Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for your personal data is [COMPANY LEGAL NAME], registered at [REGISTERED ADDRESS], KvK number [KVK NUMBER].

For questions or requests regarding your personal data, contact our Data Protection Officer at [DPO EMAIL].

2. Data We Collect

Account & Profile Data

When you create an account, we collect your name, email address, password (hashed), and optionally your phone number, language preference, and profile photo. If you sign up as part of an organization, we also collect your job title and role within the company.

Business Data

When you use ThinQr, you provide business data including: your company name, industry, business type, customer channel, fulfillment model, products and services, team structure, training content, and uploaded documents. This data is used solely to provide the Service and is owned by you.

Usage Data

We automatically collect information about how you interact with the Service, including: pages visited, features used, timestamps, referring URLs, browser type, operating system, device type, and IP address. This data is collected via server logs and analytics tools.

Payment Data

Payment information (credit card numbers, billing address) is processed directly by Stripe and is not stored on our servers. We receive and store your Stripe customer ID, subscription status, and transaction history.

3. Legal Bases for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, training generation, business mapping, and customer support.
  • Legitimate interest (Art. 6(1)(f)): Analytics and product improvement, fraud prevention, security monitoring, and direct marketing to existing customers (with opt-out).
  • Consent (Art. 6(1)(a)): Marketing cookies (specifically our thinqr_lead_id cookie), promotional emails, and optional analytics. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Tax and accounting records, regulatory compliance.

4. AI Data Handling

ThinQr uses third-party AI providers to power features such as training generation, business mapping analysis, briefings, and document processing:

  • Anthropic (Claude): Used for training generation, business mapping, ThinQr AI assistant, and document summarization. Your business data is sent to Claude's API for processing but is not stored by Anthropic for model training. Data is processed under Anthropic's commercial API terms, which explicitly exclude training use.
  • OpenAI (GPT-4 Vision): Used exclusively for contract OCR and document text extraction. Document content is sent for processing but is not stored by OpenAI for model training under their API data usage policy.

AI-generated outputs (training modules, analysis, recommendations) are stored within your ThinQr account and are subject to the same data retention and deletion policies as your other data.

5. Data Retention

  • Active accounts: Your data is retained for as long as your account is active and you maintain a valid subscription.
  • Cancelled accounts: After cancellation, your data is preserved for 30 days (grace period), after which it is permanently deleted from our systems and backups within 90 days.
  • Financial records: Transaction and invoice data is retained for 7 years as required by Dutch tax law (AWR).
  • Server logs: Automatically deleted after 90 days.
  • Analytics data: Anonymized and aggregated after 26 months.

6. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including profiling and direct marketing.
  • Right to restrict processing (Art. 18): Request restriction of processing in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at [DPO EMAIL]. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

7. Subprocessors

We use the following subprocessors to deliver the Service. For full details, see our Data Processing Agreement.

Subprocessor   Purpose                    Location
Supabase       Database, Auth, Storage    EU (aws-eu-central-1)
Vercel         Hosting, CDN               US/EU (fra1)
Anthropic      AI processing              US
OpenAI         Contract OCR               US
Stripe         Payments                   US/EU
Resend         Email delivery             US
Upstash        Rate limiting              EU (fra1)

8. International Data Transfers

Some of our subprocessors are based in the United States. For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our agreements with US-based processors.
  • Supplementary measures including encryption in transit (TLS 1.2+) and at rest, access controls, and contractual restrictions on data use.

9. Cookies

We use a limited number of cookies to operate the Service. For full details on cookies used and how to manage them, see our Cookie Policy.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit and at rest, row-level security policies, rate limiting, input validation, regular security audits, and access controls. For details, see our Data Processing Agreement.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, for significant changes, by email. We encourage you to review this page periodically.

12. Contact

[COMPANY LEGAL NAME]
[REGISTERED ADDRESS]
KvK: [KVK NUMBER]
Data Protection Officer: [DPO EMAIL]