Privacy Policy

Last updated: April 19, 2026

This Privacy Policy describes how GBrutus Power ("we," "us," or "our") collects, uses, and shares your personal information when you visit our website, use our AI assistant services, or otherwise interact with us.

1. Information We Collect

Information you provide to us

• Contact information: name, email address, phone number, business name, and business address when you sign up, book a demo, or contact us.
• Business content: menus, pricing, FAQs, opening hours, and other business information you provide for your AI assistant.
• Payment information: billing details processed securely through our third-party payment processor. We do not store full payment card numbers.
• Communications: messages, emails, and other correspondence you send us.

Information collected automatically

• Usage data: pages visited, features used, time spent, click patterns, and referring URLs.
• Device information: browser type, operating system, device type, screen resolution, and language preference.
• IP address and location: approximate geographic location derived from your IP address.
• Cookies and similar technologies: as described in our Cookie Policy.

Chatbot interaction data

• Conversation logs: messages exchanged between end users and your AI assistant, used to improve response quality and provide analytics.
• Metadata: timestamps, session duration, language detected, and escalation events.

2. How We Use Your Information

We use personal information for the following purposes:

• Service delivery: to set up, operate, maintain, and improve your AI assistant.
• Communication: to respond to inquiries, send service updates, and provide customer support.
• Analytics and improvement: to understand usage patterns and improve our services.
• Billing: to process payments and manage subscriptions.
• Legal compliance: to comply with applicable laws, regulations, and legal processes.
• Security: to detect, prevent, and address fraud, abuse, and technical issues.

3. Legal Bases for Processing (GDPR)

Under the General Data Protection Regulation, we process your personal data based on:

• Contract performance: processing necessary to deliver our services to you.
• Legitimate interests: improving our services, analytics, fraud prevention, and marketing to existing customers.
• Consent: where you have given explicit consent, such as for marketing communications or non-essential cookies.
• Legal obligation: where processing is required by law.

4. How We Share Your Information

We do not sell your personal data. We may share information with:

• Service providers: cloud hosting, payment processing, analytics, and email delivery providers who process data on our behalf under data processing agreements.
• AI providers: language model providers (e.g., OpenAI, Anthropic) to power chatbot responses. Conversations are processed per their data processing terms and are not used to train their models.
• Legal requirements: when required by law, court order, or governmental authority.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

6. Data Retention

We retain personal data for as long as necessary to provide our services and fulfill the purposes described in this policy. Specifically:

• Account data: retained while your account is active and for 30 days after termination.
• Chatbot conversation logs: retained for up to 12 months for analytics and improvement, then anonymised or deleted.
• Billing records: retained for 7 years as required by Dutch tax law.
• Marketing consent records: retained for as long as consent is valid plus 3 years.

7. Your Rights

Under the GDPR and Dutch data protection law, you have the right to:

• Access: request a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of your data ("right to be forgotten").
• Restriction: request restricted processing of your data.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at gonzalo@gbrutuspower.com. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and secure development practices. However, no method of transmission or storage is completely secure.

9. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of our services after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

GBrutus Power
76 Van Ollefenstraat
Amsterdam, Netherlands
gonzalo@gbrutuspower.com

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.