Privacy Policy

Last updated: June 2026

This Privacy Policy describes how GBrutus Power ("we," "us," or "our") collects, uses, and shares your personal information when you visit our website, use our AI assistant services, or otherwise interact with us.

1. Information We Collect

Information you provide to us

• Contact information: name, email address, phone number, business name, and business address when you sign up, book a demo, or contact us.
• Business content: menus, pricing, FAQs, opening hours, and other business information you provide for your AI assistant.
• Payment information: billing details processed securely through Stripe. We do not store full payment card numbers.
• Communications: messages, emails, and other correspondence you send us.

Information collected automatically

• Usage data: pages visited, features used, time spent, click patterns, and referring URLs.
• Device information: browser type, operating system, device type, screen resolution, and language preference.
• IP address and location: approximate geographic location derived from your IP address.
• Cookies and similar technologies: we use privacy-friendly, cookieless analytics (Plausible) and no advertising cookies. See our Cookie Policy.

AI interaction data

• Conversation logs: messages exchanged between end users and your AI assistant, used to improve response quality and provide analytics.
• Voice call data: transcripts and metadata from voicebot interactions.
• Email data: emails processed by the AI email reader on your behalf.
• Metadata: timestamps, session duration, language detected, and escalation events.

2. How We Use Your Information

• Service delivery: to set up, operate, maintain, and improve your AI assistant.
• Communication: to respond to inquiries, send service updates, and provide customer support.
• Analytics and improvement: to understand usage patterns and improve our services.
• Billing: to process payments and manage subscriptions.
• Legal compliance: to comply with applicable laws, regulations, and legal processes.
• Security: to detect, prevent, and address fraud, abuse, and technical issues.

3. Legal Bases for Processing (GDPR)

• Contract performance: processing necessary to deliver our services to you.
• Legitimate interests: improving our services, analytics, fraud prevention, and marketing to existing customers.
• Consent: where you have given explicit consent, such as for marketing communications.
• Legal obligation: where processing is required by law.

4. How We Share Your Information

We do not sell your personal data. We may share information with:

• Service providers: cloud hosting, payment processing, analytics, and email delivery providers who process data on our behalf under data processing agreements.
• AI providers: Anthropic (Claude) to power AI responses. Conversations are processed per their data processing terms and are not used to train their models.
• Legal requirements: when required by law, court order, or governmental authority.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

6. Data Retention

• Account data: retained while your account is active and for 30 days after termination.
• AI conversation logs: retained while the service is active and deleted within 30 days after cancellation, unless a longer period is required by law.
• Billing records: retained for 7 years as required by Dutch tax law.
• Marketing consent records: retained for as long as consent is valid plus 3 years.

7. Your Rights

Under GDPR and Dutch data protection law, you have the right to:

• Access: request a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of your data ("right to be forgotten").
• Restriction: request restricted processing of your data.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at gonzalo@gbrutuspower.com. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and secure development practices.

9. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date.

11. Contact Us

GBrutus Power
76 Van Ollefenstraat
Amsterdam, Netherlands
gonzalo@gbrutuspower.com

You also have the right to lodge a complaint with the Dutch Data Protection Authority at autoriteitpersoonsgegevens.nl.