When AIBOVE processes personal data on your behalf, for example when you use one of our products and submit customer data, we act as a processor under Article 28 of the GDPR. This page summarizes how we handle that role and how to put a Data Processing Agreement (DPA) in place.
01. Overview
AIBOVE BV ("AIBOVE", "we", "us") is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection legislation. We take our obligations seriously whether we act as a controller or as a processor.
In the context of our website and prospect interactions, AIBOVE acts as the data controller. This means we determine the purposes and means of processing for data such as contact form submissions, newsletter sign-ups, and website analytics.
In the context of our products and services, AIBOVE acts as a data processor. When you, our customer, submit personal data through our platform — for example end-user data, customer records, or employee information — you remain the controller and we process that data strictly on your documented instructions.
This page provides a transparent overview of our data processing practices. For a binding agreement, please request our standard Data Processing Agreement (DPA).
02. Roles & Scope
The allocation of roles under the GDPR is fundamental to understanding who bears which obligations. We distinguish between two scenarios:
- Customer as Controller: You determine the purposes and means of processing the personal data you submit to our platform. You are responsible for having a lawful basis (e.g. consent, contract, or legitimate interest) for processing and for informing your data subjects.
- AIBOVE as Processor: We process personal data solely on your documented instructions. We do not determine the purposes of processing, and we do not use your data for our own purposes such as marketing, profiling, or product development.
We will not process personal data beyond what is strictly necessary to provide the agreed-upon services, unless required to do so by European Union or Member State law. In such cases, we will inform you of the legal requirement before processing, unless the law prohibits disclosure on important grounds of public interest.
Our processing is governed by the terms of your subscription agreement and, where executed, a Data Processing Agreement (DPA) that meets the requirements of Article 28(3) GDPR.
03. Processing Details
3.1 Subject Matter & Purpose
The subject matter of the processing is the provision of AIBOVE's products and services as described in the applicable subscription agreement. This includes hosting, storing, retrieving, transforming, and displaying personal data as necessary to deliver the contracted functionality.
3.2 Duration of Processing
Processing begins on the effective date of your subscription and continues for the duration of the agreement. Upon termination or expiration, AIBOVE will retain the data for a maximum of 30 calendar days to facilitate data return and account closure. After this period, all personal data will be securely deleted unless retention is required by applicable law.
3.3 Categories of Data Subjects
Depending on your use of our services, the following categories of data subjects may be involved:
- Your customers and end-users
- Your employees and contractors
- Your prospects and leads
- Your suppliers and business contacts
- Any other individuals whose data you submit to the platform
3.4 Categories of Personal Data
The categories of personal data processed depend on what you choose to submit. They may include, but are not limited to:
- Identification data: names, email addresses, phone numbers, postal addresses
- Professional data: job titles, company names, department information
- Communication data: message content, support tickets, chat transcripts
- Technical data: IP addresses, browser user agents, device identifiers
- Transaction data: order details, invoicing information, payment references
- Usage data: interaction logs, feature usage, timestamps
AIBOVE does not intentionally process special categories of personal data (Article 9 GDPR) unless explicitly agreed upon in writing with additional safeguards.
04. Sub-processors
We engage a limited number of third-party sub-processors to help deliver our services. Each sub-processor is bound by a data processing agreement that imposes obligations no less protective than those in our own DPA. We conduct due diligence on each sub-processor before engagement and monitor their compliance on an ongoing basis.
Our current sub-processors include:
- AWS (Amazon Web Services) — Cloud infrastructure and hosting (EU region)
- Google Cloud Platform — Cloud infrastructure and compute services (EU region)
- Postmark — Transactional email delivery
- SendGrid — Email delivery services
- PostHog — Product analytics (EU-hosted instance)
- Sentry — Error tracking and application monitoring
- Intercom — Customer communication and support
- Anthropic — AI model provider (data is not used for training)
- OpenAI — AI model provider (data is not used for training; zero-retention API usage)
- Stripe — Payment processing
- Mollie — Payment processing (EU-based)
A complete and up-to-date list of sub-processors is available on request. We will notify you of any intended changes to our sub-processors, giving you the opportunity to object in accordance with the terms of your DPA.
05. Security Measures
AIBOVE implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include, but are not limited to:
- Encryption in transit: All data transmitted between clients and our servers is protected using TLS 1.2 or higher. We enforce HTTPS across all endpoints and HSTS headers are set on all responses.
- Encryption at rest: All stored data, including databases and backups, is encrypted using AES-256 encryption.
- Access control: We implement role-based access control (RBAC) following the principle of least privilege. Access to production systems is restricted to authorised personnel only.
- Multi-factor authentication (MFA): MFA is enforced for all internal systems, including cloud consoles, source code repositories, and administrative dashboards.
- Monitoring & logging: We maintain comprehensive audit logs and employ continuous monitoring for suspicious activity, unauthorised access attempts, and anomalous behaviour.
- Vulnerability management: We perform regular vulnerability scans, apply security patches promptly, and follow responsible disclosure practices for any vulnerabilities discovered in our systems.
- Penetration testing: We conduct annual penetration tests performed by qualified independent third parties. Findings are remediated based on severity.
- Encrypted backups: Backups are encrypted and stored in geographically separated locations within the EU. Backup integrity is tested regularly.
- Security training: All employees and contractors receive security awareness training upon onboarding and at least annually thereafter.
- Background checks: Personnel with access to personal data undergo background checks in accordance with applicable law.
06. International Transfers
AIBOVE stores and processes data in EU data centres by default. We prioritise keeping personal data within the European Economic Area (EEA) wherever possible.
Where a transfer of personal data to a country outside the EEA is necessary — for example, because a sub-processor operates in or has access from a third country — we ensure that appropriate safeguards are in place. These safeguards include:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for transfers to countries without an adequacy decision.
- Adequacy decisions: Where available, we rely on adequacy decisions issued by the European Commission, including the EU-U.S. Data Privacy Framework where applicable.
- Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the legal framework of the recipient country and implement supplementary measures where necessary.
Details of the specific transfer mechanisms used for each sub-processor are available on request.
07. Data Subject Rights
As a processor, AIBOVE will assist you, the controller, in fulfilling your obligations to respond to data subject requests (DSRs) under Chapter III of the GDPR. These rights include:
- Right of access (Article 15) — the right to obtain confirmation of whether personal data is being processed and to access that data.
- Right to rectification (Article 16) — the right to have inaccurate personal data corrected.
- Right to erasure (Article 17) — the right to have personal data deleted under certain circumstances.
- Right to restriction (Article 18) — the right to restrict processing in certain situations.
- Right to data portability (Article 20) — the right to receive personal data in a structured, commonly used, and machine-readable format.
- Right to object (Article 21) — the right to object to processing based on legitimate interests.
If AIBOVE receives a request directly from one of your data subjects, we will promptly redirect the individual to you and notify you of the request. We will not respond to the request independently unless instructed to do so by you or required by applicable law.
We provide the technical tools and cooperation necessary for you to extract, correct, or delete personal data in our systems. Where manual intervention is required, we will act without undue delay.
08. Breach Notification
In the event of a personal data breach as defined in Article 4(12) GDPR, AIBOVE will notify you within 72 hours of becoming aware of the breach. This notification will include all information required under Article 33 GDPR, to the extent available at the time:
- A description of the nature of the breach, including the categories and approximate number of data subjects and data records affected
- The name and contact details of our Data Protection Officer or other contact point for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
If it is not possible to provide all information simultaneously, we will supply it in phases without undue further delay. We will cooperate fully with your investigation and any regulatory inquiries, and we will take immediate steps to contain the breach and prevent recurrence.
We maintain an internal breach register documenting every incident, regardless of severity, including facts, effects, and remedial actions taken.
09. Audits
AIBOVE makes available to you all information necessary to demonstrate compliance with our obligations under Article 28 GDPR. We support your right to verify our processing activities through audits and inspections.
The following audit arrangements apply:
- Documentation: We will provide copies of relevant policies, procedures, and certifications upon reasonable request.
- On-site and remote audits: Annual audits are permitted with reasonable prior written notice (minimum 30 days). Audits will be conducted during normal business hours and in a manner that minimises disruption to our operations.
- Third-party auditors: You may appoint a qualified independent third-party auditor, subject to confidentiality obligations acceptable to AIBOVE.
- Audit reports: Where we have obtained relevant third-party certifications or audit reports (e.g. SOC 2, ISO 27001), we may provide these as an alternative to a customer-directed audit, provided they adequately address the scope of your inquiry.
We will contribute to and cooperate with audits in good faith. Costs for audits beyond one per year, or audits requiring extraordinary effort, may be subject to reasonable reimbursement.
10. Deletion & Return
Upon termination or expiration of the subscription agreement, and at your choice, AIBOVE will either:
- Return all personal data to you in a structured, commonly used, and machine-readable format; or
- Delete all personal data, including all existing copies, unless European Union or Member State law requires further storage.
In both cases, the return or deletion will be completed within 30 calendar days of termination. We will provide written confirmation of deletion upon your request.
During the 30-day post-termination period, you may continue to request data export through the standard tools available in your account. After this period, data will be irrecoverably deleted from all primary systems and backups, subject to the technical limitations of our backup retention cycles.
Where we are legally obliged to retain certain data (for example, for tax or accounting purposes), we will isolate the relevant data, limit processing to the legally required purpose, and delete it as soon as the retention obligation expires.
11. How to Sign a DPA
We offer a standard Data Processing Agreement that meets the requirements of Article 28(3) GDPR. You can request a copy at any time:
- Standard DPA: Available on request for all customers. Our standard DPA covers the processing activities described on this page and includes the European Commission's Standard Contractual Clauses where applicable. Simply email us at info@aibove.ai and we will provide a pre-signed copy for your countersignature.
- Enterprise customers: If your organisation requires custom contractual terms, additional clauses, or specific supplementary measures, we are happy to work with your legal team. We can provide SCCs with additional safeguards tailored to your requirements.
- Execution: DPAs can be executed electronically. We typically turn around standard DPA requests within two business days.
To get started, send your request to info@aibove.ai with the subject line "DPA Request". Please include your company name and the AIBOVE products you use so we can prepare the appropriate agreement.
12. Contact
If you have any questions about this page, our data processing practices, or wish to exercise any rights, please contact us:
- Email: info@aibove.ai
- Company: AIBOVE BV, registered in the Netherlands
We aim to respond to all data protection inquiries within five business days. For urgent matters relating to a data breach, please mark your email as urgent and include "Data Breach" in the subject line.