Privacy Policy for GuusLab, ArtiFiles & Project Stride
Last updated: 12 May 2025
1. Introduction
GuusLab (eenmanszaak) ("GuusLab", "we", "our" or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, secure and store information when you use our products and services—namely GuusLab, ArtiFiles and Project Stride—including our websites, applications, APIs and related tools (collectively, the "Service").
GuusLab is the data controller for the processing activities described in this Policy unless explicitly stated otherwise. If you have any questions, you can reach us at:
GuusLab (eenmanszaak)
Attn: Guus Kaashoek
Emmaweg 46
3603 AN Maarssen
The Netherlands
KvK: 95954600
VAT ID: NL005184094B33
Email: [email protected]
Phone: +31 6 81253560
2. Scope
This Policy applies to all personal data processed when you access or use the Service, visit our websites, interact with us on social media, or otherwise communicate with us. It does not apply to third‑party websites or services that we do not own or control.
3. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email address, hashed password, organisation, role | Provided by you |
| Subscription & Payment Data | Billing address, VAT number, subscription tier, last 4 digits of card (full card data handled by Stripe) | You / Stripe |
| User Content | Files and assets uploaded to ArtiFiles; content, schemas & metadata stored in Project Stride; projects in GuusLab | Provided by you |
| AI Chat Content | Prompts, responses, context inside ArtiFiles chats | Provided by you; may be processed by Google AI or OpenAI |
| Communications | Support requests, feedback, email correspondence, newsletters | Provided by you |
| Usage & Device Data | IP address, browser type, device identifiers, feature clicks, A/B‑test variants, error logs | Collected automatically (custom in‑house telemetry) |
| Cookies | Session cookie, preference cookie, GuusLab analytics cookie | Collected automatically |
We do not intentionally collect special categories of personal data or data about children under 16.
4. How We Use Personal Data & Legal Bases (GDPR)
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the Service | Performance of contract (Art. 6 (1)(b)) |
| Authenticate users (Google Identity), process payments (Stripe) | Performance of contract |
| Operate AI features (Google AI, OpenAI) | Performance of contract; legitimate interest to deliver AI functionality |
| Respond to enquiries, provide support | Performance of contract; legitimate interest (Art. 6 (1)(f)) |
| Improve, debug and personalise the Service (incl. in‑house analytics & A/B tests) | Legitimate interest (Art. 6 (1)(f)) |
| Send service or security notifications | Legal obligation; performance of contract |
| Marketing emails & newsletters | Consent (Art. 6 (1)(a)); opt‑out anytime |
| Compliance with tax & accounting laws | Legal obligation (Art. 6 (1)(c)) |
| Detect and prevent fraud, abuse & security incidents | Legitimate interest (Art. 6 (1)(f)) |
| Aggregate/anonymise for statistics | Legitimate interest, provided no individual is identifiable |
We do not engage in automated decision‑making with legal or similarly significant effects.
5. Sharing of Personal Data
We never sell your personal data. We share it only as necessary:
| Recipient / Sub‑processor | Purpose | Location & Safeguards |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS & security (DDoS mitigation) | USA • SCCs • DPF certified |
| Stripe Payments Europe, Ltd. | Payment processing & fraud prevention | EEA/USA • SCCs |
| Wasabi Technologies, LLC (EU region) | Object storage for large files & backups | EU data centre • SCCs |
| Google LLC | Identity/auth services; optional AI processing (Vertex AI) | USA • SCCs • DPF certified |
| OpenAI, L.L.C. | AI chat/completions | USA • SCCs |
| Self‑hosted mail server (Mac mini, NL) | Transactional emails & newsletters | Netherlands |
| Professional advisors & auditors | Legal, accounting, security audits | Confidentiality agreements |
| Authorities | Where required by law or court order | Only upon valid request |
When we host your content in Project Stride, we act as data processor—processing solely on your instructions per our Data Processing Agreement (DPA).
6. International Data Transfers
Your data is primarily stored on our self‑hosted server in the Netherlands. Transfers outside the EEA occur only:
- To sub‑processors certified under the EU–US Data Privacy Framework (Cloudflare, Google); or
- Subject to Standard Contractual Clauses (SCCs) (Stripe, Wasabi, OpenAI).
You may request a copy of these safeguards via [email protected].
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Data & User Content | While account is active + 30 days after deletion (unless user deletes earlier) |
| AI Chat Logs | Retained as long as the chat / folder exists. Users can delete at any time. Accounts inactive for 2 years are auto‑deleted along with chat data. |
| Subscription & Payment Records | 7 years (Dutch tax law) |
| Support Tickets & Email | 24 months after resolution |
| Usage Logs & Telemetry | 12 months (aggregated thereafter) |
| Back‑ups | Rolling encrypted backups retained for up to 30 days |
8. Security Measures & Data Breach Notification
We implement appropriate technical and organisational measures, including:
- Self‑hosted Mac mini (encrypted disk) in a secured location
- TLS 1.2+ encryption for data in transit
- AES‑256 encryption for data at rest (Wasabi & internal storage)
- Firewall, intrusion‑detection and Cloudflare WAF & DDoS protection
- Role‑based access controls, MFA for admin logins
- Regular security patching and vulnerability scanning
- Automated off‑site backups to Wasabi (EU region)
Data breach procedure. If we become aware of a personal‑data breach, we will (a) investigate promptly, and (b) notify the Dutch Supervisory Authority and affected users within 72 hours where required under GDPR.
9. Cookies & Similar Technologies
We use a minimal set of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session_id | Strictly necessary | Keep you signed in | Session |
| prefs | Functional | Remember UI preferences | 1 year |
| glab_analytics | Analytics (first‑party) | Measure feature usage (non‑personal, aggregated) | 6 months |
We do not use third‑party analytics or marketing pixels. You can manage cookies in your browser or via our cookie banner.
10. Your Rights (EEA/UK)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, as well as to withdraw consent. To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens.
11. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect data from children. If we learn that a child has provided data, we will delete it promptly.
12. Changes to This Policy
We may update this Policy periodically. We will post the new Policy with a new "Last updated" date. Material changes take effect 30 days after posting; we will notify you via email or in‑app notice.
13. Contact & Data Protection Officer
Data Protection Officer (DPO): Guus Kaashoek
Email: [email protected]
Postal: Emmaweg 46, 3603 AN Maarssen, NL