Privacy Policy
Summary: Stratyx OS processes your professional contact details and commercial pipeline data to operate its services. We do not sell your data. You retain full rights over your data under GDPR. This policy is governed by Belgian law.
1. Data Controller
The data controller for personal data processed through Stratyx OS is:
Stratyx
Email: os@stratyx.be
Website: stratyx.be
Country: Belgium
For all data protection enquiries, contact us at privacy@stratyx.be.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, professional email address, job title | Provided by you at registration |
| Organisation data | Company name, workspace name, team structure | Provided by your administrator |
| Commercial pipeline data | Deal names, buyer company names, stage, value, check-in responses | Entered by you or your team |
| Usage data | Log-in events, feature usage, page views within the application | Automatically collected |
| Billing data | Subscription tier, payment method type, billing address | Processed via Stripe (we do not store card numbers) |
| Communication data | Transactional emails sent to your address | Generated by the system |
3. Legal Basis for Processing
We process your data on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Stratyx OS service you have subscribed to — account management, pipeline data storage, weekly cadence emails, and reporting.
- Legitimate interests (Art. 6(1)(f)): Service security, abuse prevention, and product analytics to improve the platform. We balance these interests against your rights.
- Legal obligation (Art. 6(1)(c)): Retention of billing records as required by Belgian accounting and tax law.
- Consent (Art. 6(1)(a)): Any optional communications (e.g., product updates) require your explicit opt-in, which you may withdraw at any time.
4. How We Use Your Data
- Operate and maintain your Stratyx OS workspace and user account
- Deliver weekly check-in reminders, decay alerts, briefings, and forecast warnings
- Generate AI-powered commercial diagnostics using anonymised deal signals
- Process subscription payments and issue invoices
- Provide customer support
- Detect and prevent fraud, abuse, or security incidents
- Comply with applicable legal obligations
5. Recipients of Your Data
We share your data only with the following sub-processors, all of whom are contractually bound to GDPR-compliant data processing:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | EU (AWS eu-central-1) |
| Clerk | Authentication & identity management | EU / USA (SCCs in place) |
| Vercel | Application hosting & CDN | EU / USA (SCCs in place) |
| Anthropic | AI processing (deal diagnostics) | USA (SCCs in place) |
| Resend | Transactional email delivery | USA (SCCs in place) |
| Stripe | Payment processing | EU / USA (SCCs in place) |
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising.
6. International Data Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). Where data is transferred to the USA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c), or on the EU–US Data Privacy Framework where applicable.
7. Retention Periods
| Data type | Retention period | Justification |
|---|---|---|
| Account & workspace data | Duration of subscription + 30 days | Service delivery; 30-day grace period for recovery |
| Commercial pipeline data | Duration of subscription + 30 days | Service delivery |
| Billing records | 7 years | Belgian accounting law (Wetboek van Economisch Recht) |
| Security & audit logs | 12 months | Security monitoring and incident investigation |
| Deleted workspace data | Purged within 30 days of deletion request | GDPR erasure right |
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you. Use the data export feature in your workspace settings or contact us.
- Right to rectification (Art. 16): Correct inaccurate personal data directly in your account settings or by contacting us.
- Right to erasure (Art. 17): Request deletion of your data where no legal obligation to retain it exists. Use the workspace deletion feature or contact us.
- Right to data portability (Art. 20): Export your commercial pipeline data in CSV format directly from workspace settings.
- Right to restriction of processing (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@stratyx.be. We will respond within 30 days as required by GDPR Article 12.
9. Right to Lodge a Complaint
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de Protection des Données):
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be
Tel: +32 (0)2 274 48 00
10. Cookies and Tracking
Stratyx OS uses strictly necessary cookies for session management and authentication. We do not use advertising cookies or cross-site tracking. A session cookie named demo_auth is set when accessing the demo environment and expires after 24 hours.
11. Data Security
We implement appropriate technical and organisational measures to protect your data, including: TLS encryption for all data in transit, AES-256 encryption for data at rest, row-level security (RLS) on the database enforcing workspace isolation, MFA support via Clerk, and regular security reviews.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated by email with at least 30 days notice before taking effect. The current version is always available at stratyx-os.vercel.app/legal/privacy.
13. Governing Law
This Privacy Policy is governed by Belgian law. Any disputes shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium, without prejudice to your rights as a data subject under GDPR.
Contact for data protection matters: privacy@stratyx.be · Stratyx · Belgium