This document is the English-language version of the privacy policy. In the event of any discrepancy between the Dutch-language and the English-language version, the Dutch-language version shall prevail.
Arkintel B.V. is a company registered in the Netherlands, with the following information:
This privacy policy is a legal agreement between you (hereinafter referred to as "user", "you" or "your") and Arkintel B.V. (hereinafter referred to as "Arkintel", "we", "us" or "our").
At Arkintel, one of our core values is the privacy of our users. We will only use the information that we collect about you lawfully, in accordance with the General Data Protection Regulation (GDPR / AVG), the Dutch GDPR Implementation Act (Uitvoeringswet AVG / UAVG), the Dutch Telecommunications Act (Telecommunicatiewet), and other applicable European and Dutch legislation.
This privacy policy pertains to your access to and use of the Arkintel debt-assistance platform, including the website (the "Site") and any related mobile website, mobile application, or connected media form (collectively, the "Services"). The Services are available exclusively to users within the European Union, as further described in our Terms of Service.
This privacy policy should be read in conjunction with our Terms of Service, which govern your use of the Services.
For the purposes of the GDPR:
If you have any questions about data protection or wish to exercise your rights, please contact us at the privacy contact email address listed at the top of this document.
Arkintel B.V. has not appointed a Data Protection Officer (DPO) as defined in Article 37 GDPR. The processing carried out by Arkintel does not meet the thresholds requiring a DPO appointment under Article 37(1) GDPR, given the limited scale of the current pilot programme and the nature of the data processed.
The Functionaris Gegevensbescherming (FG) of Gemeente Delft has been consulted on the platform's data protection practices in the context of the pilot programme. If you have any questions or concerns regarding data protection, please contact Arkintel at the privacy contact email address listed at the top of this document.
Arkintel will conduct a Data Protection Impact Assessment (DPIA) in accordance with Article 35 GDPR when the pilot programme transitions to extended or long-term use. The DPIA will cover the use of AI technology for chat assistance and document data extraction, the processing of financial data (debt, income, and expenses), and the involvement of potentially vulnerable data subjects.
By creating an account, you enter into a contract with Arkintel. The processing of your personal data is necessary for the performance of this contract as described in this privacy policy. Where processing is based on other legal grounds (such as legitimate interest), this is specified in the Legal Basis for Processing section below.
If we make material changes to this privacy policy, we will notify you by email so that you are always aware of what information we collect, how we use it, and under what circumstances we process it.
We will not collect any personal information about you unless you voluntarily provide it to us. However, you may be required to provide certain information when you register and during your use of the Services in order for us to deliver the service.
| Data field | Required | Purpose |
|---|---|---|
| Name | Optional | Personalisation of the AI assistant |
| Email address | Yes | Account authentication (login link) |
| Postcode | Yes | Verification of eligibility as a resident of a subscribing municipality; demographic analysis for the pilot study with Gemeente Delft (aggregated only) |
| Date of birth | Yes | Demographic analysis for the pilot study with Gemeente Delft (aggregated only) |
| Debt information | Yes | Core debt tracking functionality |
| Debt history | Yes | Core debt tracking functionality |
| Debt status | Yes | Core debt tracking functionality |
| Income information | Yes | Core debt tracking functionality |
| Expenses information | Yes | Core debt tracking functionality |
| Chat messages | Yes (during use) | AI chat assistant interaction |
Data we explicitly do not collect: BSN (burgerservicenummer), bank account numbers, identification document copies, or payment information. The service is provided free of charge to users during the Gemeente Delft pilot.
Providing the data marked as "Yes" (required) in the table above is a contractual requirement necessary for the delivery of the Services. If you do not provide the required data, Arkintel will be unable to provide you with access to the platform. Providing your name is optional and has no effect on your ability to use the Services.
When you upload a document (e.g. a debt letter or invoice), the AI extraction service processes it to extract structured financial data only (creditor names, amounts, dates). The original document is immediately scheduled for deletion after extraction and is typically removed within minutes. We do not store, retain, or make downloadable any uploaded files. Only the extracted structured data is persisted.
When you access the Services, we may automatically collect the following technical information:
This information is collected for the purposes of platform security, error detection, performance monitoring, and service improvement.
Arkintel acknowledges that debt, income, and expense data — while not classified as "special category data" under Article 9 GDPR — is considered sensitive personal data by the Autoriteit Persoonsgegevens. Users of a debt-assistance platform may be in a financially vulnerable position, which requires heightened care in the handling of their data. Arkintel applies technical and organisational safeguards appropriate to the sensitivity of this data and the vulnerability of its users, as described in the Security Measures section of this policy.
Arkintel processes your personal data on the following legal bases (Article 6 GDPR):
| Processing activity | Legal basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of a contract | 6(1)(b) |
| Debt tracking, AI chat, document extraction | Performance of a contract | 6(1)(b) |
| Postcode verification of municipality eligibility | Performance of a contract | 6(1)(b) |
| Platform security and fraud prevention | Legitimate interest | 6(1)(f) |
| Error logging and technical diagnostics | Legitimate interest | 6(1)(f) |
| Aggregated anonymised analytics | Legitimate interest | 6(1)(f) |
| Demographic data for pilot evaluation (postcode, date of birth) | Legitimate interest | 6(1)(f) |
Where a specific processing activity is not covered by the above bases, Arkintel will request your explicit consent (Article 6(1)(a)) before processing. You may withdraw such consent at any time by contacting us, without affecting the lawfulness of processing carried out before the withdrawal.
For processing based on legitimate interest, Arkintel has conducted a balancing assessment and concluded that these interests do not override your fundamental rights and freedoms, taking into account the nature of the data, the security measures in place, and the limited scope of such processing.
With respect to the use of postcode and date of birth for demographic pilot evaluation (the legitimate interest use; note that postcode is also processed under contract performance for municipality eligibility verification), Arkintel has conducted a specific balancing assessment in which the following factors were considered:
We use the information we collect for the following purposes:
We do not use your personal data for:
All data storage and backup locations are within the European Economic Area (EEA).
Arkintel and Arkintel apply appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
While we take all reasonable precautions to protect your data, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security, but we commit to addressing any security incident promptly and in accordance with our data breach notification obligations.
Arkintel and Arkintel engage the following sub-processors for the delivery of the Services:
| Sub-processor | Purpose | Data processed | Retention | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (Gemini AI Enterprise API) | AI chat responses and document data extraction | Chat messages, uploaded document content | Zero-retention (no data stored after response) | EU-US DPF and SCCs |
| Vercel Inc. | Frontend hosting (CDN) and privacy-friendly web analytics | User IP address, browser metadata, anonymous aggregated page view data | Standard CDN access logs per Vercel data processing terms | Standard Contractual Clauses (SCCs) |
| Cloudflare Inc. | CDN, DDoS protection, WAF | User IP address, request metadata | Limited log retention per Cloudflare data processing terms | Standard Contractual Clauses (SCCs) |
No data sent to Google is stored, retained, or used for model training after the response is returned. The engagement of Google as a sub-processor is governed by a data processing agreement between Arkintel B.V. and Google that meets the requirements of Article 28(2) and 28(4) GDPR.
Arkintel reserves the right to engage additional sub-processors in the future. Where a new sub-processor is engaged that materially affects the processing of your personal data, this privacy policy will be updated accordingly and users will be notified. If you object to a new sub-processor, you may terminate your account and request deletion of your data. Continued use of the Services after such an update constitutes acceptance of the new sub-processor arrangement.
The Arkintel platform uses only strictly necessary cookies required for the technical operation of the Services. These include:
We do not use:
Because the platform uses only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive (Directive 2002/58/EC) and the Dutch Telecommunicatiewet.
Arkintel uses Vercel Web Analytics, a privacy-friendly, cookieless analytics service provided by Vercel Inc. This service collects anonymous, aggregated usage data (such as page views, visitor counts, referring sources, and geographic regions) to help us understand how the platform is used and to improve its performance.
Vercel Web Analytics does not place cookies on your device, does not store IP addresses, and does not track individual users across sessions or websites. Because no information is stored on or read from your device, this service does not require consent under the ePrivacy Directive (Directive 2002/58/EC) or the Dutch Telecommunicatiewet. The legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR) as set out in the Legal Basis for Processing section of this policy.
| Data category | Retention period |
|---|---|
| Active account data | Duration of your use of the Services |
| Data after account termination | Deleted within 30 days, unless retention is required by law or for the defence of legal claims |
| Uploaded documents (originals) | Deleted within minutes of upload |
| Technical and security logs | Up to 12 months, then deleted or anonymised |
| Anonymised data | Retained indefinitely (no longer personal data under GDPR) |
The Arkintel platform is licensed per subscribing municipality. If a subscribing municipality ceases its use of Arkintel, all user accounts with a postcode belonging to that municipality will be terminated, and personal data will be deleted in accordance with the account termination retention period above (within 30 days). Arkintel will notify affected users by email before such termination takes effect.
Arkintel reserves the right to anonymise personal data upon or after account termination and to retain such anonymised data indefinitely for statistical, research, or product improvement purposes.
All primary data storage and backup locations are within the EEA (Delft, Netherlands and Dublin, Ireland).
The Google Gemini AI Enterprise API may process data on infrastructure outside the EEA. This transfer is governed by the EU-US Data Privacy Framework (DPF), under which Google LLC is certified (European Commission adequacy decision of 10 July 2023), and is supplemented by Standard Contractual Clauses (SCCs) between Arkintel and Google. Given the zero-retention policy (no data is stored after processing), the exposure to non-EEA jurisdictions is transient and minimal.
No other international data transfers take place.
The Services are not intended for children. You must be at least 18 years of age to use the Services, which exceeds the Dutch age of digital consent (16 years) under Article 8 GDPR and the UAVG.
Arkintel does not knowingly collect personally identifiable information from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe that we have inadvertently collected data from a minor, please contact us immediately at the privacy contact email address listed at the top of this document.
Under the General Data Protection Regulation, you have the following rights:
To exercise any of these rights, please contact Arkintel at the privacy contact email address listed at the top of this document.
Arkintel will respond to your request within one (1) month of receipt. This period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month, together with the reasons for the delay.
Arkintel may require verification of your identity before processing any request, to protect against unauthorised access to or disclosure of personal data.
Arkintel reserves the right to refuse requests that are manifestly unfounded or excessive, in particular because of their repetitive character, and may charge a reasonable administrative fee in such cases, in accordance with Article 12(5) GDPR.
If the fulfilment of a data subject request results in Arkintel being unable to provide the Services to you, Arkintel will inform you of this and may initiate termination of your account.
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. The competent supervisory authority in the Netherlands is:
Autoriteit Persoonsgegevens Postbus 93374, 2509 AJ Den Haag Website: https://autoriteitpersoonsgegevens.nl
Arkintel encourages you to contact us first so that we can attempt to resolve your concern directly.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Arkintel will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
Where the breach is likely to result in a high risk to your rights and freedoms, Arkintel will also notify you without undue delay, in accordance with Article 34 GDPR. Such notification is not required where:
Arkintel keeps this privacy policy under regular review and will place any updates on this page. The "Version" and "date" fields at the top of this document indicate the current version and effective date.
In the case of material changes that affect your rights or the way your data is processed, we will inform you by email at least fourteen (14) days before the updated policy takes effect. The determination of whether a change is material is at the sole discretion of Arkintel.
For material changes that adversely affect your rights, you will be given the opportunity to reject the changes by terminating your account before the effective date without penalty. If you do not agree with the revised policy, you may terminate your account and request deletion of your data in accordance with the Data Retention section.
Your continued use of the Services after the updated privacy policy takes effect constitutes acceptance of the changes.
The Services may contain links to other websites or services. Arkintel is not responsible for the privacy practices or content of any third-party websites. We advise you to review the privacy policies of any external websites before providing personal information to them.
This privacy policy is governed by the laws of the Netherlands and the General Data Protection Regulation (EU) 2016/679. For dispute resolution, please refer to the Governing Law and Dispute Resolution section of our Terms of Service.
Nothing in this privacy policy limits your right to lodge a complaint with the Autoriteit Persoonsgegevens or to bring proceedings before the courts of your habitual residence in accordance with Article 79 GDPR.