Skip to content
JedAi

PRIVACY POLICY JEDAI

Version 4.0 - May 2026

Translation notice. This is an English translation of the Dutch original, provided for convenience. In case of any discrepancy, the Dutch version (privacybeleid v4.0) prevails as the legally binding text.

Article 1: Introduction

1.1 This privacy policy describes how JedAi collects, processes and protects personal data. JedAi attaches great importance to the privacy of its customers, website visitors and other data subjects.

1.2 This privacy policy applies to all JedAi services, including AI chatbots, SaaS solutions, consultancy, training, implementation, AI workflow automation and the JedAi CRM platform.

1.3 By using our website, services or applications you agree to the processing of your personal data as described in this privacy policy.

1.4 This privacy policy should be read together with:

  • our Terms and Conditions (which contain additional provisions on data processing in articles 15 and 16);
  • our Data Processing Agreement (applicable when JedAi processes personal data on behalf of a customer);
  • our Sub-processor list (current, category-based list at jedai.nl/subverwerkers).

Article 2: Definitions

2.1 In this privacy policy the following definitions apply:

a. JedAi: the sole proprietorship JedAi, established in Oud-Beijerland at Boerderijweg 62, 3262 CC, registered with the Dutch Chamber of Commerce under number 42049125, operated for the account of its owner.

b. Controller: the party that determines the purpose and means of processing personal data. JedAi acts as Controller for its own customer relations, website visitors and business operations. For processing carried out on behalf of a customer (e.g. chatbots or SaaS for the customer's end users), JedAi acts as Processor; in that case the customer is the Controller.

c. Data subject: the natural person to whom personal data relates.

d. Personal data: any information relating to an identified or identifiable natural person.

e. Processing: any operation performed on personal data.

f. GDPR: the General Data Protection Regulation (EU) 2016/679.

g. Processor: a party that processes personal data on behalf of the Controller.

h. Sub-processor: a third party engaged by JedAi to perform (part of) a processing operation.

i. AI output: results generated by artificial intelligence, including texts, answers, analyses and automated suggestions.

Article 3: What data we collect

3.1 JedAi may collect the following categories of personal data:

3.2 Contact data: name, email address, phone number, company name and job title.

3.3 Customer and project data: company information, billing details, quotes, assignments and communication history in our CRM platform.

3.4 Chat data: messages and conversations conducted via our AI chatbots, including the content of the communication and metadata (timestamp, session information).

3.5 Usage data: login moments, performed actions and configuration settings within our SaaS services and AI applications.

3.6 Technical data: IP address (truncated where possible), browser type, device information, operating system and pages visited on our website.

3.7 Quote-approval data: acceptance status, time of approval, comments and acceptance of our Terms and Conditions during digital quote approval.

3.8 Training and workshop data: participant data including name, email address and any evaluation feedback.

3.9 Authentication data: login credentials and session information for access to our services.

Article 4: Purposes of data processing

4.1 JedAi processes personal data for the following purposes:

4.2 Service delivery: providing, configuring and maintaining AI chatbots, SaaS solutions and other services.

4.3 Customer relationship management: quotes, assignments, invoices and communication via our CRM platform.

4.4 Communication: answering questions, sending quotes/invoices, maintaining business relationships.

4.5 Training and consultancy: organising and delivering training sessions, workshops and advisory engagements, including sharing of training materials.

4.6 Service improvement: analysing anonymised metadata (such as error reports, performance statistics and usage volumes) to improve, optimise and secure our services. For clarity: JedAi does not use customer data, prompts or chat content to train public or shared AI models (see article 12).

4.7 Legal obligations: complying with tax retention obligations, accounting requirements and other statutory requirements.

4.8 Marketing: sending newsletters and information about our services, only with your prior consent.

4.9 Security: safeguarding the security of our systems, detecting misuse and preventing fraud.

Article 5: Legal bases for processing

5.1 JedAi processes personal data on the basis of the following GDPR legal bases:

5.2 Performance of a contract (art. 6(1)(b) GDPR): for delivery of our services and execution of agreements.

5.3 Consent (art. 6(1)(a) GDPR): with explicit consent, such as for marketing or non-functional cookies.

5.4 Legitimate interest (art. 6(1)(f) GDPR): for service improvement, customer relations, security and prevention. JedAi takes your interests and rights into account in this balancing test.

5.5 Legal obligation (art. 6(1)(c) GDPR): for statutory obligations such as tax retention.

Article 6: Retention periods

6.1 JedAi does not retain personal data longer than necessary for the purposes for which they were collected.

6.2 Customer and project data: for the duration of the agreement and a maximum of 7 years thereafter (tax retention obligation).

6.3 Chat data: in accordance with the agreement with the customer. After termination, chat data is deleted within 30 days, unless a longer retention period has been agreed.

6.4 Quote data: 7 years (tax retention obligation).

6.5 Marketing data: until unsubscription or a maximum of 3 years after last contact.

6.6 Technical logs and analytical data: maximum 12 months, unless required for security.

6.7 Training data: for the duration of the training project and a maximum of 2 years thereafter.

6.8 After expiry of the retention period, personal data is deleted or anonymised. For the full retention overview per data category we refer to our internal GDPR processing register (available to our customers on request).

Article 7: Your rights as a data subject

7.1 Under the GDPR you have the following rights:

7.2 Right of access (art. 15 GDPR): request an overview of your personal data.

7.3 Right to rectification (art. 16 GDPR): correction of inaccurate data.

7.4 Right to erasure (art. 17 GDPR): deletion of your personal data, unless retention is required by law (see article 6).

7.5 Right to restriction (art. 18 GDPR): restriction of processing in certain circumstances.

7.6 Right to data portability (art. 20 GDPR): receive personal data in a structured, commonly used and machine-readable format.

7.7 Right to object (art. 21 GDPR): object to processing based on legitimate interest.

7.8 Right to withdraw consent: for consent-based processing.

7.9 Self-service in the customer portal. Customers with an active customer portal account can request a download of their data (articles 15 + 20) and submit a deletion request (article 17) via Settings > My data (GDPR). Deletion requests are processed within one month; data subject to a tax or statutory retention obligation is retained but stripped of your personal data.

7.10 You can also exercise your rights via the contact details in article 16. JedAi responds within 30 days; in complex cases this may be extended once by 60 days.

7.11 When your request relates to processing where JedAi acts as Processor on behalf of a customer, we will forward your request to the customer concerned without delay, as that customer is the Controller.

Article 8: Data security

8.1 JedAi takes appropriate technical and organisational measures to protect personal data against loss, theft, unauthorised access, alteration or destruction.

8.2 These measures include:

  • encryption in transit (TLS 1.2+) and at rest;
  • two-factor authentication for system access;
  • Row Level Security at database level (all tables);
  • regular security updates and monitoring;
  • restricted employee/contractor access on a need-to-know basis;
  • a Data Loss Prevention filter that redacts personal data (BSN, IBAN, phone numbers, email addresses) before each external AI call.

8.3 Hosting takes place primarily within the European Union. For exceptions see article 11.

8.4 Data breach notification:

  • To the Dutch Data Protection Authority (AP): within 72 hours, if the breach is likely to result in a risk to the rights and freedoms of data subjects (art. 33 GDPR).
  • To data subjects: without undue delay if the breach is likely to result in a high risk (art. 34 GDPR).
  • To the customer (where JedAi acts as Processor): within 48 hours of detection, so the customer as Controller can fulfil its own notification obligations on time (see Data Processing Agreement art. 9).

Article 9: Cookies, localStorage and analytics

9.1 Scope. This article describes which cookies, similar storage technologies (localStorage, sessionStorage) and analytics mechanisms JedAi deploys on its public website (jedai.nl) and in the customer application (crm.jedai.nl). For cookies and pixels in our marketing emails, see article 9.7.

9.2 Strictly necessary cookies and session storage. The following cookies / storage items are necessary for the operation of our website and application:

  • Authentication cookie (httpOnly, secure): for your login session in the customer portal or CRM.
  • CSRF token: security measure against cross-site request forgery attacks.
  • Session token in localStorage: only active during a logged-in session, removed on logout.

These cookies are strictly necessary and cannot be disabled without breaking the service. They fall under the exception in article 11.7a paragraph 2 of the Dutch Telecommunications Act and do not require prior consent.

9.3 Functional localStorage items. For your own convenience we store a few settings in your browser:

  • Cookie-notice dismiss status: so our transparency notice does not reappear at every visit after you have dismissed it.
  • Language preference (NL/EN) when you actively set it.

These items are first-party (only readable by jedai.nl itself) and contain no personal data.

9.4 Analytics: Vercel Analytics (cookieless). For insight into which pages are visited and how users move through our site, we use Vercel Analytics. This is a cookieless tracking mechanism:

  • No tracking cookies are placed.
  • An anonymised visitor ID is stored in your browser via localStorage. This ID is not linked to your identity.
  • Your IP address is truncated server-side (last parts removed) before processing.
  • Vercel does not sell analytics data to third parties, does not use it for advertising and does not grant access to other customers.

Given the minimal-impact nature of Vercel Analytics, JedAi considers this processing on the basis of legitimate interest (art. 6(1)(f) GDPR); see also our DPIA for BusinessWaard funnel tracking for the balancing criteria.

9.5 Transparency notice. On your first visit to jedai.nl we display a short notice in the bottom right that informs you of Vercel Analytics. Once dismissed, it does not reappear. Your choice is stored in localStorage (see article 9.3).

9.6 No advertising, no tracking for third parties. JedAi does not use any of the following technologies:

  • No Google Analytics, Facebook Pixel, Hotjar, Mixpanel or similar tracker.
  • No advertising cookies, no retargeting, no cross-site tracking.
  • No sale, transfer or trade of your browsing behaviour to third parties.

9.7 Marketing emails: open and click tracking. Our transactional emails (quotes, invoices, reminders) contain no tracking pixels. Our marketing emails (only after explicit opt-in) contain a tracking pixel to measure open and click behaviour at the aggregate level. You can unsubscribe at any time via the unsubscribe link at the bottom of each email. Unsubscription is effective immediately and is recorded indefinitely to prevent you from being approached again after unsubscribing.

9.8 Management. You can manage your cookies and localStorage at any time via:

  • your browser settings (Chrome, Edge, Firefox and Safari all offer an option to clear or block site data);
  • our unsubscribe link in each marketing email (for open/click tracking);
  • the logout button in our application (removes authentication cookies + session token).

9.9 Changes. If we consider new analytics or tracking technologies in the future that do place cookies or involve third parties, we will ask for your explicit consent in advance via a consent banner with opt-in choice.

Article 10: Sharing with third parties and sub-processors

10.1 JedAi shares personal data with third parties only where necessary for the performance of our services or where legally required.

10.2 JedAi engages sub-processors in categories, including hosting providers, AI model providers, email platforms and productivity tools. As JedAi uses different combinations of tools depending on the engagement, JedAi maintains a current, category-based sub-processor list at:

>>> jedai.nl/subverwerkers

This list contains, per sub-processor, the service, location and safeguards for international transfers. On request you receive an engagement-specific overview.

10.3 Data Processing Agreements meeting GDPR requirements are in place with all sub-processors that process personal data.

10.4 For material changes to the sub-processor list (such as adding a new category or replacing a fixed sub-processor) JedAi informs its customers by email or via a notice on the sub-processor page.

10.5 JedAi provides personal data to government authorities only when legally required.

Article 11: International transfers

11.1 A number of sub-processors are based in the United States (e.g. AI model providers and communication platforms). This may result in transfers of personal data to countries outside the European Economic Area.

11.2 For such transfers JedAi safeguards an adequate level of protection through:

  • the EU-US Data Privacy Framework (where applicable, e.g. for Anthropic and Vercel);
  • Standard Contractual Clauses (SCCs, implementing decision 2021/914);
  • "zero data retention" arrangements with AI providers where available;
  • additional technical and organisational measures where necessary (such as the DLP filter described in article 8.2).

11.3 JedAi prefers EU data centres where technically and functionally possible. For Supabase, Microsoft 365, Upstash, Resend and Sentry the EU region is actively selected.

11.4 The status of the EU-US Data Privacy Framework is monitored by JedAi every six months. In the event of revocation we activate a backup plan and inform you of the consequences for your data.

Article 12: AI applications and data processing

12.1 JedAi delivers AI applications that use artificial intelligence, including large language models (LLMs). When deploying these applications, personal data may be processed.

12.2 Chat conversations conducted via our AI chatbots may be processed by external AI platforms (such as Anthropic, OpenAI, Google or Microsoft). JedAi ensures appropriate Data Processing Agreements and SCCs with these platforms.

12.3 AI training with customer data. JedAi does not use data, prompts, documents or content from customers to train, retrain or fine-tune public or shared AI models. Only anonymised metadata (error reports, performance statistics, usage volumes) may be used for internal quality improvement. If a customer requests a customer-specific model that is trained on customer data, this is documented explicitly in writing.

12.4 AI output may contain inaccuracies (hallucinations). JedAi does not take automated decisions with legal effect based on AI output without human intervention (art. 22 GDPR).

12.5 Prior to each API call to an external AI provider, a Data Loss Prevention filter runs that detects and redacts direct personal data (BSN, IBAN, phone numbers, email addresses). This limits the actual transfer of personal data.

12.6 AI Act transparency (art. 50 AI Act, in force from 2 August 2026). End users are informed that they are interacting with an AI system. For AI-generated or AI-manipulated content (synthetic content), JedAi and the customer make arrangements where necessary about watermarks, labels or other markers.

Article 13: Data Processing Agreement

13.1 When JedAi processes personal data on behalf of a customer (e.g. chat data of the customer's end users), JedAi acts as Processor. In that case the parties enter into a separate Data Processing Agreement.

13.2 A template of our Data Processing Agreement (v1.1) is available on request via privacy@jedai.nl and is completed and signed per customer.

13.3 The Data Processing Agreement records, among other things: the subject and duration of the processing, its nature and purpose, the categories of data subjects and personal data, the rights and obligations of both parties, and the technical and organisational measures applied.

Article 14: Continuity and legal succession

14.1 JedAi is a sole proprietorship. In the event of long-term illness, incapacity or death of the owner, the continuity arrangement in article 4.4 of the Terms and Conditions takes effect. For customer data, article 17.5 of the Terms and Conditions applies: data is made available for export for 30 days and then deleted, unless statutory retention obligations dictate otherwise.

14.2 When the business is transferred to a legal successor (including a future private limited company of the owner) this privacy policy remains in force; data subjects are informed of any such transfer.

Article 15: Changes to this privacy policy

15.1 JedAi reserves the right to amend this privacy policy to comply with changed legal obligations, new services or changed business processes.

15.2 Material changes are communicated via our website and, where possible, by email.

15.3 The most recent version is always available at jedai.nl/privacybeleid.

Article 16: Contact and complaints

16.1 For questions, requests or complaints:

16.2 Privacy / GDPR requests: privacy@jedai.nl

16.3 General: info@jedai.nl

16.4 Post: JedAi, Boerderijweg 62, 3262 CC Oud-Beijerland, Netherlands

16.5 JedAi aims to respond within 30 days. In complex cases this may be extended once by 60 days (you will be informed in time).

16.6 If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (www.autoriteitpersoonsgegevens.nl).

JedAi (sole proprietorship) Boerderijweg 62 3262 CC Oud-Beijerland Netherlands

CoC: 42049125 VAT: NL005455557B05

privacy@jedai.nl www.jedai.nl