Privacy Policy
Last updated: 19th November 2025
Aneo B.V. (“Aneo”, “we”, “us”, “our”) is committed to protecting your privacy.
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use aneo.io and all subdomains and aliases, for example app.aneo.io, api.aneo.io, docs.aneo.io, status.aneo.io, and any future subdomains under *.aneo.io, and when you interact with our applications, websites, and support.
We are a company registered in The Netherlands and act as controller for our websites and account data. For Customer Content inside our products we act as processor under the Data Processing Agreement.
1. Who we are and how to contact us
Controller: Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands
Email: privacy@aneo.io
General contact: https://www.aneo.io/contact/
You can lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens.
2. What we collect
The data we collect depends on how you use our services.
Account and contact data
Name, business email, phone, company, role, billing details, plan and subscription status.
Authentication data
Identity provider information from Google, Microsoft, or LinkedIn when you sign in, and session tokens from Firebase Authentication.
Customer Content
Documents you upload, tickets you create, questionnaire answers, policy drafts, AI prompts and outputs.
Usage and device data
IP address, browser and device type, pages viewed, app interactions, timestamps, approximate location from IP.
Support data
Information you include in requests, chat transcripts, and attachments.
Cookie and analytics data
See our Cookie Policy for details on cookies and similar technologies. We use Google Analytics 4 with privacy-focused settings and consent prompts where required.
We do not intentionally collect special category data. Do not submit sensitive data unless you have a lawful basis and a written agreement with us.
3. How we use your data and legal bases
We process personal data only where we have a legal basis under GDPR.
To provide the services
Create and manage accounts, authenticate users, deliver features, process payments, provide support, notify about changes.
Legal basis: performance of a contract.
To secure and improve the services
Monitor performance, fix bugs, prevent abuse and fraud, perform analytics to improve features.
Legal basis: legitimate interests in operating a secure and useful service.
To communicate with you
Operational emails, onboarding guidance, and product updates. You can opt out of non-essential emails at any time.
Legal basis: legitimate interests and consent where required.
To comply with law
Tax, accounting, responses to lawful requests, and record keeping.
Legal basis: legal obligation.
Marketing to business contacts
We may send B2B marketing about our products. You can unsubscribe at any time.
Legal basis: consent or legitimate interests, subject to local law.
We do not use Customer Content to train foundation models unless you opt in. See https://www.aneo.io/responsible-ai/.
4. When we act as processor
For Customer Content in our products, we act as processor and process data only on your instructions. The DPA governs security, sub‑processors, international transfers, and deletion. You remain controller for Customer Content and responsible for fulfilling data subject requests that relate to that content.
5. Sharing and recipients
We share personal data with service providers that help us deliver the services. We require appropriate data protection commitments from them.
Infrastructure and storage
Google Cloud Platform (EU) for hosting and backups. Supabase (EU) for the application database.
Authentication and identity
Firebase Authentication. Federated sign‑in with Google, Microsoft, and LinkedIn acting as separate controllers.
AI model inference
OpenAI processes prompts and outputs to provide AI features. No training on Customer Content unless you opt in.
Business operations
HubSpot for CRM and support communications. Google Workspace for business email and docs. Hostinger for website hosting and DNS. Google Analytics 4 for product and website analytics with consent.
The current list of sub‑processors is kept up to date at https://www.aneo.io/subprocessors/.
We do not sell personal information. We do not share personal information for cross‑context behavioral advertising.
6. International transfers
Our core processing runs in the EU. If personal data is transferred outside the EEA, UK, or Switzerland, we use appropriate safeguards, including the EU Standard Contractual Clauses, the UK Addendum, and the Swiss addendum as described in the DPA.
7. Retention
We keep personal data only as long as needed for the purposes stated here or as required by law.
Account and billing records: for the life of the account and up to 7 years afterwards for tax and accounting purposes.
Product logs and telemetry: typically 90 to 180 days.
Support tickets: typically 3 years after closure.
Backups: rolling backups with a typical 90‑day retention.
Customer Content after termination: deleted from active systems within 30 days and from backups within 90 days unless law requires longer retention.
Actual retention may vary by configuration and legal obligations. See the DPA for deletion timelines.
8. Your rights
Subject to law, you may have the right to request access, correction, deletion, restriction, or portability of your personal data, and to object to processing based on legitimate interests. You can withdraw consent at any time where consent is the legal basis.
To exercise your rights, contact privacy@aneo.io. For Customer Content, contact your organization, which is the controller.
You also have the right to lodge a complaint with a supervisory authority.
9. Children
Our services are intended for business users. We do not knowingly collect personal data from children under 16 in the EEA or under the age threshold set by local law. If you believe a child has provided personal data, contact us to delete it.
10. Security
We apply technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, logging and monitoring, and regular testing. Learn more in our Security Overview.
11. Cookies and similar technologies
See our Cookie Policy for details on cookies, analytics, and your choices, including consent management.
12. Third‑party sites
Our websites may link to third‑party sites. Their privacy practices are governed by their own policies.
13. Changes
We may update this policy to reflect changes to our services or legal requirements. We will change the “Last updated” date and, where appropriate, notify you.
14. Contact
Questions about this policy or your data rights: privacy@aneo.io
General inquiries: hello@aneo.io
Postal address: Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands
