Privacy Policy
Version 1.0 — 5-1-2026
1. Who we are
Veyron
- Address: Hazegoedweg 40, 8800 Roeselare, Belgium
- Company registration number (KBO): BE1029.939.169
- Email: privacy@veyron.digital
- Privacy contact (internal): Finance & Legal / compliance officer
Veyron is not required to appoint a Data Protection Officer (DPO). For questions about this privacy policy or the processing of personal data, you can reach us at privacy@veyron.digital.
Veyron helps businesses grow through digitalisation, automation, AI-supported processes and activation.
1.1 In brief
- We process personal data to handle enquiries, deliver our services, manage our administration and – only after consent or within reasonable B2B expectations – send relevant communications.
- We use AI exclusively as a supporting tool (analysis, summarisation, document creation), and an employee always validates the output before use.
- Where possible, we choose EU processing or EU data centres. If data is processed outside the EEA, we typically use SCCs and conduct a transfer impact assessment, supplemented by technical measures.
- We apply retention periods as operational maximums and delete or anonymise data when the period has expired, unless a legal obligation or dispute requires longer retention.
- You can exercise your GDPR rights via privacy@veyron.digital and you can always object to processing based on legitimate interest.
2. Roles: controller, processor and joint controllership
Veyron may, depending on the context, act as controller, as processor or, in exceptional cases, as joint controller.
2.1 When Veyron is controller
Veyron is controller for personal data we process for our own business operations, including:
- use of the website, forms and digital intake;
- communication and follow-up of enquiries;
- CRM management, administration and invoicing;
- marketing and relationship management (within the limits of consent or legitimate interest);
- security, logging and internal quality control.
2.2 When Veyron is processor
When we process personal data in the context of client projects or service provision, we typically act as processor and process data exclusively according to the client's (controller's) instructions.
As processor, we process, in general terms, project contacts, project documents and – if provided by the client – other necessary personal data to deliver the agreed services (e.g. analysis, automation, reporting or document formatting). We process this data exclusively according to documented instructions, with appropriate security, and we record details (purposes, categories, sub-processors, locations and retention periods) in the project agreement and/or data processing agreement (DPA).
2.3 How the role allocation is recorded
The specific role allocation (controller, processor or joint controllership) is recorded in writing per project or service in the agreement and, where applicable, in a data processing agreement (DPA). This includes the categories of data, purposes, security measures, (sub-)processor chain and arrangements for international transfers.
2.4 Joint controllership
In some projects, Veyron and a partner jointly determine the purposes and means of processing (for example in joint events, co-marketing campaigns or shared digital tools). In those cases, we act as joint controllers. We record our respective responsibilities in a joint arrangement (art. 26 GDPR), specifying which information obligations each party assumes and where you can exercise your rights. The essence of this arrangement is communicated per project via the relevant event or campaign pages and/or in the registration forms.
3. What personal data we process
We only process personal data necessary for our service provision and operations.
3.1 Identification and contact data
- first name and surname
- company name and position
- email address
- telephone number
- address details (if required for invoicing or contractual documents)
3.2 Data you provide via forms or communication
- content of your question or request
- information about your organisation, systems and context (to the extent you share it)
- documents or files you upload (to the extent necessary and permitted)
- content of correspondence via email or other communication channels
3.3 Technical data (via cookies and analytics)
- IP address
- browser and device type
- pages visited and interactions
- cookie information and tracking data (to the extent you give consent)
See our cookie policy for full details.
3.4 Data processed via AI systems (AI transparency)
When we use AI systems (such as OpenAI Business, Azure OpenAI or automation platforms), we only process:
- business information
- non-sensitive personal data necessary for the assignment
- anonymised or pseudonymised scan and project data, where possible
We do not process special categories of personal data (such as health, religion, political preference or biometric data) via AI tools, unless this has been agreed in writing in advance and appropriate safeguards apply.
AI output is always validated by an employee before use and is never used autonomously for binding decisions.
4. Purposes, legal bases and data linkage
We process personal data for the purposes below, each time based on a clear and valid legal basis. Where we rely on legitimate interest, we conduct a Legitimate Interest Assessment (LIA). Typical examples are B2B CRM/prospect management, security and internal quality control. In the LIA, we weigh our need for efficient business operations against your reasonable expectations, the limited impact through data minimisation and appropriate safeguards, and your right to object. You can request a brief summary of the relevant LIA via privacy@veyron.digital.
| Purpose | Examples of data | Legal basis | Retention period (max.) | Notes |
|---|---|---|---|---|
| Contact & follow-up of enquiries | name, position, email, telephone, content of your enquiry | pre-contractual necessity or legitimate interest | up to 3 years after last interaction | Processing is done by internal teams and may be via Zoho One (e.g. CRM/forms) and email/communication tools. Where those tools process outside the EEA, the safeguards from the 'International transfers' section apply. |
| Orientation scan / intake (digital scan) | input from forms, basic context about systems and goals | pre-contractual necessity or legitimate interest | scan input: max. 18 months | Internal consultants process the scan. For forms/scan tools and any AI support, processors may be engaged. Scan input may – if relevant to the requested analysis – be processed via AI platforms for summarisation/structuring; see section 'AI use' and 'International transfers'. |
| CRM prospect management & B2B relationship management | contact details, interaction history, notes on business context | legitimate interest (B2B relationship management) | up to 3 years after last interaction | We base prospect and B2B relationship management on legitimate interest (efficient business communication). We limit this to professional contact details, relevant business content and reasonable contact frequency. Our LIA weighs your reasonable expectations and the limited impact (data minimisation, right to object) against our need for relationship management. Processing typically occurs in Zoho One (CRM) and linked tools; see 'International transfers' if a provider processes outside the EEA. |
| Execution of services & project work | project contacts, deliverables, necessary project files | necessity for performance of contract | up to 3 years after project completion | Client-specific (sub-)processors may be engaged (hosting, integration, collaboration tools, AI). Per project, we record this in the agreement and/or DPA, including processing locations and transfers. An up-to-date (sub-)processor list is available on request. |
| Invoicing & accounting | invoicing data, payment information, contract references | legal obligation | 7 years (fiscal retention obligation) | Data is shared with accounting software, accountants and banks. If cloud accounting processes outside the EEA, this is done under SCCs and additional measures as described in 'International transfers'. |
| Marketing newsletters & campaigns | name, email, preferences, email interaction | consent | until withdrawal of consent | Email marketing is based on opt-in consent (no soft opt-in, unless we explicitly communicate this). Unsubscribing is always possible via the link in each email or via privacy@veyron.digital. Processing may occur via email marketing platform(s) and CRM. Any transfers outside the EEA fall under SCCs and additional measures. |
| Website analysis & optimisation | cookie IDs, IP address (truncated where possible), site behaviour | consent (cookie banner) | analytics data: max. 13 months | Analytics and optimisation only occur after cookie consent (not on legitimate interest). Examples of tools are Zoho PageSense/CMP and linked analytics. Details per cookie/vendor are in the cookie policy. |
| Security, logging & incident management | access logs, security events, technical metadata | legitimate interest and/or legal obligation | typically 12 months, longer in case of incident | Logs and security events may be processed by hosting providers, network/security tools and audit logging within our platforms (e.g. Zoho). Logs are not used for marketing. Where possible, logs are stored in EU environments; otherwise under SCCs and additional measures. |
| AI-supported analysis, summarisation & document creation (project-based) | non-sensitive project information and necessary personal data | performance of contract (or pre-contractual) | follows the project retention period | AI is only deployed as processor in enterprise environments (e.g. OpenAI Business/Enterprise or Azure OpenAI), with configurations that exclude model training on client data, with data minimisation, encryption and strict access control. Where available, we choose EU regions/EU data centres. Possible transfers outside the EEA fall under SCCs and additional measures. |
| Internal quality improvement | anonymised or internally generated data; statistics | legitimate interest | as long as necessary for quality purpose | For internal quality purposes, we preferably use anonymised or internally generated data and statistics. We avoid using directly identifiable personal data for this purpose. |
5. Retention periods and clean-up
The retention periods stated in this policy and table are operational maximums. We do not retain personal data longer than necessary for the purposes for which they were collected, unless a legal obligation, ongoing dispute, evidence preservation or limitation period requires longer retention.
Within our internal data retention policy, processes are in place to periodically (at least annually) review data and, when the retention period has expired and no exception applies, delete or irreversibly anonymise data. Where technically possible, we configure retention periods in systems so that automatic clean-up occurs.
We apply the following retention periods:
- Contact and prospect data: up to 3 years after the last interaction.
- Project and client data: up to 3 years after completion, unless longer retention is needed (for example for handling disputes, contractual liability or limitation periods).
- Invoicing and accounting: 7 years (fiscal retention obligation).
- Marketing data: until withdrawal of consent or objection (where applicable).
- Orientation scan/input: maximum 18 months.
- Analytics data: maximum 13 months (after consent via cookie banner).
Veyron conducts a periodic review (at least annually) of retention periods and deletes or anonymises data when the retention period has expired and no legitimate exception applies.
6. With whom we share data
We do not share personal data with third parties for their own marketing purposes. We only share data when this is necessary for our service provision, for legal obligations or with your consent.
6.1 Processors and sub-processors
We work with processors for operational and technical support. The list below is indicative and is supplemented per project and per service used. An up-to-date (sub-)processor list is available on request.
- Zoho One (CRM, administration, forms, analytics).
- cloud and hosting providers.
- automation and integration platforms.
- AI platforms (such as OpenAI Business or Azure OpenAI) that do not use client data for model training.
- freelancers or partners who collaborate on assignments, under contractual confidentiality and security requirements.
We contractually record processor obligations, including security measures, confidentiality and instructions. An up-to-date list of (sub-)processors can be requested via privacy@veyron.digital.
6.2 Legal authorities
Data may be shared with government authorities when this is legally required or when a valid request is received.
7. International transfers (outside the EEA)
Some of our service providers (for example certain cloud, CRM, email, analytics or AI providers) may process personal data outside the European Economic Area (EEA), for example in the United States or other third countries.
When this occurs, we typically use the Standard Contractual Clauses (SCCs) approved by the European Commission and conduct a transfer impact assessment (TIA). Where an adequacy decision applies, we rely on that. We acknowledge that in certain third countries a residual risk may exist (Schrems II) and therefore take additional measures where appropriate.
In addition to contractual safeguards, we take, where appropriate, additional technical and organisational measures, including:
- encryption in transit and, where available, at rest; key management with restricted access.
- data minimisation (only necessary data) and limitation of identifiable data.
- pseudonymisation or anonymisation when processing permits.
- strict access control, logging and contractual audit/assurance arrangements where possible.
When selecting providers, preference is given, where feasible, to EU data centres or EU processing. For AI processing, we exclusively use enterprise configurations (such as OpenAI Business/Enterprise or Azure OpenAI) and configure these so that client data is not used for model training. The specific data location and transfer basis may vary per service; where relevant, we explain this in the agreement/DPA and/or in specific notices (e.g. cookie policy).
8. AI use, governance and automated decision-making
8.1 AI platforms and configuration
We use AI exclusively in enterprise environments and under processor agreements. Per platform, we apply configurations to limit risks, including:
- no model training on client or project data (contractually and via tenant settings where available);
- data minimisation: only strictly necessary content is processed; pseudonymisation/anonymisation where possible;
- encryption and strict access control (need-to-know, MFA) for AI environments;
- limited logging and retention of prompts/outputs according to contract and internal retention policy;
- preference for EU regions/EU data centres where the service permits.
Examples of AI platforms used are OpenAI Business/Enterprise and Azure OpenAI. The specific configuration (region, retention, logging) may vary per use case and is recorded where relevant in the project file and/or DPA.
8.2 Legal basis and transparency for AI
When AI is used within client projects, the legal basis is typically performance of contract or pre-contractual necessity. For internal quality improvement, we rely on legitimate interest and use anonymised or internally generated data for this purpose in principle.
When a specific service intensively uses AI (for example a scan or intake tool), we provide additional information via the relevant product or service pages, intake information or project documentation.
8.3 Risk assessment and DPIA
When AI applications play a significant role in assessments about individuals or when processing may, by its nature, scope or context, pose an increased risk, we conduct a risk analysis and – if required or advisable – a Data Protection Impact Assessment (DPIA). This applies for example to profiling/scoring, systematic monitoring, large-scale processing, combination of data sources, use of new technology, or processing of special categories of data or data of vulnerable persons.
In the risk analysis/DPIA, we assess: (i) the nature of the data, (ii) the purposes and necessity/proportionality, (iii) the scope, duration and context, (iv) the potential impact on rights and freedoms, and (v) mitigating measures (human oversight, transparency, security). If significant risks cannot be mitigated, we adjust the processing or do not carry it out.
8.4 No autonomous decisions
Veyron does not carry out automated decision-making or profiling with legal effects for individuals, as referred to in Article 22 GDPR. AI output is always validated by an employee and never used autonomously for binding decisions.
9. Security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access or disclosure, taking into account the state of the art, the nature of the processing and the risks.
- encryption (in transit and where possible at rest)
- multi-factor authentication
- role-based access and need-to-know
- regular backups and recovery tests
- internal data classification (public, internal, confidential, personal data)
- controlled access to AI systems and prompt/output guidelines
- logging and monitoring where possible
10. Your rights
Within the limits of the GDPR, you have the following rights:
- access to your personal data;
- rectification of inaccurate data;
- erasure of data (to the extent permitted);
- restriction of processing;
- data portability (for processing based on consent or contract);
- objection to processing based on legitimate interest;
- withdrawal of consent (without affecting the lawfulness prior to withdrawal).
You can exercise these rights by contacting privacy@veyron.digital.
To prevent misuse, we may, proportionally, request additional information to verify your identity.
We handle your request in principle within one month. For complex or numerous requests, this period may be extended by a maximum of two months; in that case, we will inform you in a timely manner about the extension and the reason.
11. Cookies & analytics
Our website uses functional cookies and, after consent, analytical and marketing cookies. See our cookie policy for details.
12. Complaints
If you have a complaint about our processing of personal data, please contact us first via privacy@veyron.digital so that we can try to resolve the issue.
You can also file a complaint with the Data Protection Authority (Gegevensbeschermingsautoriteit, GBA):
- Address: Drukpersstraat 35, 1000 Brussels
- Website: www.gegevensbeschermingsautoriteit.be
13. Changes
We may update this privacy policy when legislation, our services or our processors change. The most recent version is available on our website and applies from the date of publication.