Privacy Policy

Last Updated: 2026-04-21 | Effective Date: 2025-09-21

1. Data Controller Information

Data Controller: AI-rudder (operated by Alexandru Serbanati)
Address: Brussels, Belgium
Email: [email protected]
Website: ai-rudder.com

2. What Information We Collect

When you complete our AI Readiness Assessment survey, we collect:

Personal Information

  • Contact Details: Name, surname, email address, company name
  • Survey Responses: All answers provided in the AI readiness assessment questionnaire
  • Technical Information: IP address, browser type, device information (automatically collected)

How We Collect Information

  • Directly from you: Through the survey form hosted on Microsoft Forms and the contact form on our website
  • Automatically: Technical information collected when you access our survey or website

3. Legal Basis for Processing

  • Contract Performance (Article 6(1)(b) GDPR): To deliver your requested AI readiness report and respond to inquiries
  • Consent (Article 6(1)(a) GDPR): For marketing communications (separate opt-in required)
  • Legitimate Interest (Article 6(1)(f) GDPR): For business analytics and service improvement

4. How We Use Your Information

Primary Purposes

  • Report Generation: Create and deliver your personalized AI readiness assessment report
  • Service Delivery: Analyze your survey responses to provide tailored insights and recommendations
  • Communication: Send you the requested report and respond to any questions

Secondary Purposes (Legitimate Interest)

  • Service Improvement: Analyze aggregated, anonymized data to enhance our assessment methodology
  • Business Development: Understand market needs and improve our service offerings
  • Marketing Communications: Send information about AI strategy insights and AI-rudder services (only with your explicit consent)

AI Processing

We may use artificial intelligence tools to analyze survey responses and generate insights for your personalized report.

5. Data Sharing and Third Parties

We do not sell, rent, or share your personal data with third parties for their own purposes. We use the following service providers to deliver our services:

Service Providers (Data Processors)

  • Microsoft Corporation (Microsoft 365): Survey hosting, secure data storage, internal communication, and automated document generation
  • Internal Analytics Tools: Custom-built analytics tools operated exclusively within our Microsoft 365 tenant

All service providers are bound by data processing agreements and GDPR compliance requirements.

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority.

6. International Data Transfers

Your data is processed within the European Union (Belgium) and by Microsoft Corporation under appropriate safeguards:

  • Microsoft 365 Services: Protected by Microsoft's Data Protection Addendum and EU Standard Contractual Clauses
  • Adequacy Decisions: We only transfer data to countries with adequate data protection as recognized by the European Commission

7. Data Retention

We retain your personal data for:

  • Non-clients: 3 years from the date of survey completion
  • Clients: For the duration of our business relationship plus 7 years for legal and accounting requirements
  • Marketing Consent: Until you withdraw consent or after 3 years of inactivity

You can request earlier deletion at any time (see Your Rights section).

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Data encrypted in transit and at rest
  • Access Control: Limited access to authorized personnel only
  • Microsoft Security: Leveraging Microsoft 365's enterprise-grade security infrastructure
  • Regular Updates: Continuous monitoring and updating of security measures

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15)

Request a copy of personal data we hold about you

Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Article 17)

Request deletion of your personal data under certain circumstances

Right to Restrict Processing (Article 18)

Limit how we use your personal data under certain circumstances

Right to Data Portability (Article 20)

Receive your personal data in a structured, machine-readable format

Right to Object (Article 21)

Object to processing based on legitimate interest or for marketing purposes

Right to Withdraw Consent (Article 7)

Withdraw consent for marketing communications at any time

How to Exercise Your Rights

Email us at [email protected] with:

  • Clear identification of yourself
  • Specific request details
  • Proof of identity (if required)

We will respond within 30 days of receiving your request.

10. Marketing Communications

Opt-in Requirement

We will only send marketing communications if you explicitly opt-in by checking the marketing consent checkbox in the survey.

Unsubscribe

You can unsubscribe from marketing emails at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Emailing [email protected]
  • Contacting us through our website

11. Cookies and Tracking

Our Website

We do not use cookies or tracking technologies on our main website.

Microsoft Forms

Microsoft Forms may use cookies for functionality and security. Please refer to Microsoft's Privacy Policy for details.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.

13. Geographic Scope

This service is primarily designed for businesses in the European Union, particularly Belgium and surrounding regions. However, we acknowledge that our online survey may be accessible worldwide.

14. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending email notification to survey participants (if we have your consent for communications)

15. Complaints and Supervisory Authority

If you believe we have not handled your personal data appropriately, you can:

  1. Contact us directly: [email protected]
  2. File a complaint with the Belgian Data Protection Authority:

16. Course Registration

This section describes how we process personal data submitted through the course application form on our website.

Data Collected

  • Full name
  • Email address
  • Country of residence or establishment
  • Applicant type (business or individual)
  • Company name (business applicants only)
  • VAT number (EU business applicants only)
  • Professional purpose declaration — checkbox acknowledgement that the application is submitted for professional use
  • Application note — free-text description of professional background and motivation, provided by the applicant

Purpose and Legal Basis

  • Applicant vetting — Determining fit for the cohort and tax eligibility. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Invoicing and tax compliance (accepted applicants only) — Issuing a compliant invoice and applying the correct VAT treatment under Belgian law. Legal basis: contract performance (Art. 6(1)(b) GDPR).
  • Legal record-keeping (accepted applicants only) — Retaining invoicing records as required by Belgian accounting law. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

Data Processors

  • Microsoft Azure (EU region) — Site hosting and form intake endpoint.
  • Azure Application Insights — Operational telemetry (see "Operational Logging" below).
  • Azure Communication Services — Sends a single operator-notification email per submission.
  • Microsoft 365 — Operator mailbox where application threads are received and stored.
  • Accounting and bookkeeping service providers — Invoice generation for accepted applicants.

All processors operate within the EU or under equivalent Art. 46 GDPR safeguards.

Retention

  • Rejected applications — Deleted from the operator mailbox within 30 days of the decision. No invoice is issued; no tax record is kept.
  • Future cohort notification — Declined applicants who explicitly request (via the decline email exchange with the operator) to be notified when a future cohort opens have their contact details retained for up to 12 months from the decline decision, or until the next cohort's application period closes, whichever comes first. Withdrawable at any time by contacting [email protected].
  • Accepted applications — Invoices, VIES evidence, and relevant correspondence retained for 7 years from the invoice date, as required by Belgian accounting law (Art. 6(1)(c) GDPR).

Operational Logging

Azure Functions and Application Insights capture incidental request metadata (IP address, user-agent, request timestamp) for operational, security, and abuse-prevention purposes. This data is retained for no longer than 30 days and is not linked to application content for any purpose other than detecting abuse. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

No Automated Decisions

No automated decisions are made about applicants. All follow-up communication is manual, initiated by the operator after human review.

No Marketing Use

Application data is used solely for vetting, acceptance/decline communication, and invoicing. It is not used for marketing purposes. Any future marketing activity would require separate consent under Art. 6(1)(a) GDPR.

Transport Security

All form submissions are transmitted over TLS. The site uses no cookies, analytics, or tracking scripts — no cookie consent banner is required.

17. Contact Information

For any privacy-related questions or requests:

Privacy Contact: [email protected]
Data Controller: AI Rudder (operated by Alexandru Serbanati)
Business Address: Brussels, Belgium