If we become aware of a personal-data breach affecting data for which we act as processor, we will notify the relevant customer without undue delay after becoming aware, provide available information reasonably needed for the customer’s obligations and take appropriate mitigation measures. Controller notifications to individuals or authorities remain the controller’s responsibility unless the parties agree otherwise or law requires VisionSoft to notify directly.
15. Questions, requests and complaints
Contact us at info@visionsoft.com.cy, by telephone at +357 25 001138, or by post at 12 Stisichorou Street, Eleni Court, Floor 1, Office 101, 4156 Kato Polemidia, Limassol, Cyprus. Please state that the request concerns B1Go privacy and provide enough information for us to identify the relevant account and processing activity.
You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or another competent supervisory authority, particularly in the EEA country where you live or work or where an alleged infringement occurred. We encourage you to contact us first so we can investigate and respond.
16. Changes to this Policy
We may update this Policy to reflect legal, technical or service changes. The updated version will show a new effective date and version number. Material changes will be communicated through the Portal, the application, email or another reasonable channel before they take effect where required. Previous versions may be retained for audit and contractual reference.