Privacy Policy
Last updated on [enter date]
Coheed (“we”, “us”, or “Coheed”) values the protection of your personal data. Coheed provides a SaaS platform that unifies data from various operational systems so organisations can surface insights and connect AI agents. This privacy policy explains, clearly and transparently, which data we process through the website coheed.nl and in the context of our services, and how we handle that data. We comply with the requirements of the General Data Protection Regulation (GDPR).
This policy distinguishes between two roles: (1) as data controller for the data of website visitors and (business) contacts, and (2) as data processor for the data that we combine and process on behalf of our customers within the platform. See chapters 2 and 3 below.
1. Who are we?
Coheed is the data controller for the processing of your personal data as described in this policy. Our contact details:
- Company name: [enter company name]
- Address: [enter address]
- Email: [enter email address]
- Phone: [enter phone number]
- Chamber of Commerce (KvK) number: [enter KvK number]
- Website: coheed.nl
2. What data do we process as data controller?
This chapter describes the personal data we process from website visitors and contacts. We only process this data for the purposes for which you provided it to us, or which are necessary to operate our website and services.
2.1 Contact form
When you contact us via the contact form, we process the data you enter in order to respond to your question or request.
| Data | Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|---|
| Name, email address, phone number (if provided), and the content of your message | Getting in touch and answering your question | Legitimate interest / taking steps prior to entering into a contract | Up to a maximum of [e.g. 12 months] after handling |
2.2 Account and login
Customers who have signed an agreement with us get access to our platform through an account. Payment via the website is not possible; invoicing takes place outside the website based on the agreement. For the account, we process the data necessary to grant access and perform the service.
| Data | Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|---|
| Name, business email address, phone number, job title/organisation, login credentials, and platform usage/log data | Creating and managing your account, granting platform access, security, and customer support | Performance of the agreement; legitimate interest (security) | As long as the agreement and account are active; afterwards we delete the data within a reasonable period, unless a statutory retention obligation applies |
2.3 Website statistics (analytics)
We use analytics software to understand how visitors use our website so that we can improve it.
| Data | Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|---|
| IP address (shortened/anonymised where applicable), browsing behaviour, pages visited, device and browser data | Analysing and improving the website | Consent, or legitimate interest with a privacy-friendly configuration | [enter analytics retention period, e.g. 14 or 26 months] |
We use [name of analytics provider, e.g. Google Analytics / Matomo / Plausible] for this purpose. Where possible, we have configured this service in a privacy-friendly way. You can read more about cookies in chapter 4.
3. Data we process as processor on behalf of customers
Our platform unifies data from our customers’ operational systems to surface insights and connect AI agents. To the extent that data contains personal data, we process it solely on the instructions of, and on behalf of, our customer. For that data, the customer is the data controller and determines the purposes and means; Coheed acts as processor.
- We process this data only in accordance with the customer’s instructions and the purpose for which it was provided.
- We enter into a data processing agreement with every customer, setting out arrangements on security, confidentiality, sub-processors, and retention periods.
- We do not use this data for our own purposes and do not provide it to third parties, except on the customer’s instructions or where legally required.
- Are you a data subject whose data is held in the platform via our customer? Please direct your request to that organisation (the data controller). We support our customers in handling such requests.
More information on how we deploy AI agents and models, and the safeguards that apply, is set out in the agreement and data processing agreement with the relevant customer.
4. AI agents, models, and automated decision-making
Our platform makes it possible to connect AI agents and models to the unified data. We consider it important to be transparent about how we handle this.
No training on customer data. We do not use the personal data we process on behalf of customers to train or improve our own or general AI models, unless expressly agreed with the customer. Where we use external AI providers, we choose, where possible, options where the data we supply is not used for training by that provider.
Automated decision-making.To the extent that AI agents make or prepare decisions that have legal effects on individuals or otherwise significantly affect them (Article 22 GDPR), this takes place under the customer’s responsibility. The customer determines whether and how automated decision-making is used, ensures the correct legal basis, and safeguards the rights of data subjects, including the right to human intervention, to express a point of view, and to contest a decision.
Coheed’s role.Coheed provides the technical capability and processes data solely in accordance with the customer’s instructions. Arrangements on the use of AI, logging, and safeguards are set out in the data processing agreement.
Are you a data subject and want to know whether automated decision-making takes place regarding you? Please contact the organisation (our customer) responsible for the relevant data.
5. Cookies
Our website uses cookies and similar technologies. A cookie is a small text file stored on your device when you visit our website.
- Functional cookies – necessary to make the website and login work properly (for example, for your session and account). No consent is required for these.
- Analytics cookies – to measure website usage, as described in section 2.3.
- Other cookies – [remove if not applicable, e.g. marketing/tracking cookies].
On your first visit, where legally required, we ask for your consent before placing non-essential cookies. You can change your cookie preferences at any time or delete cookies via your browser settings.
6. Sharing with third parties and transfers outside the EEA
We do not sell your data to third parties. We only share data where necessary to perform our services or to comply with a legal obligation, such as with:
- our hosting and cloud infrastructure providers and IT service providers;
- our analytics software provider;
- [list any AI/model providers or sub-processors, where applicable];
- government authorities, where we are legally required to do so.
We enter into a data processing agreement with parties that process personal data on our behalf, to ensure an equivalent level of security and confidentiality.
Transfers outside the EEA. Some of our suppliers, including possibly cloud and AI providers, process data outside the European Economic Area (for example, in the United States). In that case, we ensure a valid transfer mechanism, such as an adequacy decision of the European Commission or the Standard Contractual Clauses adopted by the Commission, supplemented with appropriate additional measures where necessary. [Name the relevant suppliers and the country of processing here, where applicable.]
7. Security and data breaches
We take appropriate technical and organisational measures to protect your personal data against loss or unlawful processing. Among other things, we use a secured (SSL/TLS) connection, access restrictions and logging, and we limit access to data to people who need it. If you believe your data is not adequately secured, or you notice signs of misuse, please contact us.
Data breaches. Despite our measures, a personal data breach may occur. We have a procedure to detect, assess, and handle data breaches. When we process personal data on behalf of a customer, we inform that customer without undue delay after becoming aware of a data breach, so the customer can comply with its statutory obligation to notify the Dutch Data Protection Authority and, where necessary, data subjects. For data for which we are ourselves the data controller, we handle these notifications ourselves where the law requires it.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access – you may request which data we process about you;
- Rectification – you may have incorrect data corrected;
- Erasure – you may ask us to delete your data (“right to be forgotten”);
- Restriction – you may have the processing restricted;
- Objection – you may object to the processing;
- Data portability – you may receive your data in a common format or have it transferred;
- Withdrawing consent – if processing is based on consent, you may withdraw it at any time.
Would you like to exercise one of these rights? Send a request to [enter email address]. To make sure the request comes from you, we may ask for additional identification. We respond as soon as possible, and no later than within one month. If your request concerns data we process on behalf of a customer (see chapter 3), we will refer you to that organisation.
9. Filing a complaint
Do you disagree with how we handle your data? You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via autoriteitpersoonsgegevens.nl.
10. Changes
We may amend this privacy policy from time to time, for example in response to changes in our services or in laws and regulations. The most current version is always available on this page. We recommend that you review this policy regularly.