Privacy Policy
Version 2.0 — Effective date: 1 April 2026
Article 1 — Introduction
1.1 This Privacy Policy explains how Prevector B.V. ("Prevector", "we", "us", or "our") collects, uses, stores, shares, and protects personal data and confidential business data in connection with our website, products, and services.
1.2 Prevector provides two categories of products to business clients:
(a) Prevector Studio — a web-based platform for the generation of financial statements compliant with Dutch Generally Accepted Accounting Principles (NL GAAP). The Studio Platform processes confidential business data, including trial balance data and entity metadata, on behalf of our clients.
(b) MCP Server Products — infrastructure solutions that provide structured access to regulatory, accounting, auditing, tax, and sustainability reporting standards for use with artificial intelligence systems. MCP Server Products do not process clients' confidential business data.
1.3 Our services are exclusively provided to business clients (B2B). We do not offer products or services to consumers.
1.4 We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, "UAVG").
1.5 By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
Article 2 — Data Controller
2.1 The data controller responsible for the processing of personal data described in this Privacy Policy is:
Prevector B.V.
Registered Address: Van Sint Aldegondeplein 42, 2581 TP, The Hague, The Netherlands
Chamber of Commerce (KVK): 99409127
VAT Identification Number (BTW): NL868977202B01
2.2 For any questions or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at:
Email: privacy@prevector.ai
Article 3 — Personal Data We Collect
3.1 Website Data
When you interact with our website, we may collect the following personal data:
(a) Contact Form Submissions: name, email address, company name, and the content of your message when you submit an enquiry through our contact form.
(b) Appointment Bookings: name, email address, and scheduling preferences when you book a meeting through our calendar integration.
(c) Website Analytics: anonymised and aggregated usage data collected through privacy-friendly analytics that do not track individual users or use cookies requiring consent.
3.2 Studio Platform Data
When you use Prevector Studio, we collect and process the following categories of data:
(a) Account Information: company name, contact person name, email address, and organisation details necessary to provide access to the platform and manage your account.
(b) User Account Data: names, email addresses, and role assignments for all users within your organisation who access the platform.
(c) Client Data: all data uploaded to, generated within, or stored by the Studio Platform in connection with your use thereof. This includes:
Trial balance data (uploaded CSV or XLSX files);
Prior-year financial statements (uploaded PDF files);
Entity metadata (entity name, KvK number, RSIN, legal form, registered office, SBI activities);
Account mapping data (the confirmed mapping of trial balance accounts to taxonomy categories);
Supplemental data (maturity analyses, depreciation rates, collateral, FTE, board remuneration, and other data not derivable from the trial balance);
Compilation file data (samensteldossier fields, including Wwft/KYC confirmation references);
Generated financial statements (the complete report document, including all AI-generated text and deterministically computed financial figures);
Advisory report data (financial metrics and AI-generated advisory text);
Export files (iXBRL Report Packages and DOCX documents);
Comment threads and editor annotations.
(d) Audit Trail Data: records of all AI agent steps, model invocations, tool calls, compliance review findings, and user actions within each engagement. This data is retained for traceability, regulatory compliance, and quality assurance.
(e) Pipeline Observability Data: technical execution data for report generation, including step durations, token counts, model identifiers, and truncated input/output previews. This data is used for performance monitoring, debugging, and cost management.
3.3 MCP Server Product Data
When you use our MCP Server Products, we collect the following data:
(a) Account Information: company name, contact person name, email address, and billing information necessary to provide our services.
(b) API Credentials: authentication tokens and API keys required to access the products.
(c) Usage Metrics: information about your use of the products, including API call volumes, timestamps, and feature usage, for purposes of monitoring usage limits, billing verification, performance optimisation, and service improvement.
(d) Anonymised Query Logs: anonymised records of search queries submitted to the API, collected solely to improve search algorithms. These logs are anonymised and cannot be linked to individual clients or users.
(e) Error Logs: technical diagnostic information for troubleshooting purposes, which may temporarily include query context. Such logs do not contain your confidential business data or personal data of your end users.
3.4 Important Notice Regarding Client Data in the Studio Platform
The Studio Platform processes confidential business data belonging to your clients (the entities for which you prepare financial statements). This data may include information that, in combination with other data, could relate to identifiable natural persons (for example, director names in compilation file data, or board remuneration figures for small entities). The processing of such data is governed by the Data Processing Addendum between Prevector and you, as described in Article 6 of this Privacy Policy and in Article 11 of our General Terms and Conditions.
3.5 Important Notice Regarding MCP Server Products
Our MCP Server Products do not process, store, or have access to your confidential business data, client files, or personal data of your end users. The products function as infrastructure solutions that provide access to standardised regulatory and compliance content. Any data processed by your AI systems in connection with the use of the MCP Server Products remains solely within your systems and under your control.
Article 4 — How We Use Your Data
4.1 We process data for the following purposes:
(a) Service Delivery: to provide, maintain, and improve our products and services, including processing your engagements through the Studio Platform, managing your account, providing API access to MCP Server Products, and providing technical support.
(b) AI Processing: to process Client Data through artificial intelligence models for the purpose of generating account mapping proposals, accounting policy text, disclosure narratives, compliance review findings, and advisory reports within the Studio Platform. Details of AI processing are set out in Article 7.
(c) Deterministic Computation: to compute all financial figures, numeric tables, primary statements, and arithmetic results from confirmed account mappings and trial balance data using the Studio Platform's deterministic computation engine. This processing does not involve artificial intelligence models.
(d) Communication: to respond to your enquiries, send service-related communications, and provide information you have requested.
(e) Billing and Administration: to invoice for our services and maintain accurate financial records.
(f) Service Improvement: to analyse usage patterns (using anonymised data) to improve platform functionality and search algorithms.
(g) Security and Compliance: to protect the security and integrity of our services, detect and prevent fraud and abuse, enforce usage limits, and comply with applicable legal obligations.
(h) Legal Obligations: to comply with applicable laws, regulations, and legal processes, including Dutch statutory retention requirements.
Article 5 — Legal Basis for Processing
5.1 Under the GDPR, we process personal data based on the following legal grounds:
(a) Performance of a Contract (Article 6(1)(b) GDPR): processing necessary to perform our contractual obligations to you, including providing our products and services, managing your account, processing engagements through the Studio Platform, and processing payments.
(b) Legitimate Interests (Article 6(1)(f) GDPR): processing necessary for our legitimate business interests, including responding to enquiries, improving our services, ensuring security, monitoring usage for abuse prevention, and conducting business development activities, provided these interests are not overridden by your rights and freedoms.
(c) Legal Obligation (Article 6(1)(c) GDPR): processing necessary to comply with legal obligations, such as tax and accounting requirements under Dutch law, or to respond to lawful requests from public authorities.
5.2 We do not rely on consent as our primary legal basis for processing. Where consent is required for specific processing activities, we will obtain your explicit consent and inform you of your right to withdraw consent at any time.
Article 6 — Data Processing Addendum
6.1 Where your use of the Studio Platform involves the processing of personal data or confidential business data of your clients, Prevector acts as a data processor on your behalf. The terms of this processing are governed by the Data Processing Addendum ("DPA"), which forms an integral part of our contractual relationship.
6.2 The DPA sets out, among other things: the scope, nature, and purpose of processing; the categories of data processed; Prevector's obligations regarding security, confidentiality, and data subject rights; the approved list of sub-processors; international transfer mechanisms; and data breach notification procedures.
6.3 Clients using the Studio Platform are required to enter into the DPA before processing any data through the platform.
6.4 A copy of the DPA is available upon request at privacy@prevector.ai.
Article 7 — AI Model Data Processing
7.1 The Studio Platform uses artificial intelligence models provided by third-party AI service providers to generate textual content, including account mapping proposals, accounting policy descriptions, disclosure narratives, compliance review findings, and advisory reports.
7.2 When processing an engagement through the Studio Platform, certain Client Data is transmitted to the AI service provider for inference. This data may include: trial balance account codes, descriptions, and balances; entity metadata (entity name, legal form, registered office); confirmed account mapping categories; and contextual information necessary for text generation.
7.3 The AI service provider processes this data under the following safeguards:
(a) International Transfer Safeguards: The AI service provider is certified under the EU-US Data Privacy Framework (DPF), which has been recognised by the European Commission as providing an adequate level of data protection (Implementing Decision (EU) 2023/1795). Standard Contractual Clauses are maintained as a supplementary transfer mechanism. Client Data transmitted for AI inference may be processed outside the European Union, subject to these safeguards.
(b) Limited Retention for Abuse Monitoring: The AI service provider may temporarily retain prompts and responses for up to fifty-five (55) days solely for the purpose of abuse monitoring and policy enforcement. Such data is disconnected from Prevector's identity and account before any human review. After the retention period, data is permanently deleted.
(c) No Model Training: Client Data is not used by the AI service provider to train, improve, or fine-tune any AI models. This is contractually guaranteed under Prevector's paid service tier and the applicable Cloud Data Processing Addendum.
(d) Data Processing Addendum: Prevector has entered into a data processing addendum with the AI service provider that governs the processing of data in accordance with the GDPR.
(e) EU Data Residency Commitment: Prevector is committed to migrating AI inference to EU-only processing when technically and commercially feasible. This Privacy Policy will be updated to reflect any such migration.
7.4 All financial figures and numeric results in generated financial statements are produced by Prevector's deterministic computation engine and are not generated by AI models. AI models produce only textual content (accounting policies, narratives, and advisory commentary).
7.5 The specific AI service provider is identified in the sub-processor list in Article 8.
Article 8 — Data Sharing and Sub-Processors
8.1 Sub-Processors
We engage the following categories of sub-processors in the provision of our products and services:
| Sub-Processor | Role | Categories of Data Processed | Data Location |
|---|---|---|---|
| Google Cloud Platform (Google Ireland Limited) | Cloud infrastructure: database hosting, file storage, application hosting | All application data: account information, Client Data, audit trails, export files | EU (europe-west4, Netherlands) |
| Google AI Studio (Google Ireland Limited) | AI inference for text generation, account mapping, compliance review, advisory reports | Client Data transmitted for AI processing (trial balance data, entity metadata, mapping context) — limited retention for abuse monitoring (55 days), no model training | EU/Global (EU-US Data Privacy Framework + SCCs) |
| Clerk Inc. | User authentication and identity management | User identity data: names, email addresses, session data, organisation membership | US (EU-US Data Privacy Framework + SCCs) |
| Inngest Inc. | Asynchronous job execution for report generation pipeline | Encrypted operational data for job orchestration — all step execution data is encrypted end-to-end before transmission; Inngest cannot access plaintext content | US (EU-US Data Privacy Framework + SCCs) |
| Framer B.V. | Website hosting and analytics | Anonymised website usage data only | EU (Netherlands) |
8.2 KVK (Kamer van Koophandel)
The Studio Platform queries the KVK Basisprofiel API to retrieve publicly available entity metadata (legal form, RSIN, SBI activities, registered office) based on the KvK number provided by the client. This data is publicly available register data and does not constitute a transfer of personal data.
8.3 Professional Advisers
We may share personal data with accountants, legal advisers, and other professional service providers as necessary for the operation of our business.
8.4 Public Authorities
We may disclose personal data to government agencies, regulators, or other authorities where required by law or to protect our legal rights.
8.5 Contractual Safeguards
All sub-processors are contractually bound to process data only on our instructions and in accordance with applicable data protection laws. We have entered into data processing agreements with sub-processors where required under the GDPR.
8.6 No Sale of Data
We do not sell, rent, or trade personal data or Client Data to third parties for their marketing purposes or for any other purpose.
8.7 Changes to Sub-Processors
We will notify clients of any intended changes to our sub-processors in accordance with the Data Processing Addendum. An up-to-date list of sub-processors is maintained at prevector.ai/legal or is available upon request at privacy@prevector.ai.
Article 9 — International Data Transfers
9.1 EU-Based Infrastructure
The primary infrastructure for our products is hosted within the European Union. Our database (Cloud SQL), file storage (Google Cloud Storage), and application servers (Cloud Run) are located in the EU (europe-west4, Netherlands). All Client Data at rest is stored within the EU.
9.2 Transfers Outside the EU/EEA
Certain sub-processors process data on infrastructure that may be located outside the European Economic Area. Specifically, AI inference (Google AI Studio), user authentication (Clerk Inc.), and asynchronous job execution (Inngest Inc.) may involve processing outside the EU. For these transfers, we rely on the following legal mechanisms to ensure an adequate level of protection:
(a) EU-US Data Privacy Framework (DPF): Google LLC, Clerk Inc., and Inngest Inc. are certified under the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing an adequate level of data protection (Implementing Decision (EU) 2023/1795).
(b) Standard Contractual Clauses (SCCs): In addition to the DPF, we maintain Standard Contractual Clauses approved by the European Commission as a supplementary safeguard for international data transfers.
(c) Google Cloud Data Processing Addendum: AI inference via Google AI Studio is governed by the Google Cloud Data Processing Addendum (CDPA), which includes contractual commitments regarding data protection, confidentiality, and sub-processor management.
9.3 Encryption in Transit
All data transmitted to sub-processors outside the EU is encrypted in transit using TLS 1.2 or higher. For Inngest, step execution data is additionally encrypted end-to-end at the application level before transmission, ensuring that the sub-processor cannot access plaintext content.
9.4 EU Data Residency Commitment
Prevector is committed to migrating AI inference processing to EU-only infrastructure when technically and commercially feasible. This Privacy Policy will be updated to reflect any such migration.
9.5 Future Changes
In the event that international transfers to new jurisdictions or new sub-processors become necessary, we will ensure that appropriate safeguards are in place and will update this Privacy Policy accordingly.
Article 10 — Data Retention
10.1 We retain data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws. Our retention periods are as follows:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Contact form submissions | Until the enquiry is resolved; if you become a client, retained for the duration of the relationship plus seven (7) years | Dutch statutory retention (AWR Art. 52) |
| Client account data | Duration of the contractual relationship plus seven (7) years | Dutch statutory retention (AWR Art. 52) |
| Client Data (Studio Platform) | Duration of the contractual relationship plus seven (7) years | Dutch statutory retention (AWR Art. 52); contractual obligation |
| Audit trail data | Duration of the contractual relationship plus seven (7) years | Regulatory traceability; contractual obligation |
| Pipeline observability data | Twenty-four (24) months | Legitimate interest (performance monitoring, debugging) |
| MCP Server usage metrics | Twenty-four (24) months | Legitimate interest (billing verification, capacity planning) |
| Anonymised query logs | Twelve (12) months | Legitimate interest (service improvement) |
| Error logs | Six (6) months | Legitimate interest (troubleshooting, diagnostics) |
| Export files (iXBRL, DOCX) | Duration of the contractual relationship plus seven (7) years | Dutch statutory retention (AWR Art. 52) |
10.2 After the applicable retention period expires, data is securely deleted or anonymised.
10.3 Clients may request earlier deletion of specific Client Data, subject to applicable statutory retention obligations. We will comply with such requests within thirty (30) days, except to the extent that retention is required by law.
Article 11 — Your Rights
11.1 Under the GDPR, you have the following rights regarding your personal data:
(a) Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data and information about how it is processed.
(b) Right to Rectification (Article 16 GDPR): You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
(c) Right to Erasure (Article 17 GDPR): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. This right is subject to applicable statutory retention obligations.
(d) Right to Restriction (Article 18 GDPR): You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
(e) Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
(f) Right to Object (Article 21 GDPR): You have the right to object to processing of your personal data based on legitimate interests, including direct marketing.
(g) Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
(h) Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Studio Platform does not make automated decisions with legal or similarly significant effects; all output requires review and approval by the client before use.
11.2 To exercise any of these rights, please contact us at privacy@prevector.ai. We will respond to your request within one (1) month of receipt. In certain circumstances, this period may be extended by two (2) additional months, in which case we will inform you of the extension and the reasons for the delay within one (1) month of receipt.
11.3 We may request verification of your identity before processing your request to ensure the security of personal data.
11.4 Where you are exercising rights on behalf of your clients' data subjects in relation to Client Data processed through the Studio Platform, please refer to the procedures set out in the Data Processing Addendum.
Article 12 — Cookies and Website Analytics
12.1 Our website uses privacy-friendly analytics that do not require cookie consent. These analytics:
(a) do not use tracking cookies or similar technologies that require consent;
(b) do not track individual users across websites;
(c) collect only anonymised and aggregated usage statistics;
(d) are used solely to understand how visitors use our website and to improve our content.
12.2 Our website may use strictly functional cookies that are essential for the operation of the website and do not require consent under applicable law. These may include cookies for session management and security purposes.
12.3 We do not use marketing cookies, advertising cookies, or third-party tracking technologies on our website.
Article 13 — Security Measures
13.1 We implement appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure, or destruction. These measures include:
(a) Encryption: All data in transit is protected using TLS/HTTPS encryption. Data at rest is encrypted using industry-standard encryption. Step execution data transmitted to asynchronous job processing services is additionally encrypted at the application level.
(b) Access Controls: Access to personal data and Client Data is restricted to authorised personnel on a need-to-know basis. API access is protected by secure authentication mechanisms. All user access is scoped to the user's organisation; users from one organisation cannot access data belonging to another organisation.
(c) Organisation-Scoped Data Isolation: All Client Data within the Studio Platform is isolated at the organisation level. Every database query, file storage path, and API response is scoped to the authenticated user's organisation. There is no shared namespace between organisations.
(d) Infrastructure Security: Our infrastructure is hosted on Google Cloud Platform in the European Union, which maintains industry-standard security certifications including ISO 27001 and SOC 2.
(e) Audit Trail: All AI agent interactions, model invocations, and significant system events are logged and traceable per engagement, providing a complete chain of provenance for generated content.
(f) Incident Response: We maintain procedures to detect, investigate, and respond to security incidents and data breaches.
13.2 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Articles 33 and 34 of the GDPR.
Article 14 — Business Contact Data
14.1 We may use business contact information obtained from public sources or professional networking to contact potential clients about our services. This processing is based on our legitimate interest in conducting business development activities.
14.2 You can opt out of such communications at any time by contacting us at privacy@prevector.ai or by using any unsubscribe mechanism provided in our communications.
Article 15 — Changes to This Privacy Policy
15.1 We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations.
15.2 Material changes to this Privacy Policy will be communicated to you via email (if we have your email address) and will be published on our website at least thirty (30) days prior to the effective date of the changes.
15.3 We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. The date of the most recent revision is indicated at the top of this Privacy Policy.
Article 16 — Contact and Complaints
16.1 If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
Prevector B.V.
Email: privacy@prevector.ai
Website: www.prevector.ai
16.2 We will make every effort to resolve any complaints or concerns you may have regarding the processing of your personal data.
16.3 If you are not satisfied with our response, or if you believe that we are processing your personal data in violation of applicable data protection laws, you have the right to lodge a complaint with the competent supervisory authority. In the Netherlands, this is:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ The Hague
The Netherlands
Website: www.autoriteitpersoonsgegevens.nl
Telephone: +31 (0)70 888 8500
Article 17 — Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws principles.
— End of Privacy Policy —