GDPR Compliance
Last updated: April 2026
1. Introduction
AI Survivors processes personal data in compliance with the General Data Protection Regulation (GDPR, Regulation EU 2016/679). This document describes how we, as data controller, handle personal data of clients, website visitors and contacts.
2. Data Controller
AI Survivors
Mitchell van Rijkom
Email: [email protected]
For questions about data processing or to exercise your rights, please contact us at the above email address.
3. Legal Basis for Processing
We only process personal data where a valid legal basis exists:
| Legal basis | When applicable |
|---|---|
| Consent (Art. 6(1)(a)) | Cookies, marketing communications |
| Contract (Art. 6(1)(b)) | Delivery of engagements |
| Legal obligation (Art. 6(1)(c)) | Invoice retention obligations |
| Legitimate interest (Art. 6(1)(f)) | Website security, analytics |
4. What Data We Process
We only process data you actively provide or that is necessary for our services:
- Contact details: name, email address, phone number, company name
- Project data: information you share in the context of an engagement
- Invoice data: name, address, VAT number, bank details
- Website data: IP address, browser type, pages visited (anonymised)
5. Retention Periods
| Category | Retention period |
|---|---|
| Contact details | Max. 2 years after last contact |
| Project documentation | Duration of engagement + 7 years (tax obligation) |
| Invoice data | 7 years (legally required) |
| Website analytics | 26 months (anonymised) |
| Email correspondence | 2 years after closure |
6. Your Rights as a Data Subject
Under GDPR you have the following rights:
- Right of access (Art. 15): You may request what personal data we process about you, for what purpose, and for how long we retain it.
- Right to rectification (Art. 16): You may have inaccurate or incomplete data corrected or supplemented.
- Right to erasure (Art. 17): You may request deletion of your data where no legal retention obligation applies and processing is no longer necessary.
- Right to restriction (Art. 18): You may request that processing of your data be temporarily restricted, for example while an objection is being assessed.
- Right to data portability (Art. 20): You have the right to receive your data in a commonly used, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
You can exercise your rights via [email protected]. We will respond within 30 days.
7. Data Sharing with Third Parties
We do not share your data with third parties for commercial purposes. We use a limited number of processors:
| Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, backups | EU (West-Europe) |
| Strato | Server hosting | Germany |
| Resend | Transactional email | EU |
Data Processing Agreements have been concluded with all processors in accordance with Art. 28 GDPR.
8. International Transfers
Your personal data is not transferred to countries outside the EEA unless an adequate legal basis exists (such as Standard Contractual Clauses under Art. 46 GDPR).
9. Data Breaches
In the event of a data breach that is likely to pose a risk to data subjects, we notify the relevant supervisory authority within 72 hours (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights, we will also notify you directly (Art. 34 GDPR).
10. Complaints
If you believe we are not handling your personal data correctly, you have the right to lodge a complaint with the relevant supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
We appreciate you contacting us first at [email protected] so we can resolve the issue together.
11. Changes
This policy may be updated. The date at the top of this document indicates the most recent version. For significant changes, we will notify active contacts by email.
