Privacy Policy | soev.ai

This is the privacy policy of Gradient Data Science B.V., trading as Soev.ai, established at Dunantstraat 8, 3024 BC Rotterdam and registered with the Kamer van Koophandel under number 92267548 (hereinafter: "Soev.ai", "we", "us" or "our").

In this policy, we explain how we handle Personal Data of visitors to our website, (prospective) clients, users of the Soev.ai Platform, and other Data Subjects with whom we interact. We describe which Personal Data we process, the purposes for which we do so, and how we safeguard this data with appropriate care.

Soev.ai provides a platform for sovereign AI, including chatbots, AI agents, and knowledge retrieval within the organisation's own environment. For certain processing activities, we act as Data Controller (for example, for our own administration, sales, and support); for other processing activities, we act as Data Processor on behalf of our clients. In the latter case, the specific arrangements are laid down in a separate Data Processing Agreement with the relevant client.

We attach great importance to transparency and careful data protection. Accordingly, we process Personal Data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy legislation.

How we obtain Personal Data

When you use our website, the Soev.ai Platform, or otherwise interact with us, you leave certain data with us. This may include Personal Data: data that can be directly or indirectly traced back to you. In principle, we only process Personal Data that you provide to us yourself or that is necessary for the use of our services, or data for which it is clear upon submission that it is being provided to us for processing.

We may collect Personal Data from you in the following ways:

When you provide Personal Data to us via our website, for example through a contact form, demo request, or other web form.
When you contact us by email, telephone, or other channels (for example via a button on our website or a calendar/scheduling tool).
When your organisation becomes a client of Soev.ai and we receive contact and user data in connection with entering into and performing the SaaS agreement.
When you, as an End User, are assigned an Account within the Soev.ai Platform and your data is provided by or on behalf of your employer/client (our client).
When technical data is automatically collected during your visit to our website or use of the Soev.ai Platform, for example via log files and (where applicable) cookies or similar technologies.
When we obtain Personal Data about you from third parties or public sources, such as the Trade Register of the Kamer van Koophandel, where this is necessary in connection with our services or relationship management.

The exact Personal Data we process depends on your role (for example, website visitor, representative of a client, or End User of the Soev.ai Platform) and the manner in which you interact with us and our services.

Types of Personal Data we process

When you use our website, interact with us, or use the Soev.ai Platform, we may process the following categories of Personal Data about you:

Identification and contact data: such as your first and last name, (business) email address, telephone number, job title, and organisation name.
Account and usage data (Soev.ai Platform): such as your username, role/permissions within the platform, login times, log data, and actions within the platform (for example, creating agents, prompts, or integrations).
Engagement, contract, and communication data: data you provide when submitting a demo or information request, entering into a SaaS agreement, support requests, or other forms of contact, including the content of emails or messages.
Billing and administrative data: such as billing address, payment references, VAT number (for business clients), and other data required for our financial administration.
Technical data: such as IP address, browser type, device and session data, and information about your use of our website and the Soev.ai Platform (for example via log files and, where applicable, cookies or similar technologies).
Marketing data: data you provide when subscribing to our newsletter or other commercial communications (such as your name, email address, and preferences), where applicable.
Recruitment data: when you apply for a position at Soev.ai, we may process data such as your CV, cover letter, contact details, and interview notes.

In addition, your organisation may upload its own data (Client Data) via the Soev.ai Platform, such as documents, knowledge articles, or other content that may contain Personal Data. In such cases, we generally act as Data Processor and your organisation is the Data Controller; the arrangements in this regard are laid down in a separate Data Processing Agreement.

Mandatory data and consequences of non-provision

In certain cases, we require specific Personal Data in order to assist you or to comply with our legal obligations. This applies in particular to:

data required to enter into a SaaS agreement with your organisation (such as the name and contact details of the contact person, organisation and billing details)
data required to create an Account for you in the Soev.ai Platform (such as name and email address)
data that we are legally required to record, for example for our administration and tax obligations (such as billing data).

If you do not provide this necessary data, we may in practice be unable to:

enter into an agreement with your organisation
create an Account for you or provide access to the Soev.ai Platform
process certain support or administrative requests
issue an invoice or process a payment.

Other data is provided voluntarily. For example, entering additional information in a contact form or subscribing to our newsletter. If you do not provide such data, the only consequence is, in principle, that we cannot deliver that specific service (such as newsletters), but you may continue to use our other services.

Special and/or sensitive Personal Data

We do not intend to process special or sensitive Personal Data about you via our website or in our own systems, such as data concerning your health, race or ethnic origin, political opinions, religious beliefs, criminal record, or national identification number. Our services are also not specifically aimed at children under the age of 16.

However, it is possible that your organisation may upload its own data (Client Data) via the Soev.ai Platform that contains such sensitive Personal Data, for example in documents, tickets, or other content. In such cases:

your organisation is the Data Controller for this data
Soev.ai acts as Data Processor and processes this data solely in accordance with the arrangements in the Data Processing Agreement and the instructions of your organisation
it is the responsibility of your organisation to assess whether it is necessary and permitted to process such sensitive data via the Soev.ai Platform and to take appropriate measures.

We advise our clients to exercise restraint in processing special categories of Personal Data via the Soev.ai Platform and to do so only when strictly necessary and on the basis of an appropriate Legal Basis under the GDPR.

Automated decision-making and profiling

Soev.ai does not use automated decision-making within the meaning of Article 22 GDPR, whereby decisions about you are made solely on the basis of automated processing (i.e., without human intervention) that produce legal effects or similarly significantly affect you.

Within the Soev.ai Platform, AI models and algorithms are used to generate responses, analyse documents, and structure content. This may involve forms of profiling in a technical sense (for example, analysing entered text or documents to find relevant information). In this regard, the following applies:

Soev.ai uses these functionalities in its capacity as Data Processor, in order to enable the AI functionalities chosen by your organisation.
Your organisation determines the purposes for which and the manner in which these AI functionalities are deployed, and whether human review and decision-making follows.
It is the responsibility of your organisation as Data Controller to ensure that decisions with legal or similarly significant consequences for Data Subjects are not based solely on automated processing, unless this is permitted within the bounds of the GDPR and appropriate safeguards have been implemented.

For processing activities in which Soev.ai itself is the Data Controller (such as our own administration, website, and account management), no automated decision-making takes place with legal effects or similarly significant impact on Data Subjects.

Purposes of processing and Legal Bases

We process your Personal Data only where there is a clear purpose and a valid Legal Basis under the GDPR. Below you will find the main processing activities for which Soev.ai is the Data Controller.

Processing activities for which we act solely as Data Processor on behalf of our clients (for example, the content of Client Data in the Soev.ai Platform) are not listed here; these are governed by the Data Processing Agreement with your organisation.

Purpose of processing	Data involved (categories)	Legal Basis (GDPR)
Responding to enquiries and contact requests (via website, email, telephone)	Identification and contact data, content of your message
Entering into and performing the SaaS agreement with your organisation	Identification and contact data, contract and administrative data, and billing data
Creating and managing Accounts and End Users in the Soev.ai Platform	Identification and contact data, account and usage data
Providing support and administration (including logging and error analysis)	Account and usage data, technical data, content of support requests
Security, monitoring, and abuse prevention for the website and Soev.ai Platform	Technical data, log data, account and usage data
Administration, billing, and tax obligations	Billing and administrative data
Analysis and improvement of our services and functionalities (based on aggregated/anonymised usage and metadata)	Usage and log data, technical data (aggregated or anonymised to the greatest extent possible)
Sending newsletters and other commercial communications (where applicable)	Name, email address, organisation, communication preferences
Recruitment and selection process	Identification and contact data, application/CV data, interview notes

Where we process your data on the basis of consent, you may withdraw that consent at any time. How to do so is explained below under your rights and in the specific section on newsletters and commercial communications.

Legitimate interests

For some of our processing activities, we rely on the Legal Basis of "legitimate interest" (Art. 6(1)(f) GDPR). This means that we have our own interest in the processing, but that we always assess whether your privacy interest does not outweigh that interest.

In summary, Soev.ai's legitimate interests include, among others:

our interest in communicating with (prospective) clients and users, responding to enquiries, and promoting our services
our interest in keeping the Soev.ai Platform and our infrastructure secure, stable, and reliable (for example through logging, monitoring, and abuse prevention)
our interest in analysing and improving our services and AI functionalities, including on the basis of aggregated or anonymised usage and metadata
our interest in maintaining orderly administration and managing business relationships
our interest in informing existing clients about similar services (direct marketing within the applicable legal framework).

In these processing activities, we limit the amount of Personal Data to what is necessary for the purpose, take appropriate security measures, and respect your rights.

If we process your data on the basis of our legitimate interest, you always have the right to object. How you can do so is explained below under your rights as a Data Subject.

Sharing Personal Data with third parties and transfers outside the EU

We do not sell your Personal Data and only share it where necessary for the provision of our services or where we are legally obliged to do so.

When Soev.ai is the Data Controller (for example, for our website, accounts, administration, and support), we may share your Personal Data with the following categories of recipients:

IT and hosting service providers: such as the parties that provide our infrastructure, Kubernetes clusters, and AI inference. These parties act as Data Processor on our behalf.
Email, communication, and support providers: for sending emails, handling support requests, and scheduling appointments.
Accountants and administrative service providers: for maintaining our financial administration and meeting fiscal obligations.
Professional advisors: such as legal or security advisors, where necessary to provide our services in a secure and compliant manner.
Authorities: such as supervisory authorities, tax authorities, or law enforcement agencies, where we are legally required to do so.

Where these parties act as Data Processor, we enter into Data Processing Agreements stipulating, among other things, that they may only process your data on our instructions and subject to appropriate security measures.

In addition, the following applies to the Soev.ai Platform:

Your organisation may choose to establish integrations or connections with third-party services (such as OneDrive, Slack, Microsoft 365, SSO/identity providers). In such cases, your organisation shares (personal) data with these parties itself, and they are not a sub-processor of Soev.ai but rather an independent Data Controller or Data Processor in the relationship with your organisation. It is the responsibility of your organisation to make appropriate privacy arrangements in this regard.

Transfers outside the EU/EEA

Soev.ai focuses on sovereign hosting within the Netherlands. We endeavour to process and store your Personal Data within the Netherlands or the European Economic Area (EEA). If, in an exceptional case, a transfer outside the EEA does occur (for example, because a supplier operates servers or support outside the EEA), this will only take place:

if the relevant country offers an adequate level of protection as determined by the European Commission, or
subject to appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission and, where necessary, supplementary technical and organisational measures.

In all cases, we ensure that any transfer is in compliance with the GDPR. You may contact us if you would like more information about the specific safeguards applicable to a particular transfer.

Cookies & Tracking

No use of cookies

The Soev.ai website does not place any cookies, including analytical or tracking cookies. We therefore do not use any technologies to track, analyse, or personalise your browsing behaviour.

Only techniques that are necessary for the functioning of the site are used (such as spam protection with Cloudflare Turnstile), but these cannot be traced back to individual users and do not fall under the cookie requirements of the Telecommunications Act.

What does this mean for you?

You do not need to give consent for cookies when visiting our website;
We do not store any Personal Data or other identifying data via cookies;
Your privacy is fully respected when using our website.

Information about external cookies on client websites

Please note: websites developed by Soev.ai may, depending on the client's requirements, use cookies or external tools such as analytics trackers, booking systems, or newsletter modules. In such cases, the client is responsible for complying with the information and consent obligations under the GDPR and the Telecommunications Act. Where applicable, we integrate a cookie banner or tool upon request.

If you wish to disable or delete cookies on your device, you can do so via your internet browser settings. Please be aware that certain functionalities on other websites may not work properly as a result.

Your rights as a Data Subject

Under the GDPR, you have various rights with respect to your Personal Data. We briefly explain these below. You may exercise these rights by contacting us using the contact details at the bottom of this privacy policy.

You have, in any event, the following rights:

Right of access: You have the right to know which Personal Data we process about you, the purposes for which we do so, and with whom we share that data.
Right to rectification: If your data is inaccurate or incomplete, you may request us to correct or supplement it.
Right to erasure (right to be forgotten): In certain cases, you may request us to delete your Personal Data, for example if we no longer need it for the purpose for which it was collected, or if you withdraw your consent (insofar as the processing was based thereon).
Right to restriction of processing: In certain situations, you may request that the processing of your Personal Data be (temporarily) restricted, for example while we assess an objection or rectification request.
Right to data portability: Insofar as we process your data on the basis of consent or a contract and the processing is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format, or, where technically feasible, to have us transfer it directly to another party.
Right to object: Where we process your Personal Data on the basis of a legitimate interest, you always have the right to object. We will assess your objection and cease the processing, unless we have compelling legitimate grounds that override your interests. You may also object at any time to the use of your data for direct marketing purposes.
Right to withdraw consent: Where we process your Personal Data on the basis of your consent, you have the right to withdraw that consent at any time. This does not have retroactive effect: processing that has already taken place remains lawful, but we will cease the relevant processing from that point onwards (insofar as there is no other Legal Basis).

When exercising your rights, we may ask you for additional information to verify your identity, to ensure that we do not disclose your data to the wrong person or make unwarranted changes.

Please note: if you are an End User of the Soev.ai Platform provided by your employer or client, your organisation is in many cases the Data Controller for the Client Data in the platform. In such cases, we may refer your request to your organisation, or handle your request on behalf of your organisation. We will inform you if this is the case.

Retention periods for Personal Data

We do not retain your Personal Data for longer than is necessary for the purposes for which we process it, unless we are required to retain your data for a longer period on the basis of a legal obligation (for example, fiscal retention obligations).

The table below provides an overview of the main categories of Personal Data and the corresponding standard retention periods where Soev.ai is the Data Controller:

Category of Personal Data	Examples	Retention period
Contact and communication data (general)	Data from contact forms, emails, notes from conversations/demos	Up to 2 years after the last substantive contact, unless they become part of a client file
Client and contract data	Data in quotations, agreements, account and client files	Up to 7 years after the end of the client relationship (due to fiscal and administrative obligations)
Billing and administrative data	Invoices, payment information, accounting data	A minimum of 7 years after the financial year in which the data was recorded (statutory retention obligation)
Account and usage data (Soev.ai Platform)	User profiles, roles, log data, login times	Up to 1 year after termination of the relevant Account, unless retention for a longer period is required for security, incident investigation, or legal obligations
Technical and log data (security)	Log files relating to security, error reports, incident logs	Generally up to 6 months, unless retention for a longer period is necessary in the context of incident investigation or legal proceedings
Marketing and newsletter data	Name, email address, preferences, open/click statistics	Up to 2 years after the last interaction or until unsubscription; thereafter only in limited form in an opt-out register
Recruitment data	CV, cover letter, interview notes	Generally up to 4 weeks after completion of the recruitment process; with your consent, up to 1 year for a talent pool

For Client Data that your organisation has processed via the Soev.ai Platform, your organisation determines the retention periods as Data Controller. The arrangements regarding retention periods, deletion, and export of Client Data are laid down in the SaaS agreement and the Data Processing Agreement between Soev.ai and your organisation.

Third-party websites and (social) media

Our website and the Soev.ai Platform may contain links to websites, services, or content of third parties. We may also be active on professional social media platforms, such as LinkedIn, and a link or button to our page may be displayed.

Examples include:

links to external websites (for example, documentation, news articles, partner websites)
links to or embeds of video or conferencing platforms
our own pages on social media (such as LinkedIn)

Once you click on a link to a third party or use a third-party service, the privacy policy of that third party generally applies. Soev.ai has no control over those parties, their cookies, their systems, or the way in which they handle your Personal Data.

Within the Soev.ai Platform, your organisation may also choose to create integrations with external services (such as OneDrive, Slack, or other tools). In such cases, your organisation is responsible for the privacy arrangements with those parties, and for the processing of Personal Data via those integrations, we refer to the privacy policies of the relevant providers.

We recommend that you carefully read the privacy and cookie policies of these third parties before using their services.

Newsletters and commercial communications

We may keep you informed by email of developments concerning Soev.ai, such as updates, new functionalities, events, blogs, or other relevant information about our services.

You will only receive such communications if you have subscribed yourself (for example via our website) or if you are an existing client and we inform you about our own similar services.
Every newsletter or commercial email contains an unsubscribe link. You can use it to easily unsubscribe at any time.
You may also unsubscribe by sending us an email using the contact details at the bottom of this privacy policy.

After unsubscribing, we will no longer use your email address for newsletter or marketing purposes. However, your email address may still appear in other systems where we require it, for example for our client administration or to comply with legal obligations.

Security measures

We take the security of Personal Data seriously. Soev.ai has implemented appropriate technical and organisational measures to protect your Personal Data against loss, misuse, unauthorised access, unintended disclosure, and unauthorised modification.

In summary, these include, among others:

Secure infrastructure: the Soev.ai Platform is hosted by professional Dutch hosting providers, with data centres located in the Netherlands and modern security provisions (such as firewalls, network segmentation, and monitoring).
Encryption: where appropriate, we use encryption, for example for connections (TLS) and for the storage of sensitive data.
Access control: access to systems and Personal Data is limited to employees who require such access for their duties. We employ role-based access, strong password policies, and, where possible, additional security measures.
Information security policy and ISO 27001: Soev.ai operates an information security management system aligned with the international standard ISO 27001. This means, among other things, that processes, risks, and measures are systematically identified, managed, and periodically evaluated.
Logging and monitoring: we maintain log files of relevant system and access activities in order to detect and investigate abuse, errors, and security incidents.
Internal policies and awareness: employees who work with Personal Data are bound by confidentiality obligations and are instructed on the careful and secure handling of Personal Data and information security.
Review and improvement: we periodically evaluate our security measures and adjust them where necessary, for example in response to new risks, technical developments, or extensions of our services.

Despite all these measures, no system can guarantee an absolute level of security. If you suspect that your data is being misused or that there is a security incident in relation to Soev.ai, we request that you report this to us as soon as possible using the contact details at the bottom of this privacy policy.

Changes to this privacy policy

We may amend this privacy policy from time to time, for example when our services change or when legislation is updated.

The most recent version is always available on our website. In the event of significant changes that may materially affect you (for example, if we add new processing activities or change the Legal Bases), we will, to the extent possible, actively inform you, for example by email or a notification in the Soev.ai Platform.

We recommend that you consult this privacy policy regularly so that you remain informed of any changes.

Complaints and supervisory authority

If you have questions about this privacy policy or are dissatisfied with the way in which we handle your Personal Data, we encourage you to contact us first. We will then endeavour to resolve your question or complaint to the best of our ability.

In addition, you always have the right to lodge a complaint with the supervisory authority for the protection of Personal Data:

Autoriteit Persoonsgegevens

Website: www.autoriteitpersoonsgegevens.nl

Telefoonnummer: +31 (0)88 1805 250

You may file a report or complaint there if you believe that we process your Personal Data in violation of the GDPR or other privacy legislation.

Contact details

The Data Controller for the processing activities described in this privacy policy is:

Gradient Data Science B.V.

trading as Soev.ai

Dunantstraat 8

3024 BC Rotterdam

92267548

Website: https://soev.ai

For questions about this privacy policy or the way in which we handle Personal Data, you may contact us via the contact form or other contact options on our website. If you have specific privacy or GDPR-related questions (such as access or deletion requests), please state this clearly in your message so that we can handle your request as effectively as possible.