PRIVACY POLICY
enclava.io
Effective date: 16 March 2026
1. Controller Identity and Contact Details
Enclava is a sole proprietorship (eenmanszaak) established under Dutch law, operated by:
- Name: M Zulfa Achsani
- Address: Bastenakenstraat 168, 1066JG, Amsterdam
- KVK number: [KVK REGISTRATION NUMBER]
- Email: privacy@enclava.io
- Website: https://enclava.io
Note: Enclava currently operates as a sole proprietorship (eenmanszaak). The sole proprietor bears unlimited personal liability for all data processing activities under the GDPR. Upon incorporation as a B.V. (besloten vennootschap), the legal entity of the controller will change to the B.V., the KVK registration number will be updated, and liability will generally be limited to the corporate entity. A revised version of this Privacy Policy will be published at that time.
2. Scope
This Privacy Policy applies to the processing of personal data of tenant staff members (i.e. employees, contractors, and authorised users of businesses that use the Enclava platform) for which Enclava acts as the data controller within the meaning of Article 4(7) GDPR.
Enclava also processes personal data of end-customers of tenant businesses in its capacity as a data processor on behalf of those businesses. That processing relationship is governed by a separate Data Processing Agreement between Enclava and each tenant. End-customers should refer to the privacy policy of the relevant tenant business for information about how their data is handled.
This Privacy Policy does not apply to individuals under the age of 16. The Enclava platform is a business-to-business (B2B) service and is not directed at children. If we become aware that we have collected personal data from a person under 16 without appropriate parental consent, we will take steps to delete that data promptly. The age threshold of 16 applies in the Netherlands pursuant to Article 5 of the Uitvoeringswet AVG (UAVG), implementing Article 8 GDPR.
3. Personal Data We Collect
When you create a tenant staff account on Enclava, we collect and process the following personal data:
| Category | Data Elements | Source |
|---|---|---|
| Account data | Full name, email address, phone number | Provided directly by tenant staff member or tenant administrator |
| Authentication data | Encrypted password hash, session tokens | Generated during account creation and login |
| Usage data | Login timestamps, IP addresses, actions performed within the platform | Collected automatically during platform use |
4. Purposes and Legal Basis
| Purpose | Legal Basis (Art. 6(1) GDPR) |
|---|---|
| Providing and maintaining the Enclava platform and your tenant staff account | Art. 6(1)(b) — performance of a contract (the Enclava Terms of Service) |
| Communicating with you about your account, service updates, and support requests | Art. 6(1)(b) — performance of a contract |
| Ensuring security, monitoring for threats, and preventing fraud or misuse of the platform | Art. 6(1)(f) — legitimate interest (security of the platform and protection of users). A Legitimate Interest Assessment has been conducted and is available on request. |
| Complying with Dutch and EU legal obligations (e.g. tax record retention under Art. 52 AWR) | Art. 6(1)(c) — compliance with a legal obligation |
| Platform performance and reliability monitoring | Art. 6(1)(f) — legitimate interest (maintaining a reliable service). A Legitimate Interest Assessment has been conducted and is available on request. |
4a. Automated Processing and AI
Enclava uses artificial intelligence (AI) technologies, including large language models (LLMs), to process inbound customer messages on behalf of tenant businesses. This processing extracts structured operational data (such as service type, preferred dates, and contact details) from free-text messages.
Important clarifications regarding AI processing:
- AI processing of end-customer messages is carried out by Enclava in its capacity as a data processor on behalf of tenant controllers. The legal basis for this processing is determined by each tenant controller.
- AI-extracted data is always presented as a draft for human review. No quotes, work orders, invoices, or other operational decisions are made solely by AI.
- Enclava does not engage in automated individual decision-making producing legal effects or similarly significant effects on data subjects within the meaning of Article 22 GDPR. All operational decisions require explicit approval by tenant staff.
- Enclava does not use tenant or end-customer data to train or fine-tune AI models.
For more information about the AI systems used, see the AI Transparency Disclosure in Section 14 of the Terms of Service.
5. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Tenant staff account data | For the duration of the account. Data is deleted within 30 days of account deletion, unless retention is required by law. |
| Financial records and invoices | 7 years from the end of the fiscal year in which the record was created, in accordance with Article 52 of the Dutch Algemene wet inzake rijksbelastingen (AWR). |
| Usage data (logs) | 12 months from the date of collection, unless a longer retention is necessary for security incident investigation. |
| Support communications | For the duration of the account plus 12 months, or as long as necessary to resolve the inquiry. |
6. Recipients and Sub-processors
We share your personal data with the following categories of recipients, solely to the extent necessary for the purposes described in Section 4:
| Recipient | Purpose | Location | Safeguard |
|---|---|---|---|
| EU-based hosting provider | Infrastructure and data storage | European Union | Data processed within the EU/EEA; no additional transfer mechanism required |
| Self-hosted AI models (Ollama) | LLM-based extraction of inbound message content (primary processing route; data does not leave EU infrastructure) | European Union (self-hosted) | No international transfer; data remains on EU-hosted servers |
| OpenAI, L.L.C. | LLM-based extraction of inbound message content (cloud fallback) | United States | EU Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914. Transfer Impact Assessment conducted. |
| OpenRouter, Inc. | LLM-based extraction of inbound message content (cloud fallback) | United States | EU Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914. Transfer Impact Assessment conducted. |
| Resend, Inc. | Transactional email delivery (e.g. account notifications) | United States | EU Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914. Transfer Impact Assessment conducted. |
Where personal data is transferred to the United States, we rely on EU Standard Contractual Clauses (SCCs) adopted by the European Commission under Implementing Decision (EU) 2021/914 as the transfer mechanism. Transfer Impact Assessments have been conducted for each US sub-processor in accordance with the CJEU Schrems II judgment. Copies of the executed SCCs and TIA summaries are available on request at privacy@enclava.io.
A current list of sub-processors is also published at https://enclava.io/sub-processors.
7. Your Rights as a Data Subject
Under the GDPR (Articles 15 through 22) and the Dutch Uitvoeringswet AVG (UAVG), you have the following rights with respect to the personal data we process about you as a controller:
| Right | Description |
|---|---|
| Access (Art. 15) | You may request confirmation of whether we process your personal data and, if so, obtain a copy of it. |
| Rectification (Art. 16) | You may request correction of inaccurate personal data or completion of incomplete data. |
| Erasure (Art. 17) | You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (if applicable). |
| Restriction (Art. 18) | You may request that we restrict the processing of your personal data in certain circumstances (e.g. while we verify its accuracy). |
| Data portability (Art. 20) | You may request to receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), and to transmit that data to another controller. |
| Objection (Art. 21) | You may object to processing based on our legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. |
| Not to be subject to automated decision-making (Art. 22) | You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you. Enclava does not currently engage in such automated decision-making. |
To exercise any of these rights, please contact us at privacy@enclava.io. We will respond to your request within one month, as required by Article 12(3) GDPR. In complex cases, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for it.
We may ask you to verify your identity before processing your request.
8. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or the UAVG, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
- Address: Hoge Nieuwstraat 8, 2514 EL Den Haag
- Website: https://autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 8500
We encourage you to contact us first at privacy@enclava.io so that we may attempt to resolve your concerns directly.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including: HTTPS encryption for all data in transit; schema-per-tenant database isolation in PostgreSQL; Fernet-based encryption of sensitive tokens at rest; role-based access control; regular security reviews; and encrypted backups.
A Data Protection Impact Assessment (DPIA) has been conducted for the AI-based message extraction feature, in accordance with Article 35 GDPR. The DPIA is available on request.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on enclava.io and within the Enclava platform. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
In summary:
- We use strictly necessary cookies for authentication, session management, and security. These do not require your consent under Article 11.7a of the Dutch Telecommunicatiewet.
- We use functional cookies for preferences (e.g., language selection) with your consent.
- We do not currently use analytics or marketing cookies.
- We do not use third-party advertising cookies.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will notify you by email or through a notice on the platform. The date at the top of this document indicates the most recent revision.
12. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Netherlands. Any disputes arising from or in connection with this Privacy Policy shall be submitted to the competent court in the Netherlands.
Enclava Privacy Policy — Version 2.0