1. Who we are and how to contact us
This Privacy Policy applies to the processing of personal data carried out by
Sorbet Payments OÜ (“Sorbet”, “we”, “us”, “our”), a company registered in Estonia, with
its registered office at:
Harju maakond, Tallinn, Kristiine linnaosa,
Kotkapoja tn 2a-10, 10615, Estonia
We act as a data controller for personal data we process in connection with providing our Services, unless
otherwise stated.
You can contact us in privacy matters at: support@sorbet.ee.
2. Scope of this Privacy Policy
This Privacy Policy explains how we process personal data when:
- you use the Sorbet platform as a founder, employee, accountant or other authorised user of a client company;
- you visit our website or interact with us via email or other channels; or
- we process personal data for compliance, risk management or other legitimate business purposes.
This Policy does not cover the processing of personal data by your bank, payment institution, accountant,
or other independent controllers. Their privacy policies apply to their processing.
3. Categories of personal data we collect
Depending on how you use Sorbet, we may process the following categories of personal data:
- Identification data, such as name, personal identification code (where required), date of birth, ID document details.
- Contact details, such as email address, phone number, postal address, preferred language.
- Company and role information, such as company name, registry code, position, authorisations within the company.
- Banking and payment data, such as IBANs, account names, balances, transaction details, counterparty names and references, payment purpose and metadata provided by your bank or payment institution.
- Accounting and invoicing data, such as invoice details, VAT numbers, line items, supporting documents and categorisation data.
- Compliance data, such as information we may need for KYC/AML purposes, sanctions screening or fraud prevention, where legally required.
- Technical and usage data, such as IP address, device and browser type, access times, logs of actions performed in the Platform, and interactions with our emails.
- Communication data, such as messages sent to our support, notes from calls, and other correspondence.
- Cookies and similar technologies, used on our website to remember your preferences, secure sessions, and understand how the site is used (see Section 10).
4. Where we get your data from
We obtain personal data from several sources:
- directly from you, when you create an account, provide information in the Platform, or contact us;
- from your company, if your employer or client adds you as a user or provides your details for onboarding;
- from banks, payment institutions and other financial providers you connect to Sorbet, via AIS/PIS or similar interfaces;
- from accounting tools and other third‑party systems you choose to integrate with Sorbet;
- from publicly available sources and registers, where required for compliance or verification purposes; and
- from our service providers (e.g. analytics, communication tools) in connection with your use of our Services.
5. Purposes and legal bases for processing
We process personal data only when we have a valid legal basis under the General Data Protection Regulation
(“GDPR”) and applicable Estonian law. The main purposes and legal bases include:
- Providing and operating the Services
  To create and manage your Account, connect bank accounts, show balances and transactions, initiate payments, generate exports and generally run the Platform.
  Legal basis: performance of a contract or taking steps at your request before entering into a contract.
- Compliance with legal obligations
  To fulfil obligations arising from financial, tax, accounting, anti‑money laundering, sanctions and other applicable laws and regulatory guidance.
  Legal basis: compliance with legal obligations.
- Security and fraud prevention
  To protect the Platform and our users against unauthorised access, abuse, fraud and cyber threats, and to maintain logs and audit trails.
  Legal basis: legitimate interests in ensuring security and integrity of our Services, and in some cases legal obligations.
- Improving and developing Sorbet
  To analyse how the Platform is used, troubleshoot issues, test new features and improve user experience.
  Legal basis: legitimate interests in developing and improving our services.
- Business communications
  To send service‑related notifications, respond to your enquiries, and share information relevant to your use of Sorbet.
  Legal basis: performance of a contract and legitimate interests in maintaining our relationship with you.
- Marketing (limited and optional)
  To send you information about new features or offerings where permitted.
  Legal basis: your consent where required, or our legitimate interests, subject to your right to opt out at any time.
6. How we share personal data
We do not sell your personal data. We may share personal data with:
- Banks and payment institutions you connect to Sorbet, in order to retrieve account information and initiate payments, within the scope of your consents.
- Accounting firms and other professional advisers you grant access to, so they can view and export the data they need to serve you.
- Service providers who help us deliver the Services, such as cloud hosting, analytics, logging, customer support and email providers. These providers act as processors on our instructions and under data protection agreements.
- Group companies or future affiliates, where necessary for internal administration or provision of the Services, subject to appropriate safeguards.
- Authorities and regulators, where we are legally obliged or allowed to do so, for example in response to lawful requests or to report suspicious activity.
- Other third parties in connection with a merger, acquisition, reorganisation or similar corporate transaction, in which case we will take steps to ensure your data remains protected.
When we share data, we limit it to what is necessary for the specific purpose and require third parties to handle it securely and lawfully.
7. International transfers
Our core infrastructure is hosted in the European Economic Area (“EEA”). However, some of our service providers or partners may be located outside the EEA or may access data from such locations.
Where personal data is transferred outside the EEA, we will ensure that appropriate safeguards are in place, for example:
- an adequacy decision of the European Commission; or
- standard contractual clauses or other lawful transfer mechanisms.
You can contact us if you would like more information about international transfers relevant to your use of Sorbet.
8. How long we keep personal data
We keep personal data only for as long as necessary for the purposes described in this Policy, or as
required by law.
Retention periods depend on the type of data and context of processing. For example:
- account and transaction data may be retained for several years to comply with financial and tax regulations;
- records related to anti‑money laundering or sanctions may need to be kept for periods prescribed by law;
- support communications and logs may be kept for a reasonable time for audit, security and training purposes; and
- data processed based on consent (e.g. certain marketing) will generally be kept until you withdraw your consent or the data is no longer needed.
When data is no longer needed, we will delete it or irreversibly anonymise it, unless we are legally required to keep it longer.
9. Your rights under data protection law
Under the GDPR and applicable Estonian data protection laws, you have several rights regarding your personal data, subject to certain conditions and limitations:
- Right of access – to obtain confirmation whether we process your personal data and receive a copy of it.
- Right to rectification – to have inaccurate or incomplete personal data corrected.
- Right to erasure – to request deletion of your personal data, for example where it is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing – to request that we limit the processing of your data in certain circumstances.
- Right to data portability – to receive personal data you provided to us in a structured, commonly used and machine‑readable format and to transmit it to another controller, where technically feasible.
- Right to object – to object to processing based on our legitimate interests, including profiling based on those interests, and to object to direct marketing at any time.
- Right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise these rights, please contact us at support@sorbet.ee. We may need to verify your identity before responding to your request.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate
(Andmekaitse Inspektsioon) or with your local data protection authority if you believe your data protection rights have been violated.
10. Cookies and similar technologies
Our website uses cookies and similar technologies to make the site work, to remember your choices, to
enhance security and to understand how visitors use the site.
Depending on your location and applicable law, we may ask for your consent to use certain non‑essential
cookies (for example analytics or marketing cookies). You can usually manage your cookie preferences via
the cookie banner or your browser settings.
Some cookies are strictly necessary for the functioning of the website and cannot be disabled without
affecting core functionality.
11. Children’s data
Sorbet’s Services are intended for business customers and are not directed at children. We do not knowingly
process personal data of individuals under 18 years of age in the context of providing the Platform. If you
believe that we have unintentionally collected such data, please contact us so we can address the issue.
12. Security of your personal data
We take security seriously and operate Sorbet under an ISO 27001‑certified information security
management system. We implement technical and organisational measures designed to protect personal data
against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Measures include (among others) access controls based on need‑to‑know, encryption in transit and at rest
where appropriate, logging and monitoring of key systems, and regular reviews of our security posture.
More information about our security approach is available on our Security page.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our Services,
applicable laws or best practices.
When we make material changes, we will notify you in a reasonable way, for example via the Platform, by
email, or by posting a notice on our website. The “Last updated” date at the top of this Policy indicates
when it was last revised.
Your continued use of the Services after changes become effective will be considered acceptance of the
updated Privacy Policy. If you do not agree with the changes, you should stop using the Services and, if
applicable, close your Account.
14. Contact and complaints
If you have any questions, concerns or requests regarding this Privacy Policy or our processing of your
personal data, please contact:
Sorbet Payments OÜ
Email: support@sorbet.ee
You also have the right to lodge a complaint with:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Or with the data protection authority in the EU/EEA country where you live or work, or where you believe a breach has occurred.