Last reviewed 2026-05-18
Privacy Policy
This policy explains how Mathys Seynaeve, operating ECGT Ready from Mamer, Luxembourg (the operator, we, us), processes personal data when you visit ecgtready.eu, request a demo, or use the platform. It is written to satisfy Articles 13 and 14 of the General Data Protection Regulation (GDPR) and the Luxembourg implementing law of 1 August 2018.
1. Controller and contact
- Controller: Mathys Seynaeve, Mamer, Luxembourg (until SARL-S is registered, then the SARL-S becomes controller).
- Privacy and data protection contact (no formal DPO appointed under GDPR Art. 37): contact@ecgtready.eu
- Supervisory authority: Commission Nationale pour la Protection des Données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, cnpd.lu
We have not appointed a formal DPO because we do not meet the thresholds in GDPR Article 37(1). The dpo@ alias still routes to the privacy team so you have a single mailbox to write to.
2. What we collect, why, and on what legal basis
2.1 Visitors and demo requests
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP, user agent, request metadata | Site security, abuse prevention | Legitimate interest (Art. 6(1)(f)) | 30 days raw, then aggregated |
| Cookie consent record | Prove your consent choice | Legal obligation (ePrivacy + GDPR) | 13 months |
| Demo form (name, email, store URL, message) | Reply to your request | Pre-contract steps + legitimate interest | 24 months from last contact |
| Newsletter email (if you opt in) | Send product updates | Consent (Art. 6(1)(a)) | Until you unsubscribe |
| Deep Scan waitlist (email, confirm token, hashed IP, user agent) | Confirm your double opt-in and send you the one-off Deep Scan launch notice; deleted on request | Consent (Art. 6(1)(a)); legitimate interest for the hashed IP and user agent (abuse control on the public form) | Until launch notice is sent and you ask us to delete it; 24 months max |
2.2 Customers and signed-in users
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account: name, email, hashed password, MFA factors | Provide the service, account security | Contract (Art. 6(1)(b)) | Account life + 12 months |
| Workspace metadata, scan inputs, scan results | Run the scan engine, deliver reports | Contract | Account life; export on request |
| Billing: company name, billing address, VAT, invoices | Invoicing, accounting | Contract + legal obligation | 10 years (LU accounting law) |
| Audit logs (admin actions, security events) | Security, breach investigation, SOC needs | Legitimate interest | 12 months |
| Support correspondence | Help you | Contract + legitimate interest | 24 months from last contact |
| Connect API: bearer key hash, request URLs, response metadata, per-call token totals | Provide the Connect API, enforce the monthly hard cap, bill usage, support the integration | Contract (Art. 6(1)(b)) | Account life; ledger rows retained 24 months for billing reconciliation |
2.3 Data we do not collect
- We do not collect special category data (health, religion, etc.).
- We do not collect children's data. The service is not directed at people under 16. Do not create an account for a minor.
- We do not buy personal data from data brokers.
3. The scan engine and AI processing
When you submit a URL or text to be scanned, the page text is sent to our model provider (Anthropic, see subprocessors) for inference. Anthropic does not train its models on data sent through the API. We do not feed your data into a separate model for training either. See our AI Act notice and methodology for detail.
4. Cookies and similar technologies
Strictly necessary cookies are set when you sign in or save consent choices. All other categories require your consent. You can review or change your choice at any time from the cookie banner. See our cookie policy.
5. Recipients
We rely on a small number of subprocessors to run the platform. The full list, with location and transfer safeguards, is published at /legal/subprocessors. We do not sell personal data and we do not share it with advertisers.
6. International transfers
Some subprocessors operate from the United States (Anthropic, Vercel edge, Resend). Where personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary measures (encryption in transit, access controls, contractual data minimisation). Where a vendor is certified under the EU-US Data Privacy Framework we may rely on that as the primary safeguard.
7. Your rights
- Access: ask for a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: ask us to delete your data, subject to legal retention.
- Restriction: ask us to pause certain processing.
- Portability: receive your data in a structured machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, you can withdraw at any time.
- Complaint: lodge a complaint with the CNPD (Luxembourg) or your local supervisory authority.
To exercise any right, write to contact@ecgtready.eu or use the data subject request flow. We respond within 30 days.
8. Automated decision-making
The scan engine produces an indicative risk score. This is not a decision with legal or similarly significant effect on you within the meaning of GDPR Article 22. A human (you) reviews and acts on the score. We never block your store or contact authorities on your behalf.
9. Security
See our security statement. In short: TLS in transit, encryption at rest, RLS + GRANT in the database, MFA available, audit logs, regular backups.
10. Breach notification
We notify the CNPD within 72 hours of becoming aware of a personal data breach where required by GDPR Article 33, and notify affected customers without undue delay where Article 34 applies.
11. Changes
We update this policy when our processing changes. The "Last reviewed" date at the top tracks the latest revision. Material changes are emailed to active customers.
Questions about this page? contact@ecgtready.eu