Privacy policy

Last updated: 2026-05-24

This privacy policy describes how Axxaes BV ("Decisionmaker") processes personal data in connection with the website https://decisionmaker.ceo and the related platform at https://app.decisionmaker.ceo. Processing is carried out in accordance with the General Data Protection Regulation (GDPR) and applicable Belgian implementing legislation.

Contents
  1. Categories of personal data
  2. Purposes and legal basis
  3. Processors and transfers outside the EEA
  4. Retention
  5. Security
  6. Data-subject rights
  7. Cookies
  8. Complaints
  9. Changes to this policy
  10. Contact
  • Axxaes BV
  • Registered office: Rauwelkoven 87D, 2440 Geel, Belgium
  • VAT nbr: BE0819863202

1. Categories of personal data

1.1 Website visitors

  • Technical data: IP address (typically pseudonymised or hashed), user-agent, browser language, screen resolution.
  • Visit data: pages viewed, timestamp, referrer, UTM parameters.
  • Data submitted via contact or intake forms: name, email, organisation, subject and message body.

1.2 Platform users

  • Identification data: name, email, optional phone number, language preference, time zone.
  • Authentication data: identifiers and session tokens managed by an external authentication provider.
  • Workspace data: organisation, role, team, department.
  • Content created within the platform: decision dossiers, options, rationale, evaluations, comments, attachments.
  • Activity logs for security, troubleshooting and billing.

1.3 Customers and prospects

  • Name, email, organisation, role and correspondence.
  • Billing and payment status for subscriptions.

2. Purposes and legal basis

PurposeLegal basis (GDPR Art. 6)
Delivery of the Decisionmaker service to the customerPerformance of a contract (Art. 6(1)(b))
Customer-relationship management, billing and accountingLegal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f))
Security, fraud prevention and loggingLegitimate interest (Art. 6(1)(f))
Product improvement and aggregated analyticsLegitimate interest (Art. 6(1)(f))
Responding to contact requestsLegitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where applicable
Sending transactional emails (registration, password reset, intake confirmation)Performance of a contract (Art. 6(1)(b))
Sending commercial communicationsConsent (Art. 6(1)(a)) or existing customer relationship within the legal exception

3. Processors and transfers outside the EEA

To deliver the service, Decisionmaker relies on processors who process personal data on instruction and under the responsibility of the controller. A data-processing agreement (DPA) under Article 28 GDPR is in place with each processor.

The main processors are:

ProcessorFunctionLocation
DigitalOceanApplication and database hostingEU (Amsterdam) — data within the EEA
AuthentikAuthentication and session management (self-hosted by Decisionmaker)EU (Amsterdam) — data within the EEA
Brevo (Sendinblue)Transactional and marketing emailEU (France)
OpenAIAI features within the platformUSA — transfer based on SCCs; no training on customer data (API tier)
Anthropic (Claude)AI features within the platformUSA — transfer based on SCCs; no training on customer data (Workbench / API tier)
MolliePayment processing (cards, SEPA)EU (Netherlands)
BillitInvoicing and VAT complianceEU (Belgium)
Microsoft ClarityAnonymised session analytics on the marketing site only — loaded after explicit cookie consentUSA — transfer based on SCCs; not active on the in-app surface

Customers may request a copy of the Data Processing Agreement at support@decisionmaker.ceo.

For transfers outside the European Economic Area, appropriate safeguards are in place, such as the European Commission's standard contractual clauses and supplementary technical measures where necessary.

4. Retention

  • Active customer data is retained for the duration of the contract and afterwards for up to ten years to comply with bookkeeping obligations.
  • Content created within the platform is retained while the workspace is active. Following termination, data is deleted or anonymised within 90 days, subject to statutory retention requirements.
  • Contact requests are retained for up to twelve months after the last interaction, unless the relationship leads to a customer relationship.
  • Security and debugging logs are retained for a maximum of eighteen months.
  • Visit and analytics data are retained for a maximum of twenty-four months in aggregated or pseudonymised form.

5. Security

Appropriate technical and organisational measures are in place to protect personal data against accidental loss, unauthorised access, disclosure or destruction. These measures include encryption in transit (TLS 1.2+), database encryption at rest, role-based access control, logging of administrative activity, and periodic security reviews.

6. Data-subject rights

Under the GDPR, the data subject has the following rights:

  • Right of access to the personal data being processed.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure in the cases provided for by law.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on a legitimate interest.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

These rights can be exercised by sending a request to privacy@decisionmaker.ceo, accompanied by a reasonable form of identification. A response will be provided within one month, subject to the extension provided for in the GDPR.

7. Cookies

The use of cookies and similar technologies is described in the cookie policy.

8. Complaints

Complaints about the processing of personal data can be addressed to the controller at privacy@decisionmaker.ceo. The data subject also has the right to lodge a complaint with the Belgian Data Protection Authority (DPA) at https://www.gegevensbeschermingsautoriteit.be.

9. Changes to this policy

This privacy policy may be updated to remain in line with legal requirements or service developments. The date at the top of the page reflects the latest version. Material changes are communicated to active users in advance.

10. Contact

For questions about this privacy policy or about the processing of personal data: