Privacy statement

AEO Expert B.V. is the data controller within the meaning of the GDPR. We are based in Amsterdam and registered with the Dutch Chamber of Commerce under number 91823740.

We only collect data that is necessary to deliver or improve our service:

• ◊ Account data: name, email, company name, job title (at registration)
• ◊ Payment data: via our payment partner Stripe — we only see billing data, no card numbers
• ◊ Scan data: the URLs you have scanned, including the results of those scans
• ◊ Usage data: which features you use, how often, and for how long (aggregated)
• ◊ Communications: emails or messages you send us via support channels

We do not collect special categories of personal data (such as health, religion, or political opinion).

Each processing of personal data has a legal basis under Article 6 GDPR:

• ◊ Performance of a contract — to deliver the AEO scans you signed up for
• ◊ Legitimate interest — for product improvement, fraud prevention, and security
• ◊ Consent — for optional newsletters and marketing (revocable)
• ◊ Legal obligation — for tax administration and statutory retention

We do not retain personal data longer than necessary. Specifically:

• ◊ Account data: as long as your account is active, plus 90 days after termination
• ◊ Scan results: 24 months after execution (then anonymized for benchmarks)
• ◊ Invoicing: 7 years (statutory tax retention)
• ◊ Support communication: 3 years after last contact
• ◊ Backup files: up to 35 days

We only share personal data with carefully selected processors, under a data processing agreement:

• ◊ AWS Frankfurt (eu-central-1) — hosting and storage, within the EU
• ◊ Stripe — payment processing (PCI-DSS certified)
• ◊ Postmark — transactional email (EU servers)
• ◊ Mixpanel — product analytics (anonymized, GDPR-compliant)
• ◊ OpenAI, Anthropic, Google — AI model providers (we send no personal data, only scan content)

We never sell personal data. Data is not processed outside the European Economic Area (EEA), except where explicitly mentioned and with appropriate safeguards (SCCs).

Under the GDPR you have several rights regarding your personal data:

• ◊ Right of access — what data we hold on you
• ◊ Right to rectification — correcting inaccurate data
• ◊ Right to erasure — having data deleted ("right to be forgotten")
• ◊ Right to restriction of processing
• ◊ Right to data portability — export your data in a readable format
• ◊ Right to object — against processing on a legitimate-interest basis
• ◊ Right to withdraw consent — for all consent-based processing

Send a request to privacy@aeoexpert.nl with a copy of ID (BSN masked). We respond within 30 days. If unsatisfied, you have the right to file a complaint with the Dutch DPA (autoriteitpersoonsgegevens.nl).

We only use functional and anonymized statistical cookies. No third-party tracking, no ad networks.

• ◊ Session cookie (functional) — to stay logged in
• ◊ Language preference (functional) — remembers NL/EN
• ◊ Plausible Analytics (aggregated) — no personal data, no cross-site tracking

We have appropriate technical and organizational measures to protect personal data: TLS 1.3 for all connections, AES-256 at rest, mandatory 2FA for employees, least-privilege access, and annual third-party penetration tests.

Data breaches are reported to the Dutch DPA within 72 hours where they pose a risk to data subjects.

We may update this statement. Changes are published on this page, and for material updates we notify active customers by email. The date at the top of this page reflects the latest version.