GDPR
The General Data Protection Regulation (GDPR) governs how organizations handle personal data of EU residents. This page is the operational reference for what Solid Accounting does to comply, what data we hold, and how to exercise your rights as a data subject.
What personal data we hold
Solid Accounting (the company) holds a deliberately narrow set of personal data on you, the customer:
| Field | Where | Why |
|---|---|---|
| Name | License server | Receipts, support, license records |
| Email address | License server | License delivery, billing receipts, optional release notifications |
| Billing address | Payment processor (Stripe) | Sales-tax compliance, invoice generation |
| Payment-method metadata (last 4, expiry) | Stripe | Payment processing |
| License keys + activation history | License server | Anti-piracy, support |
| Support tickets + email correspondence | Helpdesk system | Resolution + history |
| Cloud Backup blocks (if you opt in to managed B2) | Backblaze B2 | Encrypted blocks; we cannot read them |
What we don't hold:
- Your .solid file or any of its contents
- The names of your customers, vendors, employees
- The amounts on any of your invoices, bills, transactions
- Your bank credentials, account numbers, or balances
- Anything in your audit log
That data lives on your computer. Solid (the company) has no access to it.
Your rights as an EU data subject
Under GDPR you have the right to:
| Right | How to exercise |
|---|---|
| Access — see what data we hold on you | Email privacy@solidaccounting.com. Turnaround: 30 days max; usually same week. |
| Rectification — correct inaccurate data | Same email; we update the records and confirm. |
| Erasure ("right to be forgotten") | Same email. We delete what we can; license records have a 7-year retention requirement under tax law that we honor — see Erasure caveats below. |
| Portability — get your data in a machine-readable format | Same email. JSON export of everything we hold within 30 days. |
| Restriction — pause our processing | Effectively the same as deletion for our use case; we'll process the request the same way. |
| Objection — object to processing on legitimate-interest grounds | We process on contract (your purchase) and legal-obligation (tax) grounds, so objection is limited, but we'll engage case by case. |
| Lodge a complaint with a supervisory authority | Your home-country DPA. We won't try to dissuade this. |
Erasure caveats
Tax law in most jurisdictions requires retention of sales records for 7 years (varies by country). We retain license-purchase records for that period regardless of erasure requests, but we segregate them and stop using them for marketing or operational purposes. After 7 years, full deletion.
If you've supplied data via Cloud Backup (encrypted blocks via managed B2), erasure is immediate — the blocks are deleted from the destination. Note that we cannot decrypt them anyway, so all we're deleting is opaque ciphertext.
Lawful basis for processing
| Activity | Lawful basis |
|---|---|
| License sale + delivery | Contract (Article 6(1)(b)) |
| Tax-record retention | Legal obligation (Article 6(1)(c)) |
| Service emails (license delivery, renewal notices) | Contract |
| Marketing emails (release notes, blog) | Consent — opt-in only; opt-out at any time |
| Cloud Backup data processing | Contract; you elected this in setup |
| Bank Feeds via Plaid | Contract; you elected this in setup |
| Anti-fraud / abuse detection | Legitimate interest (Article 6(1)(f)) |
Sub-processors
We use these third parties to provide the service:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment method |
| Backblaze B2 | Cloud Backup managed storage | Encrypted blocks (we have no decryption key) |
| Plaid | Bank Feeds aggregation | Per-customer Plaid items; bank credentials never via us |
| Postmark | Transactional email delivery | Email addresses + email content |
| Cloudflare | CDN + DDoS protection for the marketing site | Standard web logs |
| GitHub (Solid's code repo) | Source-code hosting | None of yours |
| Anthropic | Used internally for screenshot agent | None of yours |
Each is GDPR-compliant in its own right. We have data-processing agreements with all of them where required.
Data residency for EU customers
For customers needing strict EU residency:
| Data | Default location | EU option |
|---|---|---|
| .solid file | Your computer (your residency) | — |
| Cloud Backup (managed) | US East (Backblaze B2) | Backblaze B2 EU region — set at Cloud Backup setup |
| Cloud Backup (BYO) | Whatever you configure | Use an EU bucket |
| License-server records | US | EU mirror in development; targeted Q4 2026 |
| Email delivery | US (Postmark) | EU option in development |
For maximum strictness right now: keep your .solid file in the EU (your computer + EU local backups), use Cloud Backup BYO with an EU bucket, accept that your license-purchase record (name, email, billing address, license key) is in the US until our EU mirror ships. That residual data is small and clearly within GDPR's permitted-transfer regime under Standard Contractual Clauses.
DPA (Data Processing Agreement)
Our standard terms include processing terms compatible with GDPR. For customers requiring a bilateral DPA on their own paper or our standard signed version:
- Email privacy@solidaccounting.com
- We respond within 3 business days
- Standard signature turnaround: 5-10 business days
- We charge nothing for DPAs — they're table-stakes
Breach notification
If we detect a breach affecting EU personal data, we notify the relevant DPA within 72 hours per Article 33, and notify affected customers without undue delay.
For customers, we go further: we publish a public incident report on solidaccounting.com/security/incidents within 30 days of any confirmed breach, even when notification isn't legally required.
Data Protection Officer
Our DPO is David Ford (privacy@solidaccounting.com). Pre-launch, this is a pragmatic rather than formal designation; post-launch we may delegate to a dedicated DPO if the size of the customer base warrants it.
Cross-references
- Compliance overview — full status table
- SOC 2 — privacy controls also covered under SOC 2 scope
- Security whitepaper — technical controls protecting personal data