Privacy Policy

The data controller is: Slimme Fabriek (trade name of Olé. Media) Veldstraat 45 6039 EB Stramproy The Netherlands Chamber of Commerce (KVK): 99640759 Email: info@slimmefabriek.nl Phone: +31 6 37 28 13 86 For questions about this privacy policy or the processing of your personal data, please contact us using the details above.

We process your personal data for the following purposes and on the following legal bases (Art. 6 GDPR): Performance of the contract (Art. 6(1)(b) GDPR): • Providing access to our SaaS platform and its features. • Creating and managing your user account. • Processing payments and invoicing. • Providing customer service and technical support. Legitimate interest (Art. 6(1)(f) GDPR): • Improving our services based on anonymized usage statistics. • Securing our platform and preventing fraud. • Conducting internal analyses and reporting. Consent (Art. 6(1)(a) GDPR): • Sending newsletters and marketing communications (only after explicit consent). • Placing non-essential cookies (see our Cookie Policy). Legal obligation (Art. 6(1)(c) GDPR): • Complying with fiscal and accounting obligations. • Complying with requests from competent authorities.

Depending on your use of our services, we may process the following categories of personal data: Contact details: • Name, address, email, phone number. Company details: • Company name, registration number, VAT number, billing details. Account details: • Username, encrypted password, user role, language preference. Technical data: • IP address, browser type and version, operating system, device type. • Platform usage logs (login times, page visits, error messages). Platform data: • Data you enter into the platform (work instructions, training materials, alarm logs). • Configuration settings and usage preferences. Communication data: • Content of messages via contact forms, email, or chat. We do not collect special categories of personal data (such as data about health, race, political opinions, or sexual orientation).

We do not retain your personal data longer than strictly necessary for the purposes for which they are processed: • Account data: for the duration of your subscription plus 12 months after termination. • Billing data: 7 years (statutory fiscal retention obligation). • Technical log files: maximum 12 months. • Contact form messages: maximum 24 months. • Anonymized usage statistics: indefinitely (not traceable to individuals). After the retention period expires, your data will be securely deleted or anonymized.

We take the protection of your data seriously and implement appropriate technical and organizational measures to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized modification. Our security measures include: • Encryption of data in transit (TLS 1.2+) and at rest (AES-256). • Strict role-based access controls (RBAC). • Multi-tenant architecture with full data isolation between customers. • Periodic security audits and penetration tests. • Two-factor authentication (2FA) for administrator accounts. • Hosting within the European Union (EU) at GDPR-compliant hosting providers. • Incident response plan for data breaches in accordance with Art. 33 and 34 GDPR.

We do not sell your data to third parties. We only share personal data in the following cases: • Processors: Companies that process data on our behalf (such as hosting providers, payment service providers, and email service providers). We have entered into a data processing agreement with all these parties. • Legal obligation: If we are required to do so by law or court order. • Business transfer: In the event of a merger, acquisition, or sale of business activities, where your data is part of the transfer. Our current processors are located within the European Economic Area (EEA). If data is processed outside the EEA in the future, we will implement appropriate safeguards in accordance with Chapter V of the GDPR (such as Standard Contractual Clauses).

Your personal data is generally processed and stored within the European Economic Area (EEA). If transfer to countries outside the EEA is necessary, we ensure an appropriate level of protection through: • An adequacy decision by the European Commission; or • Standard Contractual Clauses (SCCs) approved by the European Commission; or • Other appropriate safeguards as referred to in Art. 46 GDPR. For our Cloud AI services, we use AI models hosted on secure EU servers. For Enterprise customers, we offer the option to run AI entirely locally (Edge).

Under the GDPR, you have the following rights regarding your personal data: • Right of access (Art. 15): You can request which data we process about you. • Right to rectification (Art. 16): You can have incorrect or incomplete data corrected. • Right to erasure (Art. 17): You can request deletion of your data ('right to be forgotten'). • Right to restriction (Art. 18): You can request restriction of processing. • Right to data portability (Art. 20): You can receive your data in a structured, commonly used, and machine-readable format. • Right to object (Art. 21): You can object to processing based on legitimate interests. • Right to withdraw consent (Art. 7): If processing is based on consent, you can withdraw it at any time. You can submit your request by email to info@slimmefabriek.nl. We will respond to your request within 30 days. We may ask you to verify your identity to prevent misuse.

For our AI features (such as the AI Assistant and Predictive Maintenance), we use advanced language models and machine learning. We follow a strict 'Privacy-First' approach: • Data minimization: Messages are anonymized and stripped of company names or specific identifiers before processing by AI models. • No Training on your Data: We exclusively use Enterprise versions of AI models with contractual guarantees that your data is NOT used to train third-party models. • On-Premise Option: For Enterprise customers, we offer the option to run AI models locally (Edge), so no data leaves the factory. • Transparency: AI-generated advice is clearly marked as such. The user always retains final responsibility for decisions. • Logging: Interactions with AI features are logged for quality improvement and audit purposes, but are deleted after a maximum of 12 months.

Our platform uses automated analyses (e.g., anomaly detection, predictive maintenance). These analyses are supportive in nature and do not lead to decisions with legal effects for natural persons within the meaning of Art. 22 GDPR. Human operators always retain final responsibility for operational decisions.

Our services are aimed at businesses (B2B) and not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child, we will delete it as soon as possible.

If you have a complaint about the processing of your personal data, we kindly ask you to first contact us at info@slimmefabriek.nl so that we can work together to find a solution. Additionally, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): Autoriteit Persoonsgegevens P.O. Box 93374 2509 AJ The Hague https://autoriteitpersoonsgegevens.nl

We reserve the right to modify this privacy policy. Changes will be published on this page. For substantial changes, we will inform you by email or via a notification on the platform. We recommend that you consult this policy regularly.