Privacy Notice - Scrydon BV

Last updated: May 2026 | Version: 2.0

• Controller: Scrydon BV
• Address: Zonnestraat 93, 9100 Nieuwkerken-Waas, Belgium
• Enterprise number: BE 1034.697.119
• DPO / Privacy contact: Cornelia Kutterer — [email protected]
• Supervisory authority: Gegevensbeschermingsautoriteit (GBA) — www.gegevensbeschermingsautoriteit.be

1. Who We Are

Scrydon BV (“Scrydon”, “we”, “us”) is a Belgian company incorporated under Belgian law, with registered office at Zonnestraat 93, 9100 Nieuwkerken-Waas, Belgium (enterprise number BE 1034.697.119). We provide a European-native sovereign AI and data platform covering Agentic AI, Analytics, and sovereign infrastructure.

This Privacy Notice explains how we process personal data when you visit our website (scrydon.com), use our platform, or interact with us as a customer, prospect, or job applicant. It is written in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable Belgian data protection law.

Scrydon is established in Belgium and is subject to GDPR as an EU-established controller. Our lead supervisory authority is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit).

2. What Personal Data We Collect and Why

2.1 Website visitors

When you visit scrydon.com, we process the following data:

Data	Purpose	Legal basis	Retention
IP address; pages visited; browser type; referring URL; visit duration	Website security; understanding how visitors use our site; improving content	Art. 6(1)(f) GDPR — legitimate interests (website security and improvement)	90 days for server logs; analytics data retained in aggregate form only

Scrydon uses two types of cookies on scrydon.com: strictly necessary cookies and analytical cookies. Analytical cookies are only placed with your prior consent — you will be asked via a cookie banner when you first visit the site. You can change your preferences at any time through the cookie banner or your browser settings.

2.2 Contact form and email enquiries

• Data: Name; email address; organisation; message content; any additional information you provide
• Purpose: Responding to your enquiry; following up where appropriate
• Legal basis: Art. 6(1)(f) GDPR — legitimate interests (responding to business enquiries)
• Retention: 2 years from last contact, or until you ask us to stop

2.3 Prospects and marketing contacts

• Data: Name; email address; job title; organisation; sector; country; communication preferences; event attendance records
• Purpose: Sending relevant communications about Scrydon products and services; event follow-up; business development
• Legal basis: Art. 6(1)(f) GDPR — legitimate interests (B2B marketing to professionals in relevant sectors); Art. 6(1)(a) — consent where specifically obtained
• Retention: 3 years from last meaningful engagement, or until you opt out

You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us at [email protected].

2.4 Platform customers — account and licence management

If your organisation uses the Scrydon platform, we process personal data of account holders and Authorised Users for the purpose of administering your organisation’s account and licence relationship with us:

• Data: Names; email addresses; job titles; organisation name; billing contact details; account credentials (hashed); communication records; licence and subscription data
• Purpose: Account administration; licence management; billing; customer support; platform communications
• Legal basis: Art. 6(1)(b) GDPR — performance of contract; Art. 6(1)(c) — legal obligation (invoicing, VAT records)
• Retention: Duration of the customer relationship plus 7 years (Belgian statutory accounting retention requirement)

Important: Scrydon does not access, host, store, or process your organisation’s operational data. In all deployment modes (air-gapped, on-premises, cloud), your data remains within your own infrastructure. Scrydon provides the platform software and governance layer only. No data processing agreement (DPA) between Scrydon and your organisation is required for platform use, as Scrydon does not act as a data processor for your operational data.

2.5 Job applicants

• Data: Name; contact details; CV / résumé; cover letter; employment history; qualifications; references; any additional information you provide during the recruitment process
• Purpose: Evaluating your application; conducting interviews; making a hiring decision
• Legal basis: Art. 6(1)(b) GDPR — steps prior to entering a contract; Art. 6(1)(f) — legitimate interests (evaluating candidates)
• Retention: 6 months after the end of the recruitment process if unsuccessful; duration of employment plus 5 years if successful

2.6 Employees, contractors, and seconded personnel

We process personal data of our employees, contractors, and seconded personnel for HR administration, payroll, access management, and compliance purposes. This processing is governed by separate agreements (employment contracts, contractor agreements, or secondment addenda). For details, please contact [email protected].

3. Who We Share Your Data With

We share personal data only where necessary and with appropriate safeguards in place:

• SD Worx — Payroll processor (Belgium); processes employee payroll data under a DPA
• Yuki — Accounting and invoicing software (Belgium); processes financial and billing data; ISAE 3402 certified; hosted on AWS Frankfurt and Dublin (EU)
• Microsoft (M365 / Azure / Entra / Intune) — Modern workplace, cloud infrastructure, identity management, and device management; EU data residency; DPA in place
• GitHub (Microsoft) — Source code repository; Standard Contractual Clauses in place
• Vanta — Compliance monitoring platform; EU instance (app.eu.vanta.com); processes names, email addresses, and training completion records of Scrydon personnel only
• Anthropic (Claude) — AI-assisted development tool used internally by Scrydon developers; acts as independent controller under its own privacy policy; Scrydon’s policy strictly prohibits inputting customer personal data into AI tools

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

4. International Transfers

Scrydon is a Belgian company and our primary data processing is within the EU/EEA. Where we use services that involve transfers outside the EEA (GitHub/Microsoft — US), we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism. Anthropic (Claude) is a US-based company; our policy minimises personal data in AI tool prompts and we are monitoring developments in EU-US data transfer frameworks.

5. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you (Art. 15)
• Right to rectification: Ask us to correct inaccurate or incomplete data (Art. 16)
• Right to erasure: Ask us to delete your data in certain circumstances (Art. 17)
• Right to restriction: Ask us to restrict processing in certain circumstances (Art. 18)
• Right to portability: Receive your data in a structured, commonly used format (Art. 20)
• Right to object: Object to processing based on legitimate interests or for direct marketing (Art. 21)
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with the Belgian Data Protection Authority: www.gegevensbeschermingsautoriteit.be.

6. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption at rest and in transit, multi-factor authentication, role-based access controls, regular security training, and an ISO 27001 controls programme. We will notify the Belgian Data Protection Authority of any personal data breach within 72 hours where required by GDPR, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

7. Cookies

Scrydon uses only strictly necessary cookies on scrydon.com. These cookies are essential for the website to function properly and cannot be switched off. They do not collect personal data for marketing or tracking purposes and do not require your consent under applicable Belgian and EU law.

Cookie type	Purpose	Consent required	Third-party cookies
Strictly necessary	Session management; website security	No consent required	None
Analytical (Matomo — with consent only)	Understanding how visitors use our site to improve content and services	Consent required — only placed after you accept via the cookie banner	None — Matomo is self-hosted on Scrydon’s infrastructure

Matomo is self-hosted on Scrydon’s own servers — no data is sent to any third-party analytics provider. Matomo is configured without IP address collection; only approximate region-level location is recorded. This configuration is consistent with CNIL and other EU supervisory authority guidance on privacy-friendly analytics. No advertising or cross-site tracking cookies are used.

8. Changes to This Notice

We may update this Privacy Notice from time to time. The “Last updated” date at the top indicates when changes were made. Material changes will be communicated to customers and where required by law. We encourage you to review this notice periodically.

9. Contact Us

If you have any questions about this Privacy Notice or how we handle your personal data, please contact:

Cornelia Kutterer — CLO / DPO / AI Governance Lead
Email: [email protected]
Scrydon BV, Zonnestraat 93, 9100 Nieuwkerken-Waas, Belgium

You may also contact the Belgian Data Protection Authority: www.gegevensbeschermingsautoriteit.be

This Privacy Notice is published at scrydon.com/privacy-policy and reviewed annually or upon material change to Scrydon’s processing activities. Version 2.0 — May 2026.

Previous version: Version 1.0 — January 2026.