Laava LogoLaava

Privacy

Privacy Policy

Last updated: 21 May 2026

This document covers

How data is processedWhat data is used forWhich rights data subjects haveHow contact or requests are handled

Laava B.V. processes personal data. This privacy policy explains which data we process, why we process it, how long we keep it and which rights you have.

Laava B.V., Gerbrandypad 17, 3515 HA Utrecht, the Netherlands. KVK: 97025356. VAT: NL867879439B01. Contact: [email protected].

1. Controller

Laava B.V. is the controller for personal data processed through this website, contact requests, business correspondence and our own administration.

When we process personal data on behalf of a client, for example within a client project or AI solution, we usually act as processor. In that case, the arrangements are recorded in a separate data processing agreement with the client.

2. Data we process

Through the website, contact forms and business communication we may process:

  • Name, email address, phone number, company name and job title.
  • The contents of messages, requests and appointments.
  • Technical data such as IP address, browser, device, visited pages and server logs.

For clients and suppliers we may process:

  • Business contact details.
  • Contract, quote, invoice and payment data.
  • Communication about engagements, support and execution.

Within client engagements we may also process documents, datasets, prompts, transcripts or other information provided by the client. The client determines what data is included and remains responsible for the lawful provision of that data.

We do not process special-category personal data unless this is necessary for a specific engagement and written arrangements have been made.

3. Purposes and legal bases

We process personal data for these purposes:

  • Responding to contact requests and messages.
  • Preparing, executing and managing engagements.
  • Delivering, maintaining and securing AI solutions and technical systems.
  • Invoicing, bookkeeping and statutory administration.
  • Improving our website, services and internal processes.
  • Securing our systems, preventing misuse and solving technical issues.

The legal bases are performance of a contract, legal obligation, consent or legitimate interest. Where we rely on legitimate interest, this includes security, business communication, debugging and improving our services.

We do not use personal data for profiling or solely automated decisions with legal effect.

4. Retention periods

We do not keep personal data longer than necessary:

  • Contact requests and email correspondence: maximum 24 months after the last contact, unless a client relationship starts.
  • Client and project administration: for the duration of the engagement and afterwards as needed for evidence, support or legal obligations.
  • Client documents in an engagement: until the engagement ends plus 90 days, unless agreed otherwise.
  • Invoices and bookkeeping records: 7 years.
  • Server logs and technical logs: maximum 30 days, unless longer retention is needed to investigate misuse or security incidents.

5. Sharing with third parties

We do not sell personal data. We share data only where needed for our services, business operations or legal obligations.

We use suppliers for, among other things:

  • Hosting, infrastructure and file storage.
  • Database, email delivery and business communication.
  • Bookkeeping, administration and payment processing.
  • AI model services and technical tools within client engagements.

We conclude a data processing agreement with processors. A current sub-processor list is available on request via [email protected].

6. Transfers outside the EEA

Some suppliers may be located outside the European Economic Area. In that case, we use a valid transfer mechanism, such as an adequacy decision, the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses.

7. AI and client data

We use client data only to perform the agreed engagement. We do not use client data to train our own models or improve products.

Where possible, we use model endpoints with zero data retention or contractual guarantees that data will not be used for training. The suitable model route, storage location and retention are agreed per engagement with the client.

For AI systems involving search, document processing, agentic workflows, voice, integrations or automation, we apply data minimisation, access controls, logging, source references, human review and escalation where relevant. The concrete setup depends on the engagement and the client's systems.

8. Cookies

This website uses functional cookies needed to make the site work. We do not use tracking cookies, marketing pixels or analytics cookies that require consent.

9. Security

We take appropriate technical and organisational measures to protect personal data. These include encrypted connections, access restrictions, multifactor authentication where appropriate, logging, backups and limiting access to people who need the data.

If a data breach occurs, we handle it under the GDPR. Where required, we notify the Dutch Data Protection Authority and inform data subjects.

10. Your rights

Under the GDPR you have the right to:

  • access your data.
  • have your data corrected or deleted.
  • restrict processing.
  • object to processing based on legitimate interest.
  • receive your data in a portable format.
  • withdraw consent, where processing is based on consent.

Send a request to [email protected]. We respond within 30 days. Sometimes we may or must ask for identification before handling a request.

You can also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

11. Changes

We may update this privacy policy. The most recent version is always on this page. For material changes we inform active clients by email.

Back to homeGeneral contact question
Privacy Policy | Laava