Privacy Policy

1. Who we are

EUCompany.org is operated by Westcube Management BV, established at Entrada 100, 1114 AA Amsterdam, The Netherlands (Chamber of Commerce number 96923954). For the purposes of the EU General Data Protection Regulation (GDPR), Westcube Management BV is the controller of personal data processed through this site. You can reach us at info@eucompany.org.

2. What personal data we process

We process only the data we need to run the platform. Specifically:

• Account data: name, email address, password (stored hashed), company name, role.
• Scan data: answers you give in the Quick Scan and Extended Scan, the resulting scores, and any company profile information you submit.
• Billing data: billing name, VAT number, address (needed for invoices on paid features).
• Payment metadata: transaction IDs and status from Mollie (we never see your card or bank details).
• Communication: messages you send us via forms or email.
• Technical data: IP address and browser type, collected only via Matomo analytics in cookieless mode (see section 6).

3. Why we process this data (legal basis)

• Contract performance (Art. 6(1)(b) GDPR): to create and manage your account, run scans, issue badges, process payments, and deliver scan results.
• Legal obligation (Art. 6(1)(c) GDPR): retaining invoices and accounting records for seven years under Dutch tax law.
• Legitimate interest (Art. 6(1)(f) GDPR): measuring aggregate usage of the site (cookieless), preventing abuse, and improving content. Balanced against your privacy interest; you can object at any time.
• Consent (Art. 6(1)(a) GDPR): for any optional use we ask you about explicitly — e.g. newsletter subscription, public company profile listing in the directory.

4. How long we keep your data

• Account data: while your account is active, plus 12 months after deactivation.
• Scan answers and scores: tied to your account; deleted when your account is deleted, unless you explicitly agreed to a public directory listing (in which case we keep the aggregated classification only).
• Invoices and billing records: seven years, as required by Dutch tax law.
• Contact form messages: up to 24 months after last contact.
• Analytics (Matomo): aggregated only, retained for 13 months.

5. Who we share data with

We only share personal data with third parties where necessary for the platform to function, and we sign a data processing agreement with each of them. Our current processors are:

• Hosting: European cloud provider (EU jurisdiction, data stored in the EU).
• Matomo Cloud (InnoCraft / Matomo Analytics, hosted in France): anonymised usage analytics in cookieless mode.
• Mollie Payments (The Netherlands): payment processing for the Extended Scan and other paid features.
• Email delivery: transactional email provider based in the EU.
• Anthropic / Mistral AI: when you use the AI advisor feature, your scan data and questions are sent to the underlying LLM provider. Mistral (EU-based) is used as primary; Anthropic as fallback.

We do not sell personal data. We do not share it with advertising networks. Data is kept within the EU wherever reasonably possible.

6. Cookies and analytics

7. Security

We apply appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords, CSRF protection on all state-changing requests, principle-of-least-privilege access to the database, and regular backups. If we become aware of a data breach that is likely to affect your rights, we will notify you and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in line with Art. 33 and 34 GDPR.

8. Your rights

Under the GDPR you have the following rights regarding your personal data:

• Access — ask what data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your data (“right to be forgotten”), subject to legal retention obligations.
• Restriction — ask us to limit processing while a dispute is being resolved.
• Data portability — get your data in a machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email info@eucompany.org. We respond within one month. We may ask for proof of identity to prevent disclosure to someone impersonating you.

9. Complaints

If you believe we are not handling your data properly, please contact us first so we can address it. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or with the supervisory authority in your EU country of residence.

10. Children

EUCompany.org is a B2B platform and is not directed at children under 16. We do not knowingly collect personal data from children.

11. International transfers

We host our platform and analytics within the European Union. Where a processor unavoidably involves a transfer outside the EU/EEA (for example, the AI fallback provider), we rely on Standard Contractual Clauses or adequacy decisions as safeguards under Chapter V GDPR. You can request more information about the specific safeguards in place.

12. Changes to this policy

We may update this privacy policy as the platform evolves. The “last updated” date at the top of this page reflects the most recent substantive change. Significant changes are communicated by email or via a notice on the site.