Privacy Policy
Last update: 07/07/2025
Summary (Informative Only)
This summary highlights key points from our Privacy Policy to help you quickly understand how we handle your data. This Privacy Policy:
Explains which personal data we collect, why, and on what GDPR legal bases.
Clarifies when AstrisNexus acts as controller or processor.
Confirms we never train AI models on your documents.
Describes our ISO 27001-certified security measures, data-transfer safeguards, and deletion timeline for active systems.
Summarises your rights (access, deletion, portability, objection, restriction) and how to exercise them.
Outlines our use of cookies, analytics, and device data—with clear opt-out options.
This summary does not replace the full legal text below.
1. Definitions
Capitalised terms have the meanings set out in the AstrisNexus Terms & Conditions (“T&C”). Additional definitions:
Controller: An organisation that determines the purposes and means of the processing of Personal Data.
EEA: European Economic Area.
Personal Data: Any information relating to an identified or identifiable natural person.
Processor: An organisation that processes Personal Data on behalf of a Controller.
2. Our Data-Protection Principles
We adhere to the GDPR principles of lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; accountability; and privacy by design & default.
3. Role of AstrisNexus
Depending on the context:
As Controller: AstrisNexus processes Personal Data relating to the User or Client to create accounts, manage billing and support, and analyse usage for service improvement. Legal bases include performance of contract, legitimate interest, and (for optional marketing) consent.
As Processor: When handling uploaded Company documentation, AstrisNexus processes data only on instruction, as part of service delivery. This processing is governed by the Data Processing Agreement (DPA) between AstrisNexus and the Client.
4. Personal Data We Collect
We collect only the minimum Personal Data necessary to deliver our services:
Account & Identification Data: name, job title, email, phone number, organisation, country.
Platform Usage Data: login times, document history, clickstream activity.
Transaction Metadata: sector focus, deal size bracket, and anonymised engagement indicators.
Payment & Billing Data: billing address, VAT number, confirmation details (note: card data is processed directly by our payment provider).
Device & Technical Data: IP address, browser type, OS, crash logs, device IDs, language.
Public & Licensed Sources: registry data (e.g. KvK), sanctions lists, commercial datasets.
Cookies & Tracking Technologies: see Section 11.
We do not intentionally collect sensitive (special category) Personal Data. If required, we will do so only with your explicit consent or where legally necessary. Our Platform is not directed at individuals under 16, and we do not knowingly collect their data.
5. Purposes and Legal Bases for Processing
We process Personal Data for the following purposes:
To provide and manage our Services, including document generation and matchmaking (Art. 6(1)(b) GDPR).
To ensure platform security and prevent abuse (Art. 6(1)(f) GDPR).
To improve AI-generated outputs and derive market insights (without accessing document contents) (Art. 6(1)(f) GDPR).
To fulfil AML, KYC and sanction-screening obligations (Art. 6(1)(c) GDPR).
To monitor delivery and engagement with service emails (Art. 6(1)(f) GDPR).
To respond to user rights requests, subject to identity verification (Art. 6(1)(c) and 6(1)(f) GDPR).
To send system notices or platform changes (Art. 6(1)(b) GDPR).
To send newsletters or invitations (with consent) (Art. 6(1)(a) GDPR).
6. Automated Decision-Making & AI Transparency
Astris™ and Nexus™ use AI to draft documents and suggest counterparties. While some features are automated, the Client decides which Advisors or Investors are contacted, and who may access their information. AstrisNexus does not take legally binding decisions on behalf of any User or Client.
Users remain responsible for reviewing suggestions, exercising their own judgment, and making final decisions. We aim to provide a general explanation of how AI-generated suggestions are determined.
7. Sharing & Recipients
We share Personal Data only in these scenarios:
With approved sub-processors (e.g. email, hosting) under written contracts.
With payment providers; payment data is handled by our payment provider under PCI-DSS standards.
With matched Advisors or Investors, only after NDA acceptance and with the Client’s authorisation.
As part of a business transfer (e.g. acquisition or merger).
With regulatory or judicial authorities where required by law.
If AstrisNexus operates across multiple entities, these may act as joint controllers. AstrisNexus B.V. remains your main contact.
We never sell your identifiable data.
Our Platform may link to third-party websites. We are not responsible for their privacy practices and encourage the User to review their privacy policies before sharing data.
8. International Transfers
If Personal Data leaves the EEA, we use:
The EU–US Data Privacy Framework (for certified recipients); or
Standard Contractual Clauses with added safeguards.
For UK transfers, we rely on the IDTA or UK Addendum to the SCCs.
9. Retention & Deletion
Live data is deleted within 14 days of a confirmed request.
Backups are purged within 90 days.
Audit logs (hashed, non-identifiable) are kept under Art. 6(1)(f) GDPR.
Marketing data is deleted on opt-out.
Financial records are retained for 7 years under Dutch law.
The Client may request account deletion at any time via the platform or by contacting legal@astrisnexus.com.
10. Security
We implement ISO 27001-certified security measures, including:
Encryption of data at rest and in transit.
Least-privilege access.
Multi-factor authentication.
Regular penetration testing and monitoring.
All staff with access to Personal Data are under confidentiality agreements and receive regular training.
While no system is infallible, each User is responsible for protecting its own passwords and devices.
For the contractual uptime commitment and force-majeure carve-outs, see T&C.
11. Cookies & Analytics
We use the following types of cookies:
Essential cookies (e.g. "astris_session") maintain your login. These cannot be disabled.
Analytics cookies (e.g. "astris_anon") help us understand user behaviour. Consent is required.
Marketing cookies (e.g. "_ga") support Google Analytics with IP anonymisation. Consent is required.
Non-essential cookies are only set after you click "Accept" in the cookie banner. You may withdraw consent at any time. More information is available in our Cookie Notice.
12. Your Rights
Users have the right to access their data, request correction or deletion, restrict or object to processing, receive their data in a portable format, and withdraw consent at any time (where applicable). We may ask for identity confirmation before fulfilling User requests. Responses are issued within one month, extendable to two for complex requests.
13. Complaints
A Data Subject may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or with a local authority in the EEA, UK, Switzerland, or the US (if applicable).
14. Contact
AstrisNexus B.V.
Strawinskylaan 3051, 1077 ZX Amsterdam, Netherlands
Email: legal@astrisnexus.com
15. Changes
We review this Privacy Policy annually and when we materially change our processing practices. Users will be notified at least 30 days in advance. Continued use of the Platform constitutes acceptance. If the Client does not agree, it may terminate its account in line with our T&C.