Privacy Policy
Last updated: 1 April 2026
1. Data Controller
Dentrius B.V., registered in the Netherlands (KvK pending), located at Herengracht 420, 1017 BZ Amsterdam, Netherlands, is the data controller for personal data processed through the Dentrius platform.
For privacy enquiries: [email protected]
Data Protection Officer: [email protected]
2. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email address, company name | You, on registration |
| Usage data | Pages visited, features used, session duration | Automatically collected |
| Document data | Uploaded sustainability reports and their extracted text | You, on upload |
| Payment data | Billing name, email, last-4 card digits, invoice history | Stripe (processor) |
| Technical data | IP address, browser type, operating system | Automatically collected |
| Communications | Support tickets, email correspondence | You, when contacting us |
We do not process special categories of personal data (Article 9 GDPR) and do not knowingly collect data from individuals under 18 years of age.
3. Purposes and Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and operate the service | Art. 6(1)(b) — Performance of a contract |
| Process payments and manage billing | Art. 6(1)(b) — Performance of a contract |
| Send transactional emails (invoices, security alerts) | Art. 6(1)(b) — Performance of a contract |
| Detect fraud and abuse; enforce rate limits and lockouts | Art. 6(1)(f) — Legitimate interests |
| Improve platform performance and reliability | Art. 6(1)(f) — Legitimate interests |
| Comply with legal obligations (tax records, audit logs) | Art. 6(1)(c) — Legal obligation |
| Send product update emails | Art. 6(1)(a) — Consent (withdrawable at any time) |
4. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected:
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of the contract + 3 years |
| Document and analysis data | Duration of the contract + 30 days post-termination |
| Billing records | 7 years (Dutch tax law: Belastingdienst requirement) |
| Security logs (login attempts) | 90 days |
| Audit logs | 3 years |
| GDPR deletion request records | 5 years (legal compliance) |
| Backup snapshots | Maximum 30 days rolling |
5. Data Sharing and Sub-processors
We share personal data only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication hosting | EU (Frankfurt) |
| Vercel Inc. | Application hosting and CDN | EU edge nodes |
| Stripe Inc. | Payment processing | EU (Ireland) |
| Anthropic PBC | AI analysis (document text only, no PII) | US — SCCs applied |
| Amazon Web Services | Document OCR pipeline (Textract) | EU (eu-west-1) |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
Transfers to Anthropic PBC in the United States are governed by Standard Contractual Clauses (SCCs, EC Decision 2021/914, Module 2) supplemented by a Transfer Impact Assessment. Document text sent to the Anthropic API does not include names, email addresses, or other directly identifying personal data unless such data appears in uploaded sustainability reports.
6. Your Rights Under GDPR
As a data subject you have the following rights (Articles 15–22 GDPR). To exercise any right, email [email protected] or use the automated options in your account settings:
- Art. 15: Right of access — Obtain a copy of your personal data.
- Art. 16: Right to rectification — Correct inaccurate data.
- Art. 17: Right to erasure — Delete your account and all associated data. Available immediately in Settings → Account or via DELETE /api/user/delete.
- Art. 18: Right to restriction — Restrict processing while a dispute is resolved.
- Art. 20: Right to portability — Receive your data in machine-readable format (JSON/CSV).
- Art. 21: Right to object — Object to processing based on legitimate interests.
- Art. 22: Automated decision-making — We do not make solely automated decisions with legal or similarly significant effects.
We will respond to requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
7. Security Measures
We implement technical and organisational measures proportionate to the risk of processing (Article 32 GDPR):
- TLS 1.2+ encryption in transit for all connections
- AES-256 encryption at rest (Supabase managed keys)
- Row-level security (RLS) on all database tables
- Account lockout after 5 consecutive failed login attempts
- Automatic session termination after 30 minutes of inactivity (SOC 2 CC6.1)
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- API rate limiting on all endpoints
- Audit logging for all data access and modifications
- SOC 2 Type II report in progress (estimated Q3 2026)
8. Cookies
We use only strictly necessary cookies. No advertising, tracking, or analytics cookies are set without explicit consent. The session cookie (sb-auth-token) is set by Supabase and is required for authentication. It expires when you sign out or after 1 hour of inactivity on the server.
9. Changes to This Policy
We will notify you by email and by a prominent notice in the application at least 14 days before any material changes take effect. The current version is always available at dentrius.com/privacy.