Plain language summary: We collect your contact details when you use our free compliance checker or contact us. We use them to send you your report and follow up about our services. We use Google Analytics to understand site traffic. We do not sell your data. You can ask us to delete it at any time.
The data controller responsible for your personal data is:
AuditStream AI
Trading name — not yet incorporated as a legal entity
Belgium
Email: hello@auditstream.ai
AuditStream AI is operated by its co-founders Jeroen De Backer and Thomas Van der Auwermeulen, both resident in Belgium. For all data protection matters, you can contact us at the email address above.
We collect personal data in the following circumstances:
When you complete our free EU AI Act compliance checker and submit your contact details, we collect:
When you submit an enquiry via our contact page, we collect your name, email address, company, and the content of your message.
We use Google Analytics 4 (GA4) to collect anonymised browsing data including pages visited, session duration, device type, browser, and approximate geographic location (country/city level). This data does not directly identify you. See our Cookie Policy for details.
We do not collect, access, or store the contents of any AI datasets, training data, or production data that our clients may reference in discussions. Any such data shared during a paid audit engagement is governed by a separate Data Processing Agreement.
We process your personal data on the following legal bases under Article 6 GDPR:
| Data | Legal Basis | GDPR Article |
|---|---|---|
| Checker form contact details + answers | Legitimate interests — providing you with your requested report and following up on your expressed interest in our services | Art. 6(1)(f) |
| Contact form enquiries | Legitimate interests — responding to your direct enquiry and managing our business relationship | Art. 6(1)(f) |
| Google Analytics browsing data | Consent — collected via cookie consent (analytics cookies are only placed after you accept them) | Art. 6(1)(a) |
| Client data under a paid contract | Performance of a contract | Art. 6(1)(b) |
Where we rely on legitimate interests, you have the right to object to this processing at any time. See Section 7.
We use your personal data for the following purposes:
We will not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
Your personal data may be shared with or processed by the following categories of recipients:
| Recipient | Purpose | Location | Safeguard |
|---|---|---|---|
| Google LLC (Analytics) | Website analytics via GA4 | USA | EU Standard Contractual Clauses; Google Ads Data Processing Terms |
| Slack Technologies | Internal lead notifications | USA | EU Standard Contractual Clauses; Slack DPA |
| Google LLC (Sheets) | Internal lead tracking | USA | EU Standard Contractual Clauses; Google Workspace DPA |
| OVH SAS | Website hosting | France (EU) | Within EEA — no transfer safeguard required |
We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers.
All transfers to the United States are conducted under the EU–US Data Privacy Framework or Standard Contractual Clauses adopted by the European Commission.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Checker form leads (no commercial relationship formed) | 24 months from collection | Legitimate interests in follow-up within a reasonable sales cycle |
| Active client contact data | Duration of contract + 5 years | Belgian contractual limitation period (Art. 2262bis Civil Code) |
| Contact form enquiries | 24 months from last interaction | Legitimate interests in managing business correspondence |
| Google Analytics data | 14 months (GA4 default, configured in GA4 settings) | Anonymised analytics — set to minimum retention period |
| Financial and invoicing records | 7 years | Belgian accounting law (Art. 6 W.Venn./WVV) |
At the end of each retention period, data is securely deleted or anonymised.
As a data subject, you have the following rights under the GDPR (Regulation (EU) 2016/679) and the Belgian Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data:
To exercise any of these rights, contact us at hello@auditstream.ai. We will respond within 30 days in accordance with Article 12 GDPR. We may request proof of identity before processing your request.
⚠ If you believe we have violated your rights, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): www.dataprotectionauthority.be · Rue de la Presse 35, 1000 Brussels · Tel: +32 2 274 48 00.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours in accordance with Article 33 GDPR, and notify you directly if the risk is high.
Our services are directed exclusively at professionals and business users. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us immediately at hello@auditstream.ai and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page indicates when the most recent revision was made. For material changes, we will notify active clients by email. We encourage you to review this page periodically.
For any questions about this Privacy Policy or to exercise your data protection rights:
AuditStream AI
Email: hello@auditstream.ai
We aim to respond to all privacy-related enquiries within 5 business days, and in any event within the 30-day period required by GDPR.