AutoDeck

Privacy Policy

Last updated: 25 February 2026 · Effective: 25 February 2026

1. Introduction & Identity of the Controller

This Privacy Policy explains how Autodeck B.V. ("we", "us", or "our"), a company registered in the Netherlands, collects, uses, stores, and protects personal data when you use the Autodeck platform ("Service").

We are the data controller for personal data you provide when registering and using the Service. Where you use our Service to process personal data of your own users, you are the controller and we act as your data processor — governed by a separate Data Processing Agreement (DPA).

This policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and any applicable national implementing legislation.

2. Data We Collect

We collect only the personal data strictly necessary for the purposes described below.

2.1 Account & Identity Data

  • Name and email address (required for account creation)
  • Authentication credentials (password hash or OAuth identity token from your identity provider)
  • Organisation name and workspace settings

2.2 Billing & Payment Data

  • Invoice contact details (name, email, company, VAT number)
  • Payment method metadata (card type, last 4 digits, expiry) — full card data is processed exclusively by our PCI-DSS-compliant payment processor (Stripe) and never stored on our servers
  • Transaction history and subscription status

2.3 Usage & Audit Data

  • Log data: IP addresses, browser/client type, pages visited, timestamps, HTTP status codes
  • Platform audit events: who performed what action, on which resource, at what time — required for security, compliance, and debugging
  • Error reports and crash diagnostics (anonymised where possible)

2.4 Support Data

  • Communications you send us for support, including email content and any attachments
  • Information you voluntarily share when reporting an issue

2.5 Data We Do Not Collect

We do not collect:

  • Special category data (health, biometric, racial/ethnic origin, political opinions, etc.)
  • Data from children under 16 — accounts for minors are prohibited
  • Third-party tracking or behavioural advertising data
  • The content of your AI agent conversations beyond what is required for the operation of the Service and your configured audit log retention period

3. Legal Bases for Processing (GDPR Art. 6)

PurposeLegal Basis
Account creation & authenticationContract (Art. 6(1)(b))
Providing and operating the ServiceContract (Art. 6(1)(b))
Billing & invoicingContract + Legal obligation (Art. 6(1)(b)(c))
Security monitoring & audit loggingLegitimate interests (Art. 6(1)(f))
Customer supportContract (Art. 6(1)(b))
Sending service notifications (downtime, policy changes)Legitimate interests (Art. 6(1)(f))
Marketing emails (optional)Consent (Art. 6(1)(a)) — opt-in only
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

4. How We Use Your Data

We use your personal data only for the following purposes:

  • Providing, maintaining, and improving the Service
  • Processing payments and managing subscriptions
  • Communicating with you about your account, security, or the Service
  • Responding to support requests
  • Detecting, preventing, and investigating fraud, abuse, or security incidents
  • Complying with applicable legal obligations (e.g. tax, financial record-keeping)
  • Sending product updates and marketing communications where you have given consent

We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects without human oversight.

5. AI Agent Data Processing

The Service uses AI models and agentic workflows to process instructions and data you provide. In this context:

  • Prompts and responses may be temporarily processed by third-party AI model providers (see Section 6). We configure providers to disable training on your data where contractually available.
  • Agent execution logs, tool call inputs/outputs, and audit trails are stored to provide transparency and compliance reporting. Retention periods are configurable per workspace.
  • You are responsible for ensuring you have a lawful basis before using AI agents to process personal data of third parties through our Service.

6. Sub-processors & Third-Party Recipients

We engage the following categories of sub-processors to deliver the Service. All sub-processors are contractually bound to process data only on our instructions and in compliance with GDPR.

CategoryPurposeLocation
Cloud infrastructure (Supabase / hosting provider)Database hosting, storageEU
Payment processor (Stripe)Billing, invoicingUSA (SCCs)
AI model provider (Google, OpenAI, Anthropic, etc.)Inference for agentic workflowsUSA (SCCs)
Email delivery (transactional)Account notifications, supportEU / USA (SCCs)
Error monitoringPlatform stability & debuggingEU

SCCs = EU Standard Contractual Clauses (Commission Decision 2021/914). Where transfers occur to countries outside the EEA, we rely on SCCs or equivalent safeguards under GDPR Chapter V.

You may request a current list of sub-processors by emailing dpa@autodeck.io.

7. Data Retention

  • Account data: Retained for the duration of your account, plus 30 days after termination to allow data export.
  • Billing records: Retained for 7 years to comply with Dutch and EU financial record-keeping requirements.
  • Audit logs & usage data: Default retention of 90 days; configurable per workspace up to 2 years.
  • Support correspondence: Retained for 2 years from case closure.
  • Marketing consent records: Retained until you withdraw consent plus 3 years for compliance evidence.

After the applicable retention period, data is securely deleted or irreversibly anonymised.

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights. To exercise any of these rights, contact us at privacy@autodeck.io. We will respond within 30 days.

  • Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data where no legal basis for retention exists.
  • Right to restriction (Art. 18): Restrict processing while a dispute is resolved.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including for direct marketing.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decisions (Art. 22): We do not make solely automated decisions with significant legal effects on individuals.

You also have the right to lodge a complaint with your national supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP).

9. Cookies & Tracking

We use only strictly necessary cookies required for authentication, session management, and security (e.g. CSRF protection). We do not use:

  • Third-party advertising or tracking cookies
  • Cross-site tracking technologies
  • Analytics tools that collect personal data without anonymisation

Because we only set strictly necessary cookies, no consent banner is required under ePrivacy Directive Art. 5(3). If we introduce optional cookies in future, we will update this policy and obtain your consent first.

10. Security

We implement appropriate technical and organisational measures (TOMs) to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Strict tenant isolation at the database level (row-level security)
  • Role-based access control and principle of least privilege
  • Comprehensive audit logging of all data access and changes
  • Regular vulnerability assessments and dependency updates
  • Access to production systems restricted to authorised personnel only

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.

11. Data Processing Agreement (DPA)

If you use the Service to process personal data on behalf of your organisation or your customers, you act as the data controller and Autodeck B.V. acts as the data processor under GDPR Art. 28. A Data Processing Agreement governing such processing is available upon request.

To request a DPA, email dpa@autodeck.io.

12. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without verified parental consent, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice in the Service at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact & Data Protection Officer

For privacy-related questions, to exercise your rights, or to request a DPA, contact us at:

Autodeck B.V. — Privacy Team
the Netherlands

If your query relates specifically to a data processing agreement or sub-processor list: dpa@autodeck.io

You may also review our Terms of Service for the contractual framework governing your use of the Service.