Privacy Policy
Last updated: February 2026
1. Data Controller
The controller responsible for the processing of your personal data through the Data Enricher service is:
Yves Van Damme
Sole trader (eenmanszaak) under Belgian law
[Your Address]
Belgium
Enterprise number / VAT: BE 0XXX.XXX.XXX
Email: hello@dataenricher.be
As a sole trader (eenmanszaak), the natural person identified above acts as the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address — provided during registration or Google OAuth sign-in
- Full name — provided during registration or obtained from your Google account
- Organisation name — optionally provided during registration
- Password — stored as a one-way bcrypt hash; we never store or see your plaintext password
- Google profile data — email, name, and profile picture URL obtained via Google OAuth (if you choose to sign in with Google)
2.2 Product Data
- Product information — titles, descriptions, prices, SKUs, images, and other product attributes you upload via CSV/Excel or that are scraped from URLs you provide
- AI-enriched content — product descriptions, SEO keywords, bullet points, and translations generated by our AI enrichment pipeline
- Generated media — product images and videos generated by the service on your behalf
2.3 Usage Data
- Service usage — actions performed (imports, enrichments, exports), credit consumption, feature usage
- Technical data — browser type, IP address (for security and rate limiting), timestamps of access
- Authentication logs — login timestamps and failed login attempts (security monitoring)
2.4 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, bank account details, or other payment instrument data on our servers. Stripe provides us with a customer reference ID, transaction amounts, and purchase dates only.
3. Legal Basis for Processing
Under Article 6(1) of the GDPR, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of a contract (Art. 6(1)(b)) |
| AI enrichment of product data | Performance of a contract (Art. 6(1)(b)) |
| Payment processing via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Transactional emails (password reset, verification) | Performance of a contract (Art. 6(1)(b)) |
| Service security, rate limiting, and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Usage analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Google OAuth sign-in | Consent (Art. 6(1)(a)) |
| Retaining tax and accounting records | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, our interest is ensuring the security, reliability, and continuous improvement of the service. We have assessed that this processing does not override your fundamental rights and freedoms. You may request details of these balancing assessments by contacting us.
4. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described above:
| Data Category | Retention Period |
|---|---|
| Account data (email, name, organisation) | Duration of your account + 30 days after deletion request |
| Product data & AI-enriched content | Duration of your account; permanently deleted upon account termination |
| Generated media (images, videos) | Duration of your account; permanently deleted upon account termination |
| Usage logs & analytics | 12 months, then anonymised or deleted |
| Payment transaction references | 7 years (Belgian accounting obligation under Art. III.86 Code of Economic Law / Wetboek van economisch recht) |
| Security logs (IP addresses, failed logins) | 90 days |
5. Third-Party Processors
We do not sell your data to third parties. We do not share your data with advertisers. We do not use your product data to train our own AI models.
We use the following third-party services to operate Data Enricher. Each acts as a data processor under Article 28 GDPR, and we have appropriate data processing agreements in place:
Google Cloud / Gemini API / Vertex AI
AI content generation, vision analysis, image generation, and video generation. Product data (text and images) is sent to Google's Gemini API for processing. Subject to Google Cloud Data Processing Addendum.
Location: United States / global (Google Cloud regions)
Supabase (PostgreSQL)
Database hosting for account data, product data, and AI-enriched content. Multi-tenant architecture with Row-Level Security (RLS) isolation between accounts.
Location: EU (Frankfurt) or US, depending on project configuration
Railway
Application hosting and server infrastructure. Processes all HTTP requests and temporarily stores uploaded files and generated media.
Location: United States (US-West)
Stripe
Payment processing. Stripe handles all credit card and payment instrument data directly. We never receive or store your full card details. Subject to Stripe Privacy Policy.
Location: European Union (Ireland) and United States
Google OAuth
Authentication. If you choose to sign in via Google, your email, name, and profile picture URL are retrieved from Google and stored in your account.
Location: United States / global (Google infrastructure)
Upstash (Redis)
Queue management and rate limiting infrastructure. Temporarily stores job metadata for background processing. No long-term personal data storage.
Location: European Union
AI Media Providers (OpenAI, Replicate, fal.ai, WaveSpeed, Claid.ai)
Image and video generation. Product image data and text prompts may be sent to these providers when you use the media generation features. Data is processed ephemerally and not retained by these providers for training purposes.
Location: United States
6. International Data Transfers
Some of our third-party processors are established outside the European Economic Area (EEA), primarily in the United States. These transfers are protected by the following safeguards:
- EU-U.S. Data Privacy Framework — Google LLC and Stripe, Inc. are certified under the EU-U.S. Data Privacy Framework, which provides an adequate level of data protection as recognised by the European Commission (Adequacy Decision of 10 July 2023).
- Standard Contractual Clauses (SCCs) — Where the Data Privacy Framework does not apply, we ensure that processors have executed the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor).
You may request a copy of the relevant transfer safeguards by contacting us at the address provided in Section 13.
8. Security Measures
We implement appropriate technical and organisational measures to protect your personal data in accordance with Article 32 GDPR, including:
- Passwords hashed with bcrypt (12 salt rounds)
- OAuth tokens encrypted with AES-256-GCM before database storage
- JWT authentication with 30-minute access token expiry
- Row-Level Security (RLS) for complete tenant data isolation in the database
- Tiered rate limiting (Redis-backed) to prevent brute-force attacks
- Account lockout after repeated failed login attempts
- HTTPS encryption in transit for all connections
- Security headers (Content Security Policy, HSTS, X-Frame-Options)
- Circuit breakers for external API calls to prevent cascading failures
While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe your account has been compromised, please contact us immediately.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You may request a copy of all personal data we hold about you, free of charge.
Right to Rectification (Art. 16)
You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
You may request deletion of your personal data ("right to be forgotten"). Upon request, we will delete your account and all associated product data within 30 days, except where retention is required by Belgian law (e.g., accounting records for 7 years).
Right to Data Portability (Art. 20)
You may request your data in a structured, commonly used, machine-readable format. Our export feature already allows you to download all your product data as Excel/CSV files at any time directly from the application.
Right to Restriction of Processing (Art. 18)
You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing pending verification.
Right to Object (Art. 21)
You may object to processing based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (e.g., Google OAuth sign-in), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at hello@dataenricher.be. We will respond within 30 days, as required by Article 12(3) GDPR. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
10. Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right under Article 77 GDPR to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat / Rue de la Presse 35
1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
You may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or where the alleged infringement occurred.
11. Children's Privacy
Data Enricher is a business-to-business service intended for e-commerce professionals. We do not knowingly collect personal data from children under the age of 16 (the age threshold set by Belgium under Article 8(1) GDPR). If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@dataenricher.be.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address associated with your account) or by placing a prominent notice within the service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
13. Contact
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:
Data Enricher — Privacy Enquiries
Email: hello@dataenricher.be
Yves Van Damme
[Your Address]
Belgium
Enterprise number: BE 0XXX.XXX.XXX
As a sole trader processing data primarily for B2B services without large-scale systematic monitoring of individuals, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. All privacy enquiries are handled directly by the data controller identified above.