Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

When you register for an account, we collect your name, email address, company name, job title, and phone number. This data is necessary to create and maintain your account.

2.2 Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, timestamps of activity, IP address, browser type, and device information.

2.3 Payment Information

When you subscribe to a paid plan, we collect billing details such as your billing address and payment method. Payment card details are processed and stored exclusively by our PCI-compliant payment processor and are never stored on our servers.

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies to maintain your session, remember your preferences, and improve your experience. For full details, see our Cookie Policy.

2.5 Customer Business Data

Any data you input into the platform (e.g., contacts, invoices, HR records) is processed on your behalf. You remain the data controller for this data, and we act as a data processor.

3. How We Use Your Data

We process your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the Select27 platform, including account management, authentication, and core functionality.
• Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the quality and performance of our platform.
• Communication: To send you transactional emails (e.g., password resets, billing receipts) and, with your consent, product updates and announcements.
• Security: To detect and prevent fraud, abuse, and security incidents.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes, including tax reporting and anti-money laundering obligations.

4. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with our services under our Terms of Service.
• Legitimate Interest (Art. 6(1)(f)): Processing for security, fraud prevention, and service improvement where our interests do not override your rights.
• Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as for non-essential cookies or marketing communications.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations.

5. Data Retention

We retain your personal data for as long as your account is active and for an additional period of 5 years after account closure or termination, unless a longer retention period is required by law (e.g., for tax or accounting purposes). Usage logs and analytics data are retained in aggregated, anonymized form after 24 months.

6. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.
• Right to Data Portability: You may request a machine-readable copy of your personal data for transfer to another service.
• Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
• Right to Object: You may object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@select27.com. We will respond within 30 days.

7. Sub-Processors and Data Transfers

We use a limited number of sub-processors to deliver our services. Primary infrastructure is hosted within the European Union (Hetzner, Germany). When you use the AI assistant feature, your messages are processed by our AI provider, Anthropic (based in the United States), via their API. Anthropic processes data under a Data Processing Agreement and does not use your data for model training. For international data transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

Sub-processors

For details on our data processing arrangements, see our Data Processing Agreement.

8. AI & Automated Processing

Select27 uses an AI assistant powered by Anthropic's Claude to help you with business tasks. When you interact with the AI assistant:

• Your messages and relevant business context are sent to Anthropic's API for processing.
• Anthropic does not use your data to train their models (per their API Terms of Service).
• AI-generated responses should be reviewed by a human before being used for critical business decisions.
• You can choose not to use the AI assistant; all core platform features work without it.
• AI interaction data may be temporarily stored by Anthropic for up to 30 days for abuse prevention.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.3) and at rest, access controls, regular security assessments, and containerized tenant isolation. Despite these measures, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at:

11. Cookies

We use cookies and similar technologies to operate and improve our platform. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the platform after any changes constitutes your acceptance of the updated policy.

13. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.