Your Privacy is Our Priority
Applicable to: civai.eu, govgpt.nl, edugpt.nl and other CivAI services
Contact
1. Who are we
CivAI B.V.
Hoge Zand 39, 2512 EL Den Haag
Chamber of Commerce number: 98956221
2. Contact
3. When are we the controller and when the processor
CivAI as controller
For website visits, marketing, sales contact, contract management, invoicing and supplier administration, CivAI is generally the controller. CivAI determines the purposes and means of this processing and is responsible for compliance with the GDPR.
CivAI as processor
When an organisation such as a municipality, executive agency or educational institution uses our services (GovGPT, EduGPT, OrgGPT), CivAI generally processes personal data as a processor on behalf of that organisation. In that case, the customer is the controller and the agreements in the data processing agreement with the customer apply. CivAI processes this data exclusively on behalf of the customer.
4. What personal data do we process
Depending on your relationship with us, we may process the following categories of personal data:
We advise against entering special categories of personal data or criminal data unless this has been expressly agreed and appropriate safeguards have been put in place.
5. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases:
Performance of a contract
Performance of a contract or taking pre-contractual measures
Legitimate interest
Security, fraud prevention, improvement of services and limited B2B relationship management
Legal obligation
Such as fiscal retention obligations
Consent
Where required, such as for certain cookies or a newsletter
7. Sharing with third parties and sub-processors
We only share personal data with third parties when this is necessary for our services, when it is needed for support, or when we are legally obliged to do so.
Where we engage service providers as a processor or sub-processor, we conclude appropriate processing agreements.
8. Transfers outside the EEA
CivAI uses EU hosting as a starting point and strives to process personal data within the European Economic Area (EEA).
If a transfer outside the EEA is necessary, for example because a sub-processor is established in a third country, this only takes place:
- To a country with an adequacy decision by the European Commission, or
- With appropriate safeguards such as European Standard Contractual Clauses (SCCs), or
- On the basis of another derogation under Chapter V of the GDPR
When we engage sub-processors outside the EEA, we assess the level of protection and take additional measures where necessary. A list of sub-processors is available upon request.
9. Retention periods
We do not retain personal data longer than necessary for the purposes for which they are processed. In general, we apply the following retention periods:
| Type of data | Retention period |
|---|---|
| Contact data (prospects) | Up to 2 years after last contact unless a new relationship arises |
| Contact data (customers) | For the duration of the relationship and up to 2 years thereafter unless a longer period is needed for disputes or compliance |
| Support and communication | Up to 2 years after completion of the ticket or communication |
| Security logs | In principle up to 12 months unless a longer period is needed for incident investigation |
| Financial administration | 7 years (statutory retention obligation) |
| Customer data in the services | In accordance with the agreement and data processing agreement, deletion after end of agreement unless otherwise agreed |
For customer data, retention periods may vary depending on contractual agreements and archival legislation applicable to the customer.
10. Security
We take appropriate technical and organisational measures to secure personal data, including:
11. Your rights
Under the GDPR, you have the following rights, among others:
You can submit a request via privacy@civai.eu. We verify your identity and will respond in principle within 1 month. In complex cases, this period may be extended by 2 months.
When CivAI processes personal data as a processor, we forward requests to the controller and handle them in consultation with that party.
12. Complaints
If you have a complaint about the way we handle your personal data, we are happy to help you first via privacy@civai.eu. We aim to respond to complaints within 2 weeks.
If we cannot reach a satisfactory solution together, you have the right to file a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Website: autoriteitpersoonsgegevens.nl
Post: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag
13. Changes
We may update this privacy statement. The most recent version will be published on our website.