GDPR & Data Processing

Compliance Overview

Our GDPR Commitments

🇳🇱

EU-Based Hosting

All data stored in Netherlands (EU). No transfers outside EEA without SCCs.

✓ Compliant

🔒

Privacy by Design

Data minimization, purpose limitation, and security built into the architecture.

✓ Implemented

📋

DPA Available

Data Processing Agreement available for enterprise customers upon request.

✓ Available

🚫

No Ads, No Tracking

No advertising networks, no third-party trackers, no data selling.

✓ Confirmed

🗑️

Right to Erasure

Delete your account and all data at any time. 30-day final deletion cycle.

✓ Supported

📤

Data Portability

Export your data in machine-readable format on request within 30 days.

✓ Available

Roles

Controller & Processor Roles

🏢

SaaS / Individual Users

For direct users of app.hubrix.ai, Hubrix Consulting VOF acts as Data Controller. We determine the purposes and means of processing your personal data.

🔧

Enterprise / Company Accounts

For enterprise customers deploying Hubrix for their organization, the customer acts as Data Controller and we act as Data Processor. A DPA is required.

Article 32 GDPR

Technical & Organizational Measures

We implement the following security measures as required by GDPR Article 32:

🔐

Encryption in Transit

TLS 1.2/1.3 enforced for all connections. Let's Encrypt certificates with auto-renewal. HSTS headers.

🗄️

Encryption at Rest

PostgreSQL database on encrypted disk. Passwords hashed with bcrypt. API keys stored as SHA256 hashes only.

🛡️

Access Controls

Row-Level Security (RLS) on 13 database tables. JWT HttpOnly cookies. Multi-tier admin hierarchy.

🧪

Regular Testing

83/83 automated tests (100% passing). Security test suite covers auth, XSS, injection, rate limiting, and billing.

💾

Backup & Recovery

Daily encrypted backups to EU-based Grafana server. 10 local + 30 remote copies. Tested recovery procedures.

📊

Monitoring

Grafana monitoring for uptime, API requests, and system health. Rate limiting and anomaly detection via Redis.

Article 28 GDPR

Sub-Processors

We use the following sub-processors. Enterprise customers are notified of new sub-processors with 30 days notice.

Sub-Processor	Purpose	Location	Safeguard
Anthropic	AI model processing (Claude)	USA	Zero Data Retention (ZDR) agreement, SCCs
OpenAI	AI model processing (GPT-4o, Whisper)	USA	Enterprise ZDR agreement, SCCs
Google (Gemini)	AI model processing (Gemini Flash)	USA/EU	EU data processing terms, SCCs
ElevenLabs	Text-to-speech audio generation	USA	SCCs — audio not retained
Stripe	Payment processing	USA/EU	Stripe DPA, SCCs, PCI-DSS compliant
Resend	Transactional email delivery	EU	Resend DPA — email not retained beyond delivery
Hetzner	Server infrastructure (primary)	Netherlands (EU)	ISO 27001 certified, GDPR DPA
Google OAuth	SSO and Drive connector authentication	USA/EU	Optional — only if you connect Google account
Microsoft Azure	SSO and OneDrive/SharePoint authentication	USA/EU	Optional — only if you connect Microsoft account

For AI providers (Anthropic, OpenAI, Google), query content is processed under Zero Data Retention agreements where available — meaning prompts are not used for model training and are not retained after processing.

Data Flows

What Data Flows Where

Your documents, prompts, and responses are stored on our EU server (Netherlands). Only the content of AI queries is transmitted to AI providers. No personal account information is sent to AI providers.

Account data — Stays on our Netherlands server only
AI query content — Sent to selected AI provider (Anthropic/OpenAI/Google) for processing, returned to our server, cached and stored
Payment data — Sent to Stripe for processing. We receive only transaction status and customer ID.
Emails — Content transmitted to Resend for delivery. Not retained by Resend after delivery.
Google Drive / OneDrive files — Downloaded to our Netherlands server when you explicitly import them. Not transmitted to third parties.
SSO tokens — Stored encrypted on our Netherlands server. Not shared with third parties.

Request a Data Processing Agreement

Enterprise customers and organizations deploying Hubrix for their employees can request a formal DPA. We typically respond within 5 business days.

Organization Name

Contact Name

Work Email

https://hubrix.ai/privacy.html Country

Deployment Type

Additional Notes (optional)

Your Rights

Exercise Your GDPR Rights

To exercise any of your rights under GDPR, contact us at privacy@hubrix.ai. We will respond within 30 days.

👁️

Access (Art. 15)

Request a full copy of all personal data we hold about you.

✏️

Rectification (Art. 16)

Correct inaccurate personal data. Most data can be updated directly in your account.

🗑️

Erasure (Art. 17)

Delete your account and all associated data. Final deletion within 30 days.

📤

Portability (Art. 20)

Export your data (chat history, documents, profile) in JSON format.

You can also lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl

Contact

Privacy Contact

Privacy inquiries: privacy@hubrix.ai
General: info@hubrix.ai
Address: Hubrix Consulting VOF · KVK 84553081 · Poortugaal, South Holland, Netherlands
Response time: Within 30 days for GDPR requests · Within 5 business days for DPA requests