Faylo
DRAFT — review with legal/DPO

Privacy Policy

How Faylo handles the personal data of visitors and firms that contact us — and how the product is designed to keep identifiable client data within your own control. This is a draft version.


Draft document — not yet reviewed by legal/DPO

This is placeholder text that still has to be reviewed and approved by a human — legal counsel and/or the data protection officer (DPO) — before launch. For a privacy product this applies especially to the privacy policy. Do not rely on this text for any rights or guarantees yet.

Last updated: [PLACEHOLDER — date]. Version: [PLACEHOLDER — version number].

1. Who we are

Faylo (“Faylo”, “we”, “us”) provides a privacy-first AI layer for accounting and advisory firms. For the data we process through this website and our contact channels, Faylo acts as the data controller. [PLACEHOLDER — legal entity, registered address, KvK (chamber of commerce) number and contact details, to be completed by the founder.]

2. Scope

This policy covers the personal data we process about website visitors and people who request a pilot or information from us. It explicitly does not cover the client data your firm processes with the Faylo software; for that, Faylo acts as a processor under your instructions and a separate processing agreement applies (see section 5).

3. What data we collect

  • Contact details you provide yourself through the pilot/contact form: name, firm name, email address, firm size and your message.
  • Limited, privacy-friendly and aggregated website usage statistics — only when analytics is enabled, and exclusively via a cookieless solution (Plausible or a self-hosted Umami) that sets no cookies, stores nothing on your device and performs no cross-site tracking.
  • Technical data your browser sends automatically (such as IP address and device type), to the extent needed to deliver the site securely.

Please do not include any client-identifiable data in the contact form — it is not intended for that.

4. Purposes and legal bases

  • Responding to your request and arranging a pilot — basis: performance of, or steps prior to, a contract (Art. 6(1)(b) GDPR).
  • Securing and improving the website — basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Meeting legal obligations where they apply — basis: legal obligation (Art. 6(1)(c) GDPR).

5. Client data and the Faylo service

When your firm uses Faylo, identifiers — names, BSN, KvK, btw (VAT), IBAN — are deterministically pseudonymised before any request leaves your environment; the AI provider receives tokens only. The value-to-token mapping stays inside your own tenant. In doing so, Faylo acts strictly as a processor under your instructions, on the basis of a processing agreement.

Faylo is designed to support your GDPR/AVG obligations by keeping identifiable data within your control. Faylo does not present itself as “certified” or “compliant” and holds no ISO 27001, SOC 2 or GDPR certification; assess the architecture together with your own DPO.

6. Sharing and sub-processors

We do not sell your data. We only engage service providers needed to run our website and communications (such as hosting and email), under appropriate processing terms. [PLACEHOLDER — current list of sub-processors and their hosting regions.]

7. International transfers

We aim to process personal data within the EEA. Where any transfer outside the EEA does occur, it is made with appropriate safeguards (such as the European Commission's standard contractual clauses). [PLACEHOLDER — confirm the actual processing locations.]

8. Retention

We keep contact data no longer than necessary for the purposes above or than legally required. [PLACEHOLDER — concrete retention periods per category.]

9. Your rights

Under the GDPR you have the right to:

  • access your data;
  • rectify inaccurate data;
  • erasure (“to be forgotten”);
  • restrict or object to the processing;
  • data portability;
  • lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise a right, use the contact details in section 13.

10. Cookies and analytics

This website sets no tracking or analytics cookies. When we measure usage statistics, we do so with a cookieless, privacy-friendly solution (Plausible or a self-hosted Umami) that works in fully aggregated form: no cookies, no storage on or reading from your device, no cross-site tracking, and no sale or sharing of data. Because nothing is stored on or read from your device (Art. 11.7a Dutch Telecommunications Act; Art. 5(3) ePrivacy Directive), no cookie banner is required for these statistics. Should we ever decide to set non-essential cookies, we will first ask for your consent through a banner with granular opt-in.

11. Security

We take appropriate technical and organisational measures to protect personal data against loss and unauthorised access. No service can guarantee absolute security.

12. Changes

We may update this policy. The current version is always available on this page, stating the date it was last changed.

13. Contact

Questions about privacy or a request regarding your rights? Contact us at [PLACEHOLDER — privacy/DPO contact address]. [PLACEHOLDER — state whether a data protection officer (DPO) has been appointed and, if so, their contact details.]