1 Who We Are (Data Controller)
Hubrix AI Suite is operated by Oceanic Consulting VOF, registered in the Netherlands.
| Detail | Information |
|---|---|
| Legal Name | Oceanic Consulting VOF |
| Trade Name | Hubrix |
| KVK Number | 84553081 |
| Address | Poortugaal, South Holland, Netherlands |
| Contact Email | privacy@hubrix.ai |
| Data Protection Role | Data Controller (GDPR Art. 4(7)) |
| Supervisory Authority | Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl |
Dutch summary: Who we are
Hubrix AI Suite is operated by Oceanic Consulting VOF (KVK 84553081), established in Poortugaal, South Holland. We are the data controller for your personal data within the meaning of the AVG (Algemene Verordening Gegevensbescherming / GDPR, EU 2016/679).
2 What Data We Collect
2.1 Account Data
| Data | Purpose | Required |
|---|---|---|
| Username | Account identification | Yes |
| Email address | Account access, notifications | Yes |
| Password (bcrypt hash) | Authentication; the plaintext password is never stored | Yes |
| Company name | Multi-tenant isolation | Company accounts |
| Account type & plan | Feature access control | Yes |
2.2 Usage Data
| Data | Purpose | Retention |
|---|---|---|
| Chat messages & history | Conversation continuity | Until deleted by user |
| Uploaded documents | RAG / document analysis | Until deleted by user |
| AI model usage (tokens) | Billing & credit tracking | 24 months |
| API request logs | Rate limiting, abuse prevention | 30 days |
| IP address | Security, fraud prevention | 30 days |
2.3 Payment Data
Payment processing is handled by Stripe (Stripe Payments Europe Ltd, Dublin). We store only your Stripe Customer ID β never your card details. Stripe is PCI-DSS Level 1 certified.
2.4 SSO Data (Optional)
If you connect Google or Microsoft for Single Sign-On, we receive your name and email from those providers. We do not receive passwords. You may disconnect SSO at any time in Settings.
Dutch summary: What data we collect
We collect account data (username, email, password as a bcrypt hash), usage data (chat history, uploaded documents, token usage) and payment data via Stripe. We never store your bank card details. Chat messages are retained until you delete them.
3 How We Use Your Data (Legal Basis)
| Processing Activity | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Account creation & authentication | Contract (Art. 6(1)(b)) | Necessary to provide the service |
| Delivering AI responses | Contract (Art. 6(1)(b)) | Core service functionality |
| Billing & invoicing | Contract and legal obligation (Art. 6(1)(b) and (c)) | Stripe payments, Dutch tax records (7 years) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) | Rate limiting, abuse detection, IP logging |
| Service improvement | Legitimate interest (Art. 6(1)(f)) | Aggregate analytics only; never individual profiling |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Dutch law, AP requests |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with explicit opt-in; withdraw at any time |
Dutch summary: Legal basis for processing
We process your data on the basis of: performance of the contract (Art. 6(1)(b) GDPR) for account management and service delivery; legal obligation (Art. 6(1)(c) GDPR) for tax administration; legitimate interest (Art. 6(1)(f) GDPR) for security; and consent (Art. 6(1)(a) GDPR) for marketing communications. We do not sell your data.
4 Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Contract |
| Chat history & documents | Until deleted by user, or account closure | User control |
| Token usage / billing records | 24 months | Legitimate interest |
| Stripe payment records | 7 years | Dutch tax law (Belastingdienst) |
| Security logs (IP, rate events) | 30 days | Legitimate interest |
| Backups | 30 days remote, 10 days local | Business continuity |
Upon account deletion, all personal data is permanently removed within 30 days, except where retention is required by law (e.g. tax records).
Dutch summary: Retention periods
Account data is erased 30 days after a deletion request. Chat history is retained until you delete it. Payment data is retained for 7 years in accordance with Dutch tax law. Security logs are retained for 30 days.
5 Third-Party Processors & International Transfers
We use the following sub-processors. All have signed Data Processing Agreements and provide adequate safeguards under GDPR Chapter V.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic | Claude AI models | USA | DPA + SCCs (Art. 46(2)(c)). Zero Data Retention available. |
| OpenAI | GPT models, Whisper STT, Embeddings | USA | DPA + SCCs. Zero Data Retention available. |
| Google | Gemini models, OAuth SSO | EU/USA | DPA + SCCs + EU adequacy decisions where applicable. |
| ElevenLabs | Text-to-Speech | USA | DPA + SCCs |
| Stripe | Payment processing | Ireland (EU) | EU entity, GDPR compliant. PCI-DSS Level 1. |
| Hetzner Online | Server hosting | Germany (EU) | EU entity, ISO 27001 certified. Data stays in the EU. |
| Resend | Transactional email | USA | DPA + SCCs |
Dutch summary: Sub-processors and transfers
We use sub-processors for AI processing (Anthropic, OpenAI, Google), payments (Stripe, Ireland) and hosting (Hetzner, Germany). All transfers to the US are based on Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR. Your data is not used to train AI models.
6 Your Rights (GDPR Art. 12-22)
As an EU data subject, you have the following rights. All requests are responded to within 30 days (extendable to 90 days for complex requests with notice).
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of all personal data we hold about you. |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"). |
| Right to Restriction (Art. 18) | Restrict how we process your data in certain circumstances. |
| Right to Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests. |
| Automated Decision-Making (Art. 22) | We do not make solely automated decisions with legal effect on individuals. |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is consent-based. |
To exercise any right, email privacy@hubrix.ai with subject line "GDPR Request - [Right]". We may verify your identity before processing.
Dutch summary: Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). Requests are answered within 30 days. Send an email to privacy@hubrix.ai with the subject line "AVG-verzoek - [recht]". You may also lodge a complaint with the Autoriteit Persoonsgegevens via autoriteitpersoonsgegevens.nl.
7 Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2/1.3 enforced via Nginx + Let's Encrypt. HSTS enabled. |
| Encryption at rest | Hetzner server-level encryption. Database on encrypted volumes. |
| Authentication | bcrypt password hashing (cost factor 12). JWT HttpOnly cookies. API keys SHA-256 hashed. |
| Access control | Row-Level Security (RLS) on 13 PostgreSQL tables. 4-tier role model. |
| API security | Rate limiting (30 req/min), parameterized queries (SQL injection prevention), output sanitization against XSS. |
| Backups | Daily encrypted backups. Remote copy to secondary EU server. 30-day retention. |
| Incident response | Data breaches reported to AP within 72 hours (GDPR Art. 33). Affected users notified within 72 hours where required (Art. 34). |
Dutch summary: Security measures
We apply TLS 1.3 encryption for data transmission, bcrypt password hashing, role-based access control and daily encrypted backups. Data breaches are reported to the Autoriteit Persoonsgegevens within 72 hours in accordance with Art. 33 GDPR.
8 Cookies
| Cookie | Type | Purpose | Duration | Consent |
|---|---|---|---|---|
| hubrix_token | Strictly necessary | Authentication session JWT | 7 days | Not required |
| hubrix_consent | Functional | Stores your cookie consent choice | 1 year | Set on consent |
We use no tracking cookies, no advertising cookies, and no third-party analytics cookies (e.g. Google Analytics). The authentication cookie is strictly necessary: it cannot be declined without losing access to the service.
Dutch summary: Cookies
We use only a strictly necessary authentication cookie (hubrix_token) and a consent cookie (hubrix_consent). No tracking or advertising cookies are used. Strictly necessary cookies do not require consent under Art. 5(3) of the ePrivacy Directive.
9 Data Processing Agreement (DPA) For Business Customers
This section constitutes the Data Processing Agreement between Oceanic Consulting VOF ("Processor") and the business customer ("Controller") as required by GDPR Art. 28.
9.1 Subject Matter
Oceanic Consulting VOF processes personal data on behalf of the Controller solely for the purpose of providing the Hubrix AI Suite service as described in the service agreement.
9.2 Nature and Purpose of Processing
- Processing AI queries submitted by Controller's employees/users
- Storing documents uploaded for RAG/document analysis
- Managing user accounts and access control
- Generating billing and usage records
9.3 Types of Personal Data
The categories of personal data processed are determined by the Controller and may include: names, email addresses, and any personal data contained within documents or prompts submitted to the platform.
9.4 Processor Obligations (Art. 28(3))
Oceanic Consulting VOF agrees to:
- Process data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures (Art. 32)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination of service
- Make available all information necessary to demonstrate compliance
- Notify the Controller without undue delay of any personal data breach
9.5 Sub-processors
The Controller authorises use of sub-processors listed in Section 5. Oceanic Consulting VOF will notify the Controller of any intended changes to sub-processors with at least 30 days' notice, giving the Controller the opportunity to object.
9.6 International Transfers
Data transfers to sub-processors outside the EEA (Anthropic, OpenAI, ElevenLabs) are governed by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and Commission Implementing Decision (EU) 2021/914.
9.7 Audit Rights
The Controller has the right to conduct audits or inspections, or to mandate an independent auditor. Requests must be submitted to privacy@hubrix.ai with 30 days' notice. Costs are borne by the Controller unless non-compliance is found.
9.8 Termination
Upon termination of the service agreement, Oceanic Consulting VOF will delete all Controller personal data within 30 days, unless longer retention is required by applicable law.
Dutch summary: Data processing agreement
This section constitutes the data processing agreement between Oceanic Consulting VOF (Processor) and the business customer (Controller) in accordance with Art. 28 GDPR. We process personal data solely on documented instructions from the Controller. Enterprise customers can request a separately signed data processing agreement via privacy@hubrix.ai.
10 Children's Privacy
Hubrix AI Suite is intended for business use only. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has created an account, contact privacy@hubrix.ai and we will delete the account immediately.
Dutch summary: Privacy of minors
Hubrix AI Suite is intended for business use only. We do not knowingly collect personal data from persons under the age of 16. Report any underage users via privacy@hubrix.ai.
11 Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via:
- Email notification to registered users
- In-app notification banner
- Updated "Last modified" date at the top of this page
Continued use of Hubrix after the effective date of changes constitutes acceptance of the updated policy.
Dutch summary: Changes
Material changes to this privacy policy are communicated by email and via an in-app notification. Continued use after the effective date constitutes acceptance of the amended policy.
12 Contact & Complaints
Contact Us
Privacy requests & DPA enquiries:
privacy@hubrix.ai
General:
info@hubrix.ai
Postal address:
Oceanic Consulting VOF
Poortugaal, South Holland
Netherlands
You have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
autoriteitpersoonsgegevens.nl/contact
Telephone: 088 - 1805 250