Privacy Policy
Effective date: [date] · Last updated: [date]
Moonlight Array B.V.
Draft pending legal review
This document is a starting point for legal review, not legal advice. It should be reviewed by a qualified Dutch/EU technology lawyer before publication. Bracketed items [like this] must be completed before use.
1. Who We Are (Controller Identity)
Moonlight Array B.V. is the controller of Personal Data processed for our own purposes in connection with AIDO. We are registered at [address], Chamber of Commerce number [KvK number]. For privacy questions, data-subject requests, or complaints, contact us at [[email protected]]. Where we process Personal Data on behalf of a customer as a processor, our Data Processing Agreement governs that processing. This Privacy Policy describes only the Personal Data we process as a controller.
2. Personal Data We Collect
We collect and process the following categories of Personal Data:
- Account data: name, email address, username, organisation name, role, password hash, authentication data, account settings, communication preferences.
- Billing data: billing address, VAT number, payment status, invoices, subscription plan, usage records, transaction identifiers. Payment card details are processed by our payment processor (currently [Stripe / Mollie]) and are not stored by us.
- Service usage data: login timestamps, IP addresses used for authentication, dashboard activity, feature usage, plan limits, configuration changes, instance status, usage metrics, error logs, audit trails.
- Agent and integration metadata: Agent names, tool configurations, connected service identifiers, API usage statistics, integration status, task-execution logs, and workflow metadata. We do not systematically access the substantive content of Agent inputs, outputs, or processed data except where necessary for security, abuse prevention, debugging at your request, or compliance with law.
- Hosted Instance data: technical identifiers, assigned IP addresses, hostnames, resource usage metrics, network metadata, storage usage, security events, and infrastructure logs.
- Support and communications data: messages, emails, chat transcripts, attachments, feedback, survey responses, and support ticket records.
- Website and device data: IP address, browser type, device identifiers, operating system, referring URLs, pages viewed, approximate location derived from IP address, and cookie identifiers (see Section 7).
- Abuse and security data: abuse reports, takedown notices, investigation records, fraud indicators, security incident records, enforcement actions, and related correspondence.
3. Data Processed by Agents
Your Agents may process data that you connect, upload, authorise, or instruct them to access. This may include files, messages, emails, calendar data, contacts, browser data, third-party account data, Personal Data about your customers or contacts, or other confidential information. You control which accounts, tools, data sources, credentials, and permissions are connected to your Agent. You, not Moonlight Array B.V., are the controller of that data. You are responsible for ensuring that you have the lawful right to provide this data to the Service and to cause your Agent to process it. We process this data as a processor on your behalf, subject to our Data Processing Agreement.
4. How We Use Personal Data (Purposes)
We use Personal Data we control for the following purposes:
- providing, operating, maintaining, securing, and improving the Service;
- creating and managing accounts, authenticating users, and preventing unauthorised access;
- provisioning, operating, monitoring, and supporting Hosted Instances;
- processing billing, payments, taxes, renewals, and generating invoices;
- providing support and responding to requests;
- monitoring usage, enforcing limits, detecting errors, and troubleshooting;
- detecting, preventing, investigating, and responding to fraud, abuse, security incidents, policy violations, and unlawful activity;
- complying with legal obligations, responding to lawful government requests, and meeting regulatory requirements;
- communicating about service updates, security notices, billing, policy changes, and administrative matters;
- sending marketing communications where permitted by law and subject to your opt-out rights;
- analysing and improving the Service, user experience, reliability, and security.
5. Legal Bases Under GDPR (Article 6)
Where the GDPR applies, we rely on the following legal bases:
- Contract (Article 6(1)(b)): Processing necessary to perform our contract with you, including providing the Service, managing accounts, processing billing, provisioning Hosted Instances, and providing support.
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests or those of a third party, including securing and improving the Service, preventing and investigating abuse, conducting business analytics, communicating with business contacts, enforcing our Terms, and protecting our rights and property. We balance these interests against your rights and freedoms and do not rely on legitimate interests where your interests override ours.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with tax, accounting, sanctions, consumer protection, platform, regulatory, and lawful-request obligations under EU, Dutch, or other applicable law.
- Consent (Article 6(1)(a)): For certain non-essential cookies, marketing communications, and optional features where consent is required. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
6. Sharing Personal Data
We may share Personal Data with the following categories of recipients:
- Infrastructure and hosting providers that store data, run infrastructure, and provide cloud services on our behalf;
- Payment processors and billing providers that process payments and manage invoicing;
- AI model and API providers where necessary to provide features of the Service (such as sending prompts to language model providers);
- Analytics, monitoring, and communication providers for usage analytics, error tracking, and transactional email;
- Professional advisers including legal counsel, auditors, and insurers;
- Law enforcement, regulators, courts, and competent authorities where required by law, legal process, or to protect rights, safety, or property;
- Affected third parties and platform providers in connection with abuse reports, security incidents, notice-and-action requests, or DSA obligations;
- Acquirers or successors in connection with a merger, acquisition, restructuring, or sale of assets, subject to confidentiality obligations;
- Other parties with your explicit instruction or consent.
We do not sell Personal Data. We do not use Personal Data for automated decision-making that produces legal effects or similarly significantly affects you, unless we explicitly inform you and provide appropriate safeguards.
7. Cookies and Similar Technologies
We may use cookies, pixels, local storage, and similar technologies for authentication, security, preferences, analytics, and performance. Strictly necessary cookies (authentication, security, fraud prevention) do not require consent. Analytics and non-essential cookies require your consent where required by the ePrivacy Directive as implemented in the Dutch Telecommunicatiewet (Article 11.7a). We will present a cookie consent mechanism before placing non-essential cookies. You can manage cookies through your browser settings, our cookie preferences tool, or by withdrawing consent.
8. International Transfers
We may process and transfer Personal Data to countries outside the European Economic Area ("EEA"). Where we transfer Personal Data to a country that has not received an adequacy decision from the European Commission, we use appropriate safeguards as required by Chapter V of the GDPR, including: (a) Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914); (b) Transfer Impact Assessments where required; (c) Supplementary technical and organisational measures where necessary. For transfers to the United States, we may rely on the EU-U.S. Data Privacy Framework where the recipient is a certified participant. You may request a copy of the safeguards we use by contacting [[email protected]].
9. Subprocessors
We use subprocessors to provide the Service. A current list of subprocessors is available at our Subprocessors page or upon request. For business customers who have entered into a Data Processing Agreement with us, subprocessor changes are notified and managed in accordance with that agreement.
10. Retention
We retain Personal Data for as long as necessary to fulfil the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and protect our legitimate interests. Typical retention periods include:
- Account data: for the duration of your account and [12] months after account closure, unless longer retention is required by law;
- Billing and tax records: [7] years, as required by Dutch fiscal law (Algemene wet inzake rijksbelastingen, Article 52);
- Security, abuse, and infrastructure logs: [12] months, or longer where necessary for ongoing investigations, legal proceedings, or compliance;
- Support communications: for as long as needed for support history, quality assurance, and legal protection;
- Agent and Hosted Instance data: according to plan settings, customer instructions, deletion requests, and backup cycles.
We may anonymise or aggregate data after the retention period expires. Anonymised data is no longer Personal Data and may be retained indefinitely for analytical and statistical purposes.
11. Security
We use technical and organisational measures designed to protect Personal Data, including access controls, encryption in transit (TLS) and at rest where appropriate, logging, monitoring, vulnerability management, patch management, and security review processes. No system is completely secure. In the event of a Personal Data breach, we will comply with our notification obligations under Articles 33 and 34 of the GDPR and any applicable Dutch implementation requirements.
12. Your Rights Under the GDPR
Under the GDPR, you have the following rights with respect to Personal Data we process as controller:
- Right of access (Article 15): to obtain confirmation of whether we process your Personal Data and, if so, to receive a copy;
- Right to rectification (Article 16): to have inaccurate Personal Data corrected and incomplete data completed;
- Right to erasure (Article 17): to have Personal Data deleted in certain circumstances (the 'right to be forgotten');
- Right to restriction (Article 18): to restrict processing in certain circumstances;
- Right to data portability (Article 20): to receive your Personal Data in a structured, commonly used, machine-readable format;
- Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing;
- Right to withdraw consent (Article 7(3)): to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing;
- Right not to be subject to automated decision-making (Article 22): not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, unless exceptions apply.
To exercise your rights, contact [[email protected]]. We will respond within one month, extendable by two further months for complex or numerous requests (Article 12(3) GDPR). We may need to verify your identity before processing your request. If your request relates to Personal Data we process on behalf of a customer as processor, we will refer your request to the relevant customer (who is the controller) unless we are legally required to respond directly.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. If you are in the Netherlands, the competent authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Bezuidenhoutseweg 30, 2594 AV The Hague, https://autoriteitpersoonsgegevens.nl. You may also lodge a complaint with the supervisory authority of the EU Member State in which you reside or work, or in which the alleged infringement occurred.
14. Marketing Communications
We may send you marketing communications where you have opted in or where we are permitted to do so under the "soft opt-in" exception (existing customers, similar products, provided we gave you the opportunity to opt out and include an unsubscribe option in each communication). You may opt out of marketing emails at any time by using the unsubscribe link or contacting us. We will continue to send non-marketing administrative messages about your account, security, billing, and legal notices.
15. Children
The Service is not intended for children under 16 years of age (the minimum age set by the Dutch UAVG under Article 8 GDPR). We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16 without valid parental consent, we will take steps to delete that data promptly. If you use the Service to process data of children (for example, if your Agent interacts with a service used by minors), you are responsible for obtaining all required parental or guardian consents and complying with applicable child-protection laws.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by email, in-product notice, or website notice at least [30] days before the changes take effect. The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.
17. Contact
- Privacy contact: [[email protected]]
- Postal address: [address]
- Data Protection Officer (if appointed): [DPO contact details, if applicable]