Privacy policy

Who we are

Sarrai BV (hereinafter "Sarrai", "we" or "us") is a Belgian private limited company with its registered office in Stabroek, registered with the Crossroads Bank for Enterprises under number BE 06 537 798 02. We develop and operate a platform for capturing, managing and unlocking company knowledge.

For the personal data we process via our website, we act as controller. For the data our customers enter into the Sarrai platform, we act as processor within the meaning of Article 28 GDPR; in that case the processing takes place on the basis of a data processing agreement (DPA) with the customer.

What data we process

Depending on how you come into contact with Sarrai, we process various categories of personal data. In each case we limit ourselves to what is strictly necessary for the purpose for which the data are collected.

In principle we do not process special categories of personal data (such as data concerning health, religious belief or political opinion). Customers are asked not to upload such data into the platform unless this has been expressly provided for contractually.

Purposes and legal bases

We process personal data only for specified, explicit and legitimate purposes. For each purpose we rely on one of the legal bases set out in Article 6 GDPR.

• Performance of a contract — to give you access to the platform, to draw up invoices and to provide the agreed support.
• Legal obligation — for accounting and tax obligations, and for legally required data retention.
• Legitimate interest — to guarantee the operation and security of our services, to prevent fraud, and to inform existing customers about relevant product updates. We weigh that interest against your rights and freedoms in each case.
• Consent — for non-essential cookies, for commercial newsletters to prospects, and for any other processing for which we explicitly ask for consent. Consent can always be withdrawn.

How long we keep data

We do not keep personal data longer than necessary for the purposes for which they were collected, unless a longer retention period is required by law.

• Account data: as long as you are a customer, and up to a maximum of 12 months after termination of the contract — after which they are anonymised or erased.
• Billing and accounting data: 7 years, in accordance with Article III.86 of the Code of Economic Law.
• Contact and support communication: up to 3 years after the last contact, unless longer retention is necessary for an ongoing dispute.
• Technical logs: a maximum of 12 months, after which they are automatically deleted.
• Marketing mailings: until you unsubscribe or up to 3 years without interaction.

Sharing with third parties and processors

We do not sell your data to third parties. We share them only where this is necessary for the operation of our services, where you have expressly given consent for it, or where a legal obligation requires us to do so.

For the delivery of our services we rely on a limited number of carefully selected processors, in each case under a written data processing agreement. These include, among others:

• Hosting and infrastructure (within the European Economic Area);
• Email delivery for transactional and commercial messages;
• Payment processing and billing;
• Customer support, troubleshooting and product analytics.

A current list of our processors and their location can be requested via privacy@sarrai.be. For customers of the Sarrai platform, this list is included as an annex to the data processing agreement.

Transfers outside the EEA

Sarrai is deliberately built to keep personal data within the European Economic Area. Our hosting, storage and AI processing take place with European providers, in data centres on European territory.

Should a transfer to a country outside the EEA nevertheless be necessary, this takes place solely on the basis of appropriate safeguards as provided for in Articles 45 and 46 GDPR — preferably an adequacy decision of the European Commission, or the European Commission's standard contractual clauses supplemented with additional technical and organisational measures. We inform you about this in advance where it directly concerns you.

Security of your data

We take appropriate technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction. Our measures include, among other things, encryption of data at rest and in transit, strict role-based access management, periodic back-ups, audit logging, vulnerability testing and a written data breach policy.

A more detailed overview of our technical and organisational measures can be found on our Security & privacypage.

Should a data breach unexpectedly occur that entails a high risk to your rights and freedoms, we will notify you of it without undue delay, as provided for in Article 34 GDPR.

Your rights

Under the GDPR you have a number of rights with regard to your personal data. You can exercise these rights at any time free of charge by contacting us via privacy@sarrai.be. We may ask you to confirm your identity in order to prevent misuse.

• Right of access — you can request which personal data we process about you.
• Right to rectification — you can have inaccurate or incomplete data corrected or completed.
• Right to erasure — in certain cases you can request that your data be erased ("right to be forgotten").
• Right to restriction — you can request that the processing of your data be temporarily restricted.
• Right to portability — you can receive your data in a structured, commonly used and machine-readable format, or have it transferred onward.
• Right to object — you can object to processing based on a legitimate interest or on direct marketing.
• Right to withdraw consent — where processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing that took place before the withdrawal.

We will in principle respond to your request within one month. If a request is particularly complex, this period may be extended by two months; in that case we will inform you of this with reasons.

Cookies and similar technologies

Our website uses cookies and similar technologies to enable the operation of the site, to remember your preferences and, subject to your consent, to analyse the use of the site.

We distinguish three categories:

• Strictly necessary cookies — required for the basic operation of the site (e.g. session management, security). These are placed without consent.
• Preference cookies — remember, for example, language choice or display options.
• Analytical cookies — give us aggregated insights into how the site is used. For this we use a privacy-friendly tool hosted in Europe.

You can adjust your cookie preferences at any time via the cookie banner. Disabling certain cookies may make parts of the site work less smoothly.

Minors

Our services are aimed at organisations and their staff. We do not knowingly collect personal data from persons under the age of 16. If we discover that we have nevertheless unintentionally collected such data, we will delete it as soon as possible.

Changes to this policy

We may amend this privacy policy from time to time, for example following changes to our services, to the applicable legislation, or after comments from supervisory authorities. The most recent version is always available on this page; the date at the top indicates the last change.

In the case of material changes, we expressly notify our customers and, where relevant, visitors to the site, before the changes take effect.

Contact and complaints

Do you have questions about this privacy policy, would you like to exercise a right, or do you believe we are not processing your data correctly? Then please first contact our privacy officer. We do everything we can to reach a solution together.

You always retain the right to lodge a complaint with the competent supervisory authority. In Belgium this is the Data Protection Authority, Drukpersstraat 35, 1000 Brussels — www.gegevensbeschermingsautoriteit.be.