Privacy Policy

Last updated: 1 March 2026

1. Introduction

Crimson Owl Technologies ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.

We process personal data in accordance with the General Data Protection Regulation (GDPR), the Dutch Implementation Act of the GDPR (Uitvoeringswet AVG), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Crimson Owl Technologies

KVK (Chamber of Commerce): 99457377

BTW (VAT): NL869000172B01

Email: [email protected]

3. What Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Information You Provide

  • Contact information: Name, email address, company name when you contact us or fill out forms
  • Communication data: Content of messages you send us via contact forms or email
  • Account data: Login credentials and profile information if you use our Platform Architecture Authority (PAA) service

3.2 Information Collected Automatically

  • Technical data: IP address, browser type, operating system, device information
  • Usage data: Pages visited, time spent on pages, referral source
  • Cookie data: Information collected through cookies and similar technologies (see Section 9)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 GDPR:

  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for marketing communications
  • Contract (Art. 6(1)(b)): Where processing is necessary to perform a contract with you or take pre-contractual steps at your request
  • Legal obligation (Art. 6(1)(c)): Where we must comply with legal requirements
  • Legitimate interests (Art. 6(1)(f)): Where we have a legitimate business interest that does not override your rights, such as improving our services and website security

5. How We Use Your Data

We use your personal data for the following purposes:

  • To respond to your inquiries and provide customer support
  • To provide and maintain our services, including the PAA platform
  • To process transactions and send related information
  • To send administrative information, such as service updates
  • To improve our website, products, and services
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations
  • To send marketing communications (only with your consent)

6. Data Sharing and Transfers

We do not sell your personal data. We may share your data with:

  • Service providers: Third parties who provide services on our behalf (hosting, analytics, email delivery), bound by data processing agreements
  • Legal requirements: When required by law, regulation, or legal process
  • Business transfers: In connection with a merger, acquisition, or sale of assets

International Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • EU adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other valid transfer mechanisms under GDPR

7. Platform Architecture Authority (PAA) — Data Processing

This section applies specifically to users of the Platform Architecture Authority (PAA) platform.

7.1 Data We Process on Your Behalf

When you use PAA, we act as a data processor on your behalf for the following categories of data:

  • Azure infrastructure metadata: Resource identifiers, configuration properties, and topology data retrieved via Azure Resource Graph from your connected Azure subscriptions. This data does not include the contents of your workloads, only their configuration and structure.
  • Architecture documentation: Documents, assessments, Architecture Decision Records (ADRs), and diagrams generated through the platform. This content is stored in PAA and, where configured, synchronised to your designated GitHub repository or Confluence space.
  • Conversation data: Input you provide to the AI agents during assessment sessions. This data is processed to generate assessment output and is not used to train AI models.
  • Audit logs: Records of actions taken within your workspace, retained according to your subscription plan.

7.2 How PAA Accesses Your Azure Environment

PAA connects to your Azure environment using a service principal that you create and configure. The service principal is granted Reader role on the target subscription — it can read resource configuration and topology but cannot create, modify, or delete resources. Your service principal credentials are encrypted and stored in Azure Key Vault using per-tenant encryption keys. You can revoke access at any time by removing the service principal or deleting your workspace.

7.3 AI Processing

Assessment content is processed using AI model APIs. PAA supports multiple AI providers — Anthropic (Claude), OpenAI (GPT), Google (Gemini), and Mistral. The active provider is determined by your workspace configuration. Data submitted for inference is governed by the applicable provider's data processing terms; none of the supported providers use customer data submitted via API to train their models. All data is transmitted over encrypted connections (TLS 1.2 minimum).

7.4 Data Residency

All PAA platform infrastructure is hosted in the Azure West Europe region (Amsterdam, Netherlands). Platform operational data — workspace configuration, user accounts, audit logs — remains within this region. AI inference requests are routed to Anthropic's API, which may process data outside the EEA; appropriate safeguards (Standard Contractual Clauses) are in place for these transfers.

7.5 Data Processing Agreement

Organisations requiring a Data Processing Agreement (DPA) in accordance with Article 28 GDPR may request one by contacting us at [email protected]. A standard DPA is available for Business and Enterprise tier customers.

7.6 Sub-processors

We use the following sub-processors in the delivery of the PAA platform:

Sub-processor | Purpose | Location
Microsoft Azure | Platform hosting, storage, authentication, key management | EU (West Europe)
Anthropic | AI model inference for assessment generation (Claude) | USA (SCCs in place)
OpenAI | AI model inference for assessment generation (GPT), if configured | USA (SCCs in place)
Google | AI model inference for assessment generation (Gemini), if configured | USA/EU (SCCs in place)
Mistral AI | AI model inference for assessment generation (Mistral), if configured | EU (France)
Mollie | Payment processing for subscription billing | EU (Netherlands)
GitHub (optional) | Document synchronisation, if configured by customer | USA (SCCs in place)
Atlassian Confluence (optional) | Document synchronisation, if configured by customer | USA/EU (SCCs in place)

We will notify customers of any material changes to our sub-processor list with reasonable advance notice, providing an opportunity to object before the change takes effect.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods:

  • Contact form submissions: 2 years after last contact, unless a business relationship is established
  • Customer account data: Duration of the business relationship plus 7 years (Dutch fiscal retention requirement)
  • Website analytics: 26 months
  • Marketing consent records: Until consent is withdrawn, plus 3 years for documentation purposes

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. Cookies are small text files stored on your device that help us provide and improve our services.

Types of Cookies We Use

  • Strictly necessary cookies: Essential for the website to function properly. These do not require consent.
  • Functional cookies: Remember your preferences (e.g., theme settings)
  • Analytics cookies: Help us understand how visitors interact with our website

You can control cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18): Request limitation of processing
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent (Art. 7): Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, please contact us at [email protected]. We will respond to your request within one month.

11. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens

Postbus 93374

2509 AJ Den Haag

Website: autoriteitpersoonsgegevens.nl

We encourage you to contact us first so we can try to resolve your concerns directly.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments
  • Employee training on data protection

13. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Crimson Owl Technologies

Email: [email protected]