Privacy Policy

1. What Data We Collect

We collect personal data through your interaction with our website and intake forms. The data collected includes:

Intake Form Data

When you submit an intake or contact form, we collect:

• Full name and role/title
• Email address and phone number
• Company name and KvK (Chamber of Commerce) number
• Industry and revenue range
• Countries of operation and number of entities
• Intercompany arrangement types
• Service tier preference

Website Data

When you visit our website, we may collect:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent on page
• Referral source

Payment Data

When you make a payment, transaction details are processed by Stripe (our EU payment processor). We never see or store your card details.

2. Legal Basis for Data Processing

We process your personal data based on:

• Contract Performance: Processing necessary to prepare your ATAD2 hybrid mismatch documentation and provide our services.
• Legitimate Interest: To improve our website, prevent fraud, and maintain business records.
• Legal Obligation: Where required by Dutch tax law or other applicable regulations.

3. Why We Collect Your Data

We collect and use your data for the following purposes:

• To prepare, verify, and deliver your ATAD2 hybrid mismatch documentation
• To assess your corporate structure for hybrid mismatch risk
• To communicate with you about your engagement and our services
• To process payments and send invoices
• To provide support and respond to inquiries
• To improve our website, services, and user experience
• To comply with legal and tax obligations
• To prevent fraud and ensure security

4. How Long We Keep Your Data

We retain your personal data for different periods depending on the data type:

• Intake and structure data: not stored on our servers. The data you enter to generate a file is processed in the EU only for the duration of that generation and is discarded once your file is delivered. Keep your own copy of the downloaded file.
• Payment Records: 7 years, held by our payment processor (Stripe) as required for accounting and tax compliance.
• Website Analytics: Up to 2 years, unless you request deletion earlier.
• Email Communications: Retained for client service purposes; you may request deletion at any time.

If you do not proceed with an engagement after initial contact, we will offer to delete your data unless we are required to retain it by law.

5. Sub-processors and automated AI

We use a small set of EU-resident sub-processors:

• Site hosting: Cloudflare (static pages only; EU Cloud Code of Conduct verified).
• Document generation: a server hosted in the EU (Hetzner, Frankfurt) that runs the automated process.
• AI model: Anthropic Claude via AWS Bedrock in the EU (Frankfurt, eu-central-1). The model only reads what you submit to produce your file; it is not trained on your data and the data is not retained past generation.
• Optional document reading (OCR): our EU document-extraction service (Mistral, EU) when you choose to upload an org chart.
• Payments and invoicing: Stripe (EU).
• Optional marketing emails (Risk Check summary, newsletter): a form/email provider, used only if you opt in by entering your email.

Your intake and structure data is processed in the EU and is not stored on our servers after your file is generated. The AI model is operated by AWS, which has a US parent; that transfer is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses, assessed in our transfer impact assessment.

Automated, AI-generated output (EU AI Act Art. 50): the documentation file is produced by an automated AI process and is not reviewed by a tax advisor. It is not tax advice. You remain responsible for the content you file.

You can request the current sub-processor list in writing at [email protected].

6. International Data Transfers

Most of your data is processed within the EU. Some service providers may process data in the United States or other jurisdictions. These providers rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to ensure GDPR compliance.

We do not intentionally transfer personal data outside the EU except where necessary for service provision.

7. Your Data Rights

Under GDPR, you have the following rights:

Right of Access

You can request a copy of all personal data we hold about you.

Right of Rectification

You can request that we correct inaccurate or incomplete data.

Right of Erasure

You can request deletion of your data, subject to legal retention requirements (e.g., the 7-year tax law retention period).

Right of Data Portability

You can request your data in a portable, machine-readable format (e.g., CSV).

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

Right to Object

You can object to our processing of your data for certain purposes, particularly marketing or profiling.

Right to Lodge a Complaint

If you believe we are not complying with data protection laws, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP).

To exercise any of these rights, contact us at [email protected] with your request and proof of identity.

8. Security and Data Protection

We take data security seriously. We implement the following measures:

• HTTPS encryption for all website traffic
• Secure form submission to our processing provider over HTTPS
• Restricted access to personal data (only authorized personnel)
• Regular security audits and updates
• Secure deletion of data after retention periods expire

While we implement strong security measures, no online service is 100% secure. We recommend you use strong passwords and keep your login credentials confidential.

9. Cookies and Tracking

Our website uses minimal cookies. We only use functional cookies necessary for the website to operate correctly. We do not use cookies for tracking, profiling, or marketing purposes.

• Functional Cookies: Help the website function properly and remember your preferences.
• No Tracking: We do not use Google Analytics, Facebook Pixel, or similar tracking tools that would require your consent.
• No Selling Data: We never sell, rent, or share your personal data with third parties for marketing purposes.

10. Children's Privacy

Our services are intended for business professionals (18 years and older). We do not knowingly collect personal data from children under 18. If we become aware that a child has submitted data, we will delete it promptly. Parents or guardians who believe a child has provided us with information should contact us immediately at [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on our website. Your continued use of our services after changes constitutes your acceptance of the updated policy.

Last Updated: April 9, 2026

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: [email protected]
• Website: www.hybridmismatch.com

We will respond to your inquiry within 30 days.