5 May 2026
Introduction
Your privacy is of great importance to BeeSensible. In this privacy statement, we explain which personal data we collect and use, for what purpose we do this, and what your rights are. We adhere to the General Data Protection Regulation (GDPR) and other relevant privacy legislation.
This privacy statement applies to all processing of personal data for which BeeSensible is the Data Controller. This concerns the data of our website visitors, (potential) customers, and the users of our services.
Important: This statement does not cover the data that you or your organisation process via our Application (for example, the content of text you type in supported web applications). For that data, your organisation is the Data Controller and we are the Processor. The agreements about this are laid down in our Data Processing Agreement (DPA).
Article 1: Who are we?
BeeSensible is the Data Controller for the processing as described in this statement. Our details are:
Name: Venturo Media B.V.
Address: Spijksedijk 1a, 6917 AD Spijk, The Netherlands
Chamber of Commerce number: 72127198
VAT number: NL859075330B01
Contact: For privacy-related questions, contact us at trust@beesensible.eu.
Article 2: What personal data do we process and why?
We process various personal data, depending on how you interact with us. Below we specify per situation which data we collect, for what purpose, on what legal basis, and how long we store it.
2.1 When you visit our website
Data: Technical data such as your IP address (anonymized), browser type, operating system, pages visited, and the duration of your visit.
Purpose: To ensure the proper functioning of our website.
Legal Basis: Legitimate interest (offering a functional and secure website). We ask for your consent to place non-essential cookies.
Retention Period: Technical logs are kept for a maximum of 30 days.
2.2 When you create an Account (free or paid)
Data: Name, email address, and an encrypted password, or a unique identifier from a third party (such as Google or Microsoft) with which you log in.
Purpose: Creating and managing your Account, granting you access to the Application, sending essential service messages (e.g., about maintenance or security), and providing user support.
Legal Basis: Performance of the agreement (the terms of use you accept).
Retention Period: As long as your Account is active. After deleting your account, your data will be permanently deleted within 90 days.
2.3 When you (or your organisation) enter into a paid Agreement
Data: Company name, address details, Chamber of Commerce number, name and email address of the contact person, and payment details (such as the last four digits of your credit card and the expiry date).
Purpose: Drawing up and executing the Agreement, invoicing, financial administration, and fraud prevention.
Legal Basis: Performance of the agreement and legal obligation (our administrative duty for the Tax and Customs Administration).
Retention Period: Invoice and payment data are kept for 7 years in accordance with the legal retention obligation. Account data is kept for the duration of the contract plus 7 years.
2.4 When you contact us
Data: Your name, email address, telephone number (if provided), and the content of your message.
Purpose: Answering your question, providing support, or following up on your request.
Legal Basis: Performance of the agreement (if you are a customer), your consent (if you fill in a contact form), or legitimate interest (to be able to help you adequately).
Retention Period: Correspondence is kept for up to 2 years after the last interaction, unless a legal obligation requires a longer period.
2.5 When you subscribe to our newsletter
Data: Email address (and possibly your name).
Purpose: To inform you about product updates, news, tips, and offers.
Legal Basis: Your explicit consent.
Retention Period: As long as you are subscribed. You can unsubscribe at any time via the link at the bottom of each newsletter. After unsubscribing, you will be immediately removed from the mailing list.
2.6 When the Application processes text (as Processor)
When the browser extension is active, text you type in supported web applications is sent to BeeSensible's detection service for analysis. This processing happens in working memory only. The text is discarded immediately after detection and is never written to disk, never stored in a database, and never included in logs or backups.
The detection service returns only labels and positions to the extension. BeeSensible never receives a copy of the text for storage or review.
What is stored after detection: counts of detection events per category, per application, per time window, and the action you took (remove, replace, mask, or ignore). This detection metadata contains no content. Detection metadata is kept for the duration of your licence, with a maximum of 24 months rolling.
The purpose of this processing is strictly limited to real-time detection of potentially sensitive information and presenting a sanitisation suggestion. It is not used for performance monitoring, behaviour monitoring, disciplinary action, profiling, scoring, marketing, or model training.
Article 3: Do we share your data with third parties (sub-processors)?
Yes, we use third parties (sub-processors) to provide our services. We only share your data when strictly necessary and always ensure a (processor) agreement with these parties. We will never sell your data to third parties.
Our main sub-processors are:
| Sub-processor | Function | Location |
|---|---|---|
| Scaleway | Hosting API, dashboard, and IAM | EU (France, Netherlands, Poland) |
| Hetzner | Hosting detection model | EU (Germany) |
| Paddle | Billing and licence administration | UK (adequacy decision) |
| Proton | Email communication (support) | Switzerland (adequacy decision) |
| Brevo | CRM and transactional email | EU (France) |
Article 4: Is your data transferred outside the EU/EEA?
Our principle is to process personal data within the European Economic Area (EEA). Our product infrastructure runs entirely in the EU: Scaleway (France, Netherlands, Poland) and Hetzner (Germany).
Two sub-processors are located outside the EEA but in countries with an adequacy decision under the GDPR:
- Paddle (UK): the UK has an adequacy decision from the European Commission.
- Proton (Switzerland): Switzerland has an adequacy decision from the European Commission.
No personal data is transferred to countries without an adequacy decision.
Article 5: How do we secure your data?
We take appropriate technical and organisational measures to prevent misuse, loss, unauthorised access, and unauthorised modification. This includes:
Encryption: All data is encrypted during transport (TLS) and at rest.
Access Control: We apply strict access controls based on the least privilege principle, so that only authorised personnel can access your data.
Secure Data Centres: Our infrastructure is hosted in certified data centres. Scaleway holds SecNumCloud certification. Both Scaleway and Hetzner are ISO 27001 certified.
No content in logs: Logs contain only status codes, performance metrics, component identifiers, timestamps, and correlation IDs. No request bodies, text snippets, or user input appear in any log.
Security Audits: We regularly conduct internal and external audits and penetration tests.
Personnel: All our employees are bound by confidentiality obligations and are trained in data protection.
Article 6: What are your rights?
You have the following rights with regard to the personal data we process about you:
Right of access: You can request an overview of the personal data we process about you.
Right to rectification: You can ask us to correct incorrect data.
Right to erasure: You can ask us to delete your data.
Right to restriction of processing: You can ask us to temporarily stop processing your data.
Right to object: You can object to processing based on legitimate interest.
Right to data portability: You can receive your data in a structured, commonly used, and machine-readable format.
Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time.
Note on content data: The right of access and the right to erasure do not apply to the text you type while using the Application, because that text is never stored. It is processed in working memory and discarded immediately. There is no stored record of it to access or delete.
Note on dashboard reports: The admin dashboard shows only aggregated statistics. Reports are not linked to individual users and are not shown for any group of fewer than 10 active users. No individual report exists.
You can send a request to exercise your rights to trust@beesensible.eu. We will respond within one month. To verify your identity, we may ask for additional information.
You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Article 7: Automated decisions
BeeSensible does not make any fully automated decisions with legal or significant effect about you. The extension presents detection results and suggestions. You decide in every case whether to act on a suggestion, ignore it, or send the text unchanged.
Article 8: Cookies and Tracking Technologies
We use cookies and similar technologies on our website. Cookies are small text files stored on your device when you visit our website.
Types of cookies: We use functional cookies (necessary for the site to work) and marketing cookies (for personalised advertising).
Consent: Your consent is not required for functional cookies. For analytical and marketing cookies, we ask for your prior and explicit consent via our cookie banner. These cookies are only placed after you have made an active choice.
Freedom of choice: Our cookie banner gives you the option to accept or refuse cookies on equal terms. The option to refuse is not hidden or harder to reach. We do not use pre-ticked boxes for non-essential cookies.
Withdrawing consent: You can withdraw your consent at any time via the "Cookie settings" link in the footer of our website.
Cookie Statement: For a detailed overview of all cookies we use, their purpose, the provider, and the retention period, see our Cookie Statement.
Article 9: Note for organisations deploying BeeSensible
If your organisation is considering deploying BeeSensible for employees, we recommend consulting your works council (ondernemingsraad) before deployment. This is relevant under the Dutch Works Councils Act for monitoring systems and employee data protection arrangements. BeeSensible is not designed for monitoring employees, but the works council is the appropriate body to be involved in decisions about software that touches employee communications.
A product DPIA is available on request at trust@beesensible.eu. Your organisation remains responsible for its own DPIA.
Article 10: Changes to this privacy statement
We may change this privacy statement from time to time. Changes will be published on our website. The date at the top of this statement indicates when it was last updated. In the event of significant changes that affect your rights or the way we process your data, we will proactively inform you, for example via email or a notification on our website.