Privacy Policy
Effective date: 12 May 2026 · LOCAVERDI B.V.
1. Controller
LOCAVERDI B.V. (the "Controller") is responsible for the processing of personal data as described in this privacy policy.
LOCAVERDI B.V.
KvK: 96035056
BTW: NL867441264B01
Web: Contact form · Legal details
2. What personal data we collect
We collect and process the following categories of personal data:
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account data | Username, email address, display name, password (hashed) | User authentication, account management | Contract (Art. 6(1)(b)) |
| Security data | TOTP secret (encrypted), backup codes (hashed), login timestamps, IP addresses (for brute-force protection), form submission timing, captcha responses | Account security, 2FA, abuse prevention, bot protection | Legitimate interests (Art. 6(1)(f)) |
| Usage data | Audit log entries (actions performed, timestamps) | Security monitoring, accountability | Legitimate interests (Art. 6(1)(f)) |
| Communication data | Contact form submissions (name, email, message) | Responding to inquiries | Legitimate interests (Art. 6(1)(f)) |
| Preference data | Language setting, dark mode preference (cookie) | User experience customisation | Contract (Art. 6(1)(b)) |
3. Project data (processing on your behalf)
Data entered by users into their projects (service names, data item names, user role descriptions, transfer descriptions, risk assessments, etc.) is processed by LOCAVERDI B.V. as a data processor on behalf of the user (controller). This processing is governed by Chapter 4 of the NLdigital Terms 2025. See our Data Processing Agreement for detailed processing specifications.
Project data may include personal data if users choose to enter it (e.g. real names as data users). We recommend using role descriptions rather than real names. LOCAVERDI B.V. does not access, review, or use project data except as necessary to provide the service.
3a. Breach register and DSAR register
The breach notification register (GDPR Art. 33) and the DSAR tracker (GDPR Art. 15-22) may contain personal data of third parties — specifically the names and email addresses of data subjects who are affected by a breach or who submit a rights request. This data is:
- Entered voluntarily by the user (controller) as part of their legal obligation to document breaches and rights requests.
- Processed by LOCAVERDI B.V. solely as data processor on behalf of the user.
- Stored within the project and deleted when the project or account is deleted (CASCADE).
- Not accessed, reviewed, or used by LOCAVERDI B.V. for any purpose other than providing the service.
- Limited use in AI reports. When an AI report is generated, only aggregated statistics from the breach and DSAR registers are included (e.g. total count, severity distribution, response status). No personal data — no names, emails, breach titles, or request details — is included in the AI report input. (AI processing runs on infrastructure operated by LOCAVERDI B.V. — see section 4.)
The user (controller) is responsible for ensuring they have a lawful basis for entering personal data of third parties into these registers, and for informing those third parties where required.
4. AI report processing
The AI features in Readmodel® — the AI-generated report, and the summarisation of uploaded documents (DPAs, privacy policies) and policy/terms URLs — run on a language model hosted on infrastructure operated by LOCAVERDI B.V., the operator of the service. This means:
- Project data is not transmitted to any third-party AI provider. There is no AI sub-processor for this feature.
- Project data is not used to train any model. The model is run for inference only; inputs are not retained beyond the request that produced the report.
- Because the data never leaves infrastructure operated by LOCAVERDI B.V., no anonymisation step is applied.
See our Sub-processor Notice (section 3) for the full description.
5. Cookies
Readmodel® uses only essential cookies:
- Session cookie (PHPSESSID) — required for authentication. Also stores form submission timestamps for bot protection (timing validation). Expires when the browser is closed.
- Language cookie (lang) — stores the user's language preference. Expires after 1 year.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Our website analytics are first-party, server-side, and cookieless — see section 5b.
5a. Bot protection
Public forms (login, registration, contact, password reset) are protected by a self-hosted proof-of-work challenge. When you interact with a protected form, your browser solves a cryptographic puzzle. This process:
- Does not use cookies or persistent identifiers
- Does not transmit any data to third parties
- Is processed entirely on our own servers within the EU
Legal basis: Legitimate interests (Art. 6(1)(f)) — preventing automated abuse of public forms.
5b. Analytics
We count pageviews on public pages using our own server-side analytics. There are no cookies, no JavaScript trackers, and no third-party services:
- No cookies are placed on your device
- No persistent identifiers are stored
- Your raw IP address and User-Agent are never stored — instead, each pageview is tagged with a one-way hash combining your IP, your browser, the current UTC date, and a secret salt. The hash changes every day at midnight UTC, so we cannot recognise you across days
- Raw events are deleted after 7 days; only aggregate daily counts (pageviews, unique-visitor counts per page) are kept long-term
- No data is shared with third parties or used for advertising
What we collect: the requested URL, the referring URL's host (not the full URL), the browser family (e.g. "Chrome on macOS"), the first tag of the Accept-Language header, and — when an optional offline GeoLite2 database is installed — a country code derived from your IP. UTM tags (utm_source, utm_medium, utm_campaign) that we add to our own outbound links are stored when present.
Analytics is applied to public pages only (landing page, blog, FAQ, contact, legal pages). Logged-in users and authenticated application pages are not tracked.
Legal basis: Legitimate interests (Art. 6(1)(f)) — improving our public website based on aggregate usage patterns. No personal data leaves our infrastructure.
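The daily-rotating visitor hash described in this section can be sketched as follows. This is an added example, not LOCAVERDI B.V.'s code or part of the policy. HMAC-SHA256 as the keyed one-way hash, the field encoding, the salt value and all function names are assumptions, since the policy names only the inputs (IP, browser, UTC date, secret salt).

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: a server-side secret; the policy only says "a secret salt".
SECRET_SALT = b"constructed-example-salt-not-a-real-value"


def visitor_tag(ip: str, user_agent: str, when: datetime,
                salt: bytes = SECRET_SALT) -> str:
    """Return a daily-rotating pseudonymous tag; raw IP and User-Agent are not kept."""
    utc_day = when.astimezone(timezone.utc).strftime("%Y-%m-%d")
    # Length-prefix each field so ("1.2.3.4", "5x") and ("1.2.3.45", "x") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (ip.encode(), user_agent.encode(), utc_day.encode()))
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def daily_aggregates(events):
    """Reduce raw events to {(utc_day, url): (pageviews, unique_visitors)}."""
    views = defaultdict(int)
    uniques = defaultdict(set)
    for ip, ua, when, url in events:
        day = when.astimezone(timezone.utc).date().isoformat()
        views[(day, url)] += 1
        uniques[(day, url)].add(visitor_tag(ip, ua, when))
    return {key: (views[key], len(uniques[key])) for key in views}


# Constructed sample events (documentation-range IPs, made-up User-Agents).
UA_A, UA_B = "ExampleBrowser/1.0 (macOS)", "ExampleBrowser/1.0 (Linux)"
SAMPLE_EVENTS = [
    ("192.0.2.10", UA_A, datetime(2026, 5, 12, 9, 0, tzinfo=timezone.utc), "/blog"),
    ("192.0.2.10", UA_A, datetime(2026, 5, 12, 23, 59, tzinfo=timezone.utc), "/blog"),
    ("198.51.100.7", UA_B, datetime(2026, 5, 12, 10, 0, tzinfo=timezone.utc), "/blog"),
    ("192.0.2.10", UA_A, datetime(2026, 5, 13, 0, 0, tzinfo=timezone.utc), "/blog"),
]

if __name__ == "__main__":
    for key, (pv, uv) in sorted(daily_aggregates(SAMPLE_EVENTS).items()):
        print(key, "pageviews:", pv, "unique visitors:", uv)
```

The tag is only as unlinkable as the salt is secret, because the input space (IPv4 addresses and common browser strings) is small enough to enumerate. For that reason the salt belongs outside the event store, and only the aggregate counts need to outlive the raw events.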
5c. Infrastructure security
Our servers are protected by CrowdSec (CrowdSec SAS, France), an open-source security engine that detects and blocks malicious traffic in real time. CrowdSec processes:
- IP addresses of incoming requests
- Request patterns (frequency, targeted URLs, HTTP methods)
When an IP address is identified as malicious (brute-force attacks, vulnerability scanning, etc.), it may be shared with CrowdSec's community threat intelligence network to protect other users. No other personal data is transmitted — only the IP address and the type of detected attack.
CrowdSec processes all data on EU servers. See CrowdSec's privacy policy for details.
Legal basis: Legitimate interests (Art. 6(1)(f)) — protecting the application and its users from malicious traffic and cyber attacks.
6. Data sharing and sub-processors
We share personal data with third parties only as necessary to provide the service:
- Hosting provider — infrastructure where the application and data are stored (EU/EEA).
- Email provider — for transactional emails (account verification, password resets).
- AI processing — runs on infrastructure operated by LOCAVERDI B.V.; there is no third-party AI sub-processor (see Sub-processor Notice, section 3).
- Mollie B.V. (Netherlands) — payment processing for subscription billing. Processes payment details and billing information.
- Jortt B.V. (Netherlands) — invoice generation. Processes billing name, address, and VAT number for invoice creation.
- Keila (Pentacent OÜ) (Estonia, EU) — newsletter delivery. Processes email address for subscribers who voluntarily sign up. See Keila's privacy policy.
- CrowdSec SAS (France, EU) — infrastructure security. Processes IP addresses for threat detection. Malicious IPs may be shared with the CrowdSec community threat intelligence network.
We do not sell personal data. We do not share data for advertising purposes.
Embedded videos. Where a video appears on a public page (for example in blog posts), the video file and poster image are self-hosted on readmodel.com. No third-party video hosts (YouTube, Vimeo, etc.) are loaded. The video's preload="metadata" attribute means only a small amount of metadata is fetched until you click play, and no cookies are set.
6a. Newsletter
If you subscribe to our newsletter, your email address is stored and processed by Keila (Pentacent OÜ, Estonia), an open-source email marketing platform hosted in the EU. We use it solely to send product updates and articles about data risk management.
- Subscription is voluntary and requires explicit action (clicking the subscribe button).
- You can unsubscribe at any time via the link in every newsletter email.
- We do not share your email address with any other party.
Legal basis: Consent (Art. 6(1)(a)) — you actively choose to subscribe.
7. International transfers
We do not transfer your personal data outside the EU/EEA. All our sub-processors (see Sub-processor Notice) are EU-based, and AI processing runs on infrastructure operated by LOCAVERDI B.V. within the EU — there is no third-party AI provider involved.
8. Data retention
| Data | Retention |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Project data | Duration of account (deleted with account) |
| Audit logs | Duration of account (deleted with account) |
| Login attempt logs | 30 days (automatic cleanup) |
| AI reports | Duration of account (deleted with project) |
| Breach register | Duration of account (deleted with project). GDPR Art. 33(5) requires breach records to be retained. |
| DSAR register | Duration of account (deleted with project). Records of rights requests should be retained for accountability (Art. 5(2)). |
| Contact form data | Until inquiry is resolved, max 1 year |
| Password reset tokens | 1 hour (automatic expiry) |
9. Your rights
Under GDPR, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data (via Account Settings or by contacting us).
- Erasure — request deletion of your account and all associated data.
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a structured, machine-readable format (available via the Export function).
- Objection — object to processing based on legitimate interests.
To exercise your rights, contact us.
10. Data security
We implement appropriate technical and organisational measures including:
- Password hashing (bcrypt)
- Two-factor authentication (TOTP)
- CSRF protection on all forms
- Prepared SQL statements (injection prevention)
- Output escaping (XSS prevention)
- Secure session cookies (httponly, samesite=strict, secure)
- Login brute-force protection
- Bot protection on public forms (honeypot fields, timing validation, proof-of-work challenge)
- Rate limiting on sensitive actions (login, registration, contact, password reset)
- Audit logging of data-modifying actions
11. Data breach notification
In the event of a personal data breach, we will notify affected users and the relevant supervisory authority in accordance with GDPR Art. 33 and 34, and Art. 29 of the NLdigital Terms 2025.
12. Supervisory authority
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl.
13. Changes to this policy
We may update this privacy policy to reflect changes in our practices or legal requirements. The effective date at the top indicates the latest version. We encourage users to review this policy periodically.