Privacy Policy

Updated May 15, 2025

At Elmtrail B.V., we are committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share your personal data when you interact with our services, including our AI consulting and mailing tool (such as Elmtrail Gaia) and any current or future products.

1. Definitions and Roles

  • Data Controller: The company or entity that determines the purposes and means of processing personal data. For most services, our clients are the data controllers. For Elmtrail Gaia, we process personal data solely on the instructions of our clients, acting as a data processor.
  • Data Processor: The entity that processes personal data on behalf of the controller.
  • Data Subject: The individual whose personal data is processed (for example, your customers, employees, or users).

Our role (controller or processor) may differ depending on the specific product or service. For Elmtrail Gaia, we act as a processor; for future products, this may vary, and this policy will be updated as needed.

2. Information We Collect

We may collect the following types of personal data, depending on your use of our services:

  • Contact Information: Name, email address, phone number
  • Billing Information: Payment details, invoicing address
  • Usage Data: Interactions with our services, including IP address, browser type, usage patterns, etc.
  • Client Data: Data you share with us during consulting engagements or through use of our tools (such as datasets, email content, project details, etc.)

3. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: Where you have given your clear consent (for example, signing up for a newsletter).
  • Contractual Necessity: To fulfill our contract with you (for example, delivering our services).
  • Legitimate Interests: To improve our services, ensure security, and better understand user behavior.
  • Processing on Behalf of Clients: For Elmtrail Gaia, we act exclusively on the documented instructions of our client (the data controller), as outlined in our Data Processing Agreements (DPAs).

4. Use of Cookies and Tracking Technologies

Our website and some of our services may use cookies or similar tracking technologies in the future (for example, for analytics or feature improvements). We will update this policy to reflect specific cookie use as it is implemented.

You can choose to manage or refuse cookies via your browser settings. Some features may not work as intended if cookies are disabled.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and improve our products and services
  • To communicate with you regarding our services, updates, or support
  • To process payments and manage billing
  • To analyze service usage and improve security
  • To comply with legal obligations

6. Data Sharing and Subprocessors

We may engage trusted third-party service providers (subprocessors) to help us deliver our services (for example, cloud hosting, analytics, or AI platforms). We maintain an up-to-date list of these subprocessors, which is available upon request.

Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place (such as Standard Contractual Clauses), in accordance with GDPR requirements.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. When your data is no longer needed, it will be securely deleted or anonymized.

8. Security Measures

We take the security of your personal data seriously. Elmtrail B.V. implements appropriate technical and organizational measures to protect your data against unauthorized access, loss, misuse, or disclosure. These measures include:

Application & Data Security

Passwords are hashed using bcrypt. Expiring, encrypted tokens are used for email activation. All connections are forced over HTTPS. User sessions expire after periods of inactivity, and all cookies are set as secure. Sensitive data and credentials are encrypted in transit and at rest, and application secrets are managed using Rails credentials.

Infrastructure & Hosting

The application is hosted on Hetzner servers in Germany, certified under ISO/IEC 27001 for information security management. Servers are firewalled to block all non-essential ports. Cloudflare's Web Application Firewall (WAF) is enabled with OWASP rules and managed threat blocks.

Development & Operations

Static code analysis and code reviews are used in the development process. Dependency updates are performed monthly, with automated vulnerability scanning (bundler-audit, Dependabot) in place. Only company founders have access to user data. Nightly backups are performed and restoration processes are tested, with a recovery time of up to one day.

Privacy, Compliance, and Incident Response

Manual data deletion is performed upon user request to comply with GDPR. The privacy policy is public. If a data breach affecting user data is detected, affected users will be notified within 72 hours by email, in line with GDPR guidelines. Only certified, reputable third-party providers are used.

Security updates are applied on an ongoing basis. Our security practices are regularly reviewed and improved as technology advances.

Please note: While we take significant precautions, no method of transmission over the internet or electronic storage is 100% secure. Our Privacy Policy does not cover the privacy practices of external websites; we encourage you to review the privacy policies of any third-party sites you may visit.

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Correct or update inaccurate data
  • Request deletion of your data
  • Object to or restrict the processing of your data
  • Request data portability (receive your data in a usable format)
  • Withdraw consent at any time (where processing is based on consent)

How to exercise your rights:

Simply email us at [email protected], and we will respond promptly.

If you have concerns about how we handle your data, you may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl

10. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on our website. We recommend checking this policy regularly to stay informed about how we protect your data.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact us at:

This Privacy Policy will be updated as new products and services are added, or as our data practices change.