Privacy Policy
Effective date: 21 March 2026 · LOCAVERDI B.V.
1. Controller
LOCAVERDI B.V. (the "Controller") is responsible for the processing of personal data as described in this privacy policy.
LOCAVERDI B.V.
KvK: 96035056
BTW: NL867441264B01
Web: Contact form
2. What personal data we collect
We collect and process the following categories of personal data:
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account data | Username, email address, display name, password (hashed) | User authentication, account management | Contract (Art. 6(1)(b)) |
| Security data | TOTP secret (encrypted), backup codes (hashed), login timestamps, IP addresses (for brute-force protection), form submission timing, captcha responses | Account security, 2FA, abuse prevention, bot protection | Legitimate interests (Art. 6(1)(f)) |
| Usage data | Audit log entries (actions performed, timestamps) | Security monitoring, accountability | Legitimate interests (Art. 6(1)(f)) |
| Communication data | Contact form submissions (name, email, message) | Responding to inquiries | Legitimate interests (Art. 6(1)(f)) |
| Preference data | Language setting, dark mode preference (cookie) | User experience customisation | Contract (Art. 6(1)(b)) |
3. Project data (processing on your behalf)
Data entered by users into their projects (service names, data item names, user role descriptions, transfer descriptions, risk assessments, etc.) is processed by LOCAVERDI B.V. as a data processor on behalf of the user (controller). This processing is governed by Chapter 4 of the NLdigital Terms 2025. See our Data Processing Agreement for detailed processing specifications.
Project data may include personal data if users choose to enter it (e.g. real names as data users). We recommend using role descriptions rather than real names. LOCAVERDI B.V. does not access, review, or use project data except as necessary to provide the service.
3a. Breach register and DSAR register
The breach notification register (GDPR Art. 33) and the DSAR tracker (GDPR Art. 15-22) may contain personal data of third parties — specifically the names and email addresses of data subjects who are affected by a breach or who submit a rights request. This data is:
- Entered voluntarily by the user (controller) as part of their legal obligation to document breaches and rights requests.
- Processed by LOCAVERDI B.V. solely as data processor on behalf of the user.
- Stored within the project and deleted when the project or account is deleted (CASCADE).
- Not accessed, reviewed, or used by LOCAVERDI B.V. for any purpose other than providing the service.
- Not sent to AI providers. When an AI report is generated, only aggregated statistics from the breach and DSAR registers are included (e.g. total count, severity distribution, response status). No personal data — no names, emails, breach titles, or request details — is transmitted to the AI provider.
The user (controller) is responsible for ensuring they have a lawful basis for entering personal data of third parties into these registers, and for informing those third parties where required.
4. AI report processing
When a user generates an AI report, project data is submitted to a third-party AI provider for analysis. Before submission:
- The project name is anonymised (replaced with "Project").
- Data user names are anonymised (replaced with "User 1", "User 2", etc.).
- Service names, data item names, descriptions, and other project content are transmitted as entered.
See our Sub-processor Notice for details about the AI providers used.
5. Cookies
Readmodel® uses only essential cookies:
- Session cookie (PHPSESSID) — required for authentication. Also stores form submission timestamps for bot protection (timing validation). Expires when the browser is closed.
- Language cookie (lang) — stores the user's language preference. Expires after 1 year.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Website analytics (Matomo) operates in cookieless mode — see section 5b.
5a. Bot protection
Public forms (login, registration, contact, password reset) are protected by a self-hosted proof-of-work challenge. When you interact with a protected form, your browser solves a cryptographic puzzle. This process:
- Does not use cookies or persistent identifiers
- Does not transmit any data to third parties
- Is processed entirely on our own servers within the EU
Legal basis: Legitimate interests (Art. 6(1)(f)) — preventing automated abuse of public forms.
5b. Analytics
We use Matomo (hosted by InnoCraft Ltd, Luxembourg) to understand how visitors use our public pages. Matomo is configured in cookieless mode:
- No analytics cookies are placed on your device
- No persistent identifiers are stored
- IP addresses are anonymised (last 2 bytes removed) before storage
- No data is shared with third parties or used for advertising
Analytics data collected: page URL, referrer URL, browser type and version, screen resolution, country (derived from anonymised IP), time of visit. This data is used solely to improve the public website and cannot be used to identify individual visitors.
Analytics is applied to public pages only (landing page, blog, FAQ, contact, legal pages). Authenticated application pages are not tracked.
Legal basis: Legitimate interests (Art. 6(1)(f)) — improving our public website based on aggregate usage patterns.
5c. Infrastructure security
Our servers are protected by CrowdSec (CrowdSec SAS, France), an open-source security engine that detects and blocks malicious traffic in real time. CrowdSec processes:
- IP addresses of incoming requests
- Request patterns (frequency, targeted URLs, HTTP methods)
When an IP address is identified as malicious (brute-force attacks, vulnerability scanning, etc.), it may be shared with CrowdSec's community threat intelligence network to protect other users. No other personal data is transmitted — only the IP address and the type of detected attack.
CrowdSec processes all data on EU servers. See CrowdSec's privacy policy for details.
Legal basis: Legitimate interests (Art. 6(1)(f)) — protecting the application and its users from malicious traffic and cyber attacks.
6. Data sharing and sub-processors
We share personal data with third parties only as necessary to provide the service:
- Hosting provider — infrastructure where the application and data are stored (EU/EEA).
- Email provider — for transactional emails (account verification, password resets).
- AI provider — for AI report generation only, with anonymisation applied (see Sub-processor Notice).
- Mollie B.V. (Netherlands) — payment processing for subscription billing. Processes payment details and billing information.
- Jortt B.V. (Netherlands) — invoice generation. Processes billing name, address, and VAT number for invoice creation.
- InnoCraft Ltd (Luxembourg) — website analytics via Matomo Cloud. Processes anonymised page view data on EU servers in cookieless mode. No personal data is stored.
- Keila (Pentacent OÜ) (Estonia, EU) — newsletter delivery. Processes email address for subscribers who voluntarily sign up. See Keila's privacy policy.
- CrowdSec SAS (France, EU) — infrastructure security. Processes IP addresses for threat detection. Malicious IPs may be shared with the CrowdSec community threat intelligence network.
We do not sell personal data. We do not share data for advertising purposes.
6a. Newsletter
If you subscribe to our newsletter, your email address is stored and processed by Keila (Pentacent OÜ, Estonia), an open-source email marketing platform hosted in the EU. We use it solely to send product updates and articles about data risk management.
- Subscription is voluntary and requires explicit action (clicking the subscribe button).
- You can unsubscribe at any time via the link in every newsletter email.
- We do not share your email address with any other party.
Legal basis: Consent (Art. 6(1)(a)) — you actively choose to subscribe.
7. International transfers
The AI provider (Mistral AI) is based in France (EU). Data submitted for AI analysis is subject to appropriate safeguards. Project and user names are anonymised before transmission. See our Sub-processor Notice for details about anonymisation.
8. Data retention
| Data | Retention |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Project data | Duration of account (deleted with account) |
| Audit logs | Duration of account (deleted with account) |
| Login attempt logs | 30 days (automatic cleanup) |
| AI reports | Duration of account (deleted with project) |
| Breach register | Duration of account (deleted with project). GDPR Art. 33(5) requires breach records to be retained. |
| DSAR register | Duration of account (deleted with project). Records of rights requests should be retained for accountability (Art. 5(2)). |
| Contact form data | Until inquiry is resolved, max 1 year |
| Password reset tokens | 1 hour (automatic expiry) |
9. Your rights
Under GDPR, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data (via Account Settings or by contacting us).
- Erasure — request deletion of your account and all associated data.
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a structured, machine-readable format (available via the Export function).
- Objection — object to processing based on legitimate interests.
To exercise your rights, contact us.
10. Data security
We implement appropriate technical and organisational measures including:
- Password hashing (bcrypt)
- Two-factor authentication (TOTP)
- CSRF protection on all forms
- Prepared SQL statements (injection prevention)
- Output escaping (XSS prevention)
- Secure session cookies (httponly, samesite=strict, secure)
- Login brute-force protection
- Bot protection on public forms (honeypot fields, timing validation, proof-of-work challenge)
- Rate limiting on sensitive actions (login, registration, contact, password reset)
- Audit logging of data-modifying actions
11. Data breach notification
In the event of a personal data breach, we will notify affected users and the relevant supervisory authority in accordance with GDPR Art. 33 and 34, and Art. 29 of the NLdigital Terms 2025.
12. Supervisory authority
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl.
13. Changes to this policy
We may update this privacy policy to reflect changes in our practices or legal requirements. The effective date at the top indicates the latest version. We encourage users to review this policy periodically.