Your privacy is fundamental to our mission. This policy explains how hulde, operated by Real AI B.V., collects, processes, stores, and protects your personal data in full compliance with the EU General Data Protection Regulation (GDPR) and applicable Dutch data protection law.
This Privacy Policy (“Policy”) applies to all services provided through the hulde platform at enterprise.hulde.ai and any related sub-domains, mobile applications, and APIs (collectively, the “Platform”). By accessing or using the Platform, you acknowledge that you have read and understood this Policy. Where we require your consent for specific processing activities, we will ask for it separately and you may withdraw it at any time.
The data controller responsible for your personal data is:
Real AI B.V.
Assen, Netherlands
Email: privacy@hulde.ai
KvK (Chamber of Commerce): [Registration Number]
As the controller, Real AI B.V. determines the purposes and means of processing personal data collected through the Platform. References to “hulde,” “we,” “us,” or “our” in this Policy refer to Real AI B.V.
This Policy applies to all individuals who interact with the Platform, including enterprise administrators who register their organisation, employees and learners who access training modules, visitors who browse public pages, and anyone who contacts us via email or the contact form.
The Platform is designed for enterprise use. When your employer or organisation provides you with access to hulde, your organisation acts as a separate controller (or joint controller, as applicable) for the personal data it submits. We recommend reviewing your employer’s internal privacy notice alongside this Policy.
We collect the following categories of personal data:
Full name, corporate email address, job title, organisation name, and hashed authentication credentials. For OAuth-based sign-in (Google Workspace, Microsoft Entra ID), we receive your name, email, and profile image from the identity provider.
Assessment responses, KPI entries, workshop exercise inputs, module progress, session duration, pages viewed, and auto-saved draft content within modules.
IP address, browser type and version, operating system, device type, referring URL, pages visited, and timestamps. This data is collected automatically through server logs and essential cookies.
Subscription plan, billing address, and transaction history. Full payment card details are processed exclusively by our PCI DSS Level 1 compliant payment processor (Stripe) and are never stored on our servers.
Messages sent through the contact form, support tickets, and email correspondence, including name, email, and message content.
We do not collect special categories of personal data (such as health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs) unless explicitly required by a specific module and with your separate, explicit consent.
Under Article 6 of the GDPR, we rely on the following lawful bases for processing your personal data:
Performance of Contract (Art. 6(1)(b))
Processing necessary to provide you with access to the Platform, deliver training modules, save your assessment progress, and manage your subscription.
Legitimate Interests (Art. 6(1)(f))
Processing necessary for our legitimate interests in maintaining platform security, preventing fraud, improving our services through aggregated analytics, and communicating service-related notices. We balance these interests against your rights and freedoms.
Consent (Art. 6(1)(a))
Where required, such as for optional analytics cookies, marketing communications, or processing of special category data. You may withdraw consent at any time by contacting us at privacy@hulde.ai.
Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable legal or regulatory obligations, such as tax record retention or responding to lawful data access requests from authorities.
We process your personal data for the following specific purposes:
Providing and operating the Platform, including user authentication, module delivery, progress tracking, and auto-saving of learning data. Managing your account and subscription, including billing, access provisioning, and communications about your account status. Improving and developing the Platform through aggregated, anonymised usage analytics to identify trends and enhance user experience. Ensuring security and preventing abuse, including monitoring for unauthorised access, fraud detection, and DDoS mitigation. Responding to support requests and contact form inquiries. Complying with legal obligations, including tax, accounting, and regulatory requirements under Dutch and EU law. Sending service-related notices such as security alerts, policy updates, and feature announcements (distinct from marketing, which requires separate consent).
We do not engage in automated individual decision-making or profiling that produces legal or similarly significant effects on data subjects.
Our primary data infrastructure is hosted within the European Economic Area (EEA). Where data is transferred to countries outside the EEA (for example, to sub-processors with US operations), we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented by transfer impact assessments where required. Adequacy decisions by the European Commission under Article 45 GDPR, including the EU-US Data Privacy Framework where the recipient is certified. Binding Corporate Rules where applicable.
You may request a copy of the relevant safeguards by contacting us at privacy@hulde.ai.
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Our retention schedule is as follows:
Account Data
Retained for the duration of the active subscription, plus 30 days after account deletion to allow for reactivation.
Learning & Assessment Data
Retained for the duration of the subscription. Upon account deletion, data is anonymised or deleted within 90 days unless the enterprise administrator has configured a longer retention period.
Billing Records
Retained for 7 years after the end of the financial year in which the transaction occurred, as required by Dutch tax law (Algemene wet inzake rijksbelastingen).
Server Logs
Retained for a maximum of 90 days for security and debugging purposes, then automatically purged.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in line with Article 32 GDPR. These measures include:
Encryption in transit using TLS 1.3 for all data transmitted between your browser and our servers, and encryption at rest using AES-256 for stored data. Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in plaintext. Authentication tokens use JWT with secure, httpOnly cookies. Access control follows the principle of least privilege, with role-based access control (RBAC) at both the application and database levels. Infrastructure is hosted in SOC 2 Type II certified data centres. We conduct regular security assessments and maintain an incident response procedure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and inform affected individuals without undue delay, in accordance with Articles 33 and 34 GDPR.
As a data subject under the GDPR, you have the following rights which you may exercise at any time:
Right of Access (Art. 15)
Obtain confirmation of whether we process your personal data and, if so, receive a copy of the data along with supplementary information about the processing.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data or completion of incomplete data without undue delay.
Right to Erasure (Art. 17)
Request deletion of your personal data where the data is no longer necessary, consent has been withdrawn, or the data has been unlawfully processed.
Right to Restriction (Art. 18)
Request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint (Art. 77)
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or any other competent supervisory authority in the EU.
To exercise any of these rights, please contact us at privacy@hulde.ai with subject line “Data Subject Request.” We will respond within 30 days (extendable by a further 60 days for complex requests, with prior notice). We may request identity verification before processing your request to protect against fraudulent requests.
The Platform is designed for enterprise use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that data promptly. If you believe we hold data about a child, please contact us immediately at privacy@hulde.ai.
We have appointed a Data Protection Officer (DPO) who can be contacted for any questions or concerns regarding the processing of your personal data or the exercise of your rights:
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you through a prominent notice on the Platform or by email at least 30 days before the changes take effect. The “Last updated” date at the top of this Policy indicates when it was most recently revised. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
If you have any questions, concerns, or requests relating to this Policy or our data protection practices, please contact us:
Real AI B.V.
Assen, Netherlands
General: contact@hulde.ai
Privacy: privacy@hulde.ai
Phone: +31 85 0606349
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500
This Privacy Policy is governed by Dutch law. Any disputes arising from this Policy shall be submitted to the competent court in The Netherlands.