aneo
Aneo B.V.

Privacy Policy

This Privacy Policy explains how Aneo B.V. collects, uses, shares, protects, and retains personal data when you use aneo.io, contact us, create an account, use our products, or interact with our websites, applications, support, and commercial teams.

Last updated: 24 June 2026

1. Who we are

Aneo B.V. is a company registered in The Netherlands. Our registered address is Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands. Our Chamber of Commerce number is 98830848 and our VAT ID is NL868661727B01.

For the public website, account administration, billing, commercial communications, and direct customer relationships, Aneo B.V. acts as the controller of personal data. For Customer Content processed inside aneo products on behalf of a customer organization, Aneo B.V. generally acts as processor under the applicable agreement, order form, or data processing agreement.

2. Scope of this policy

This policy applies to the public website at www.aneo.io, product and account surfaces such as app.aneo.io, related aneo.io subdomains, contact forms, email and phone enquiries, product onboarding, support, billing, and commercial conversations.

If a signed agreement, order form, data processing agreement, or product-specific notice applies, that document may provide additional terms for the relevant customer relationship or processing activity.

3. Definitions used in this policy

Personal data means information that identifies or can reasonably relate to an identified or identifiable person. Customer Content means documents, tickets, questionnaire answers, prompts, outputs, policies, reports, evidence notes, incident records, uploads, and similar material submitted to or generated through aneo products by or for a customer.

aneo tools generate structured cybersecurity documentation and analysis reports for internal business use. The platform is not designed to host, publish, or distribute public user-generated content.

4. Personal data we collect

The personal data we collect depends on how you interact with aneo. We collect only what is reasonably needed for the relevant purpose.

  • Contact and enquiry data: name, work email, phone number, company, role, country, product interest, timeline, message content, and communication preferences.
  • Account and billing data: account identifiers, business contact details, plan or product status, payment status, invoices, billing address, VAT details, and purchase history.
  • Authentication data: sign-in identifiers, identity provider information, multi-factor or session information, and authentication logs where account access is enabled.
  • Website and device data: IP address, browser, device type, operating system, pages viewed, referral source, timestamps, approximate location from IP address, and cookie or consent preferences.
  • Product usage data: feature use, app interactions, audit events, generated document activity, ticket activity, timestamps, performance logs, and error events.
  • Framework-Pro data: readiness questionnaire answers, framework selections, control mapping inputs, generated policy drafts, supporting documents, evidence placeholders, and payment-related metadata.
  • IncidentAI data: incident tickets, classifications, severity, impact, categories, timelines, notes, owners, response actions, evidence notes, MITRE ATT&CK mapping context, summaries, and closure records.
  • AI interaction data: prompts, context submitted to AI features, generated outputs, confidence hints, analyst notes, suggested actions, and related metadata.
  • Support data: information submitted through support requests, email, calls, attachments, logs, troubleshooting details, and feedback.
  • Marketing and event data: business contact details, communication history, newsletter preferences, campaign engagement, event registration, and unsubscribe status.

5. Special category and sensitive data

We do not intentionally request special category personal data through the public website or contact forms. Do not submit health data, biometric data, criminal-offence data, government identifiers, payment card numbers, passwords, secrets, or other highly sensitive information unless it is necessary, lawful, and covered by an appropriate written agreement.

Because IncidentAI may be used for security incident records, customers are responsible for configuring their workflows and instructions so that only necessary information is submitted. Customer organizations remain responsible for the lawfulness of Customer Content they provide to aneo products.

6. How we collect personal data

We collect personal data directly from you when you complete a form, email us, call us, create an account, use a product, request a demo, pay for a product, or submit support information.

We also collect data automatically through our websites and applications, such as device data, logs, cookies, consent choices, and product usage events. We may receive limited data from identity providers, payment providers, analytics tools, customer administrators, integration partners, or business systems used to provide the service.

7. How we use personal data

We use personal data to operate aneo, provide our products, respond to enquiries, support customers, secure the platform, improve product quality, and comply with law.

  • To respond to contact requests, demo requests, product questions, partnership enquiries, support requests, and commercial conversations.
  • To create and manage accounts, authenticate users, administer subscriptions, process payments, issue invoices, and provide access to products.
  • To deliver Framework-Pro features, including readiness workflows, framework selection, control mapping, document generation, and downloadable outputs.
  • To deliver IncidentAI features, including incident ticketing, classification support, response records, AI-assisted summaries, owner tracking, and audit history.
  • To provide AI-assisted functionality, generate draft outputs, summarize information, suggest next steps, and improve workflow consistency.
  • To monitor performance, troubleshoot issues, maintain service reliability, prevent abuse, protect accounts, and investigate suspected security incidents.
  • To improve the website, products, onboarding, support, content, and documentation.
  • To send operational messages, product updates, security notices, administrative messages, and B2B marketing where permitted.
  • To comply with tax, accounting, legal, regulatory, contractual, dispute, and record-keeping obligations.

8. Legal bases for processing

Where the GDPR or similar law applies, we rely on one or more legal bases depending on the purpose of processing.

  • Contract: to provide products, account access, support, billing, and customer services requested by you or your organization.
  • Legitimate interests: to operate, secure, improve, and promote aneo products, respond to business enquiries, prevent fraud, and understand product usage, provided those interests are not overridden by your rights.
  • Consent: for optional cookies, some marketing communications, and other activities where consent is required.
  • Legal obligation: for tax, accounting, compliance, lawful requests, record keeping, and regulatory obligations.
  • Vital interests or public interest: only where strictly necessary in exceptional circumstances, such as serious security or safety situations.

9. Customer Content and processor role

For Customer Content inside aneo products, the customer organization is generally the controller and Aneo B.V. is generally the processor. We process that content to provide the contracted product, follow customer instructions, maintain security, provide support, and meet obligations in the applicable agreement or data processing agreement.

If a data subject request relates to Customer Content controlled by your organization, you should usually contact that organization first. We will assist customer controllers as required by the applicable agreement and law.

10. AI processing and model training

Some aneo products use AI to help classify, summarize, draft, map, or analyze security workflow information. AI output should be reviewed by humans before it is relied on for operational, legal, compliance, security, or incident-response decisions.

We do not use Customer Content to train foundation models unless the customer has expressly opted in or agreed in writing. Where third-party model providers process prompts and outputs to provide AI features, we use contractual and technical measures intended to protect Customer Content and limit unauthorized use.

11. Automated decisions

aneo products may generate suggestions, summaries, classifications, document drafts, control guidance, or analysis outputs. These outputs are intended to support human review and decision-making.

We do not intend to make solely automated decisions about individuals that produce legal or similarly significant effects without appropriate human involvement.

12. Cookies and similar technologies

We may use cookies, local storage, pixels, tags, and similar technologies to operate the website, remember preferences, understand website performance, support analytics, protect the service, and improve content.

Strictly necessary cookies may be used without consent where allowed by law. Analytics, preference, and marketing cookies are used only where configured and where the required consent or legal basis exists. More detail is available in our Cookie Policy.

13. Analytics and website measurement

We may use privacy-conscious analytics to understand which pages are useful, how visitors find the website, and where the website can be improved. Analytics should be configured with appropriate privacy controls, consent prompts where required, and retention settings.

Analytics data is used in aggregated or pseudonymous form where practical. We do not use website analytics to sell personal information.

14. Marketing communications

We may contact business users and prospects about aneo products, resources, guides, updates, and events where allowed by law. You can opt out of non-essential marketing communications at any time by using the unsubscribe option or contacting us.

Even after you opt out of marketing, we may still send operational, security, billing, legal, or service-related messages where necessary.

15. Payment processing

Framework-Pro may allow users to pay online through a payment gateway. Payment providers process payment details according to their own terms and privacy notices. We receive limited payment metadata such as payment status, invoice information, customer details, product purchased, and transaction references.

We do not intentionally store full payment card numbers on our own systems.

16. Sharing and recipients

We share personal data only where needed for the purposes described in this policy, where required by law, or where permitted by an applicable agreement. We require service providers to use appropriate confidentiality, security, and data protection commitments.

  • Infrastructure, hosting, storage, backup, and security providers, including Google Cloud services such as Cloud Run where used.
  • Database, authentication, and identity providers, including sign-in providers such as Google, Microsoft, or LinkedIn where enabled.
  • AI model and inference providers that process prompts, context, and outputs to provide AI-assisted features.
  • Payment processors, invoicing tools, and accounting providers used to process payments and maintain financial records.
  • Business systems such as email, CRM, support, scheduling, document, analytics, and customer communication tools.
  • Integration providers where customers configure integrations with ticketing, collaboration, identity, or workflow tools.
  • Professional advisers, insurers, auditors, banks, legal counsel, and public authorities where necessary.
  • Successors or parties involved in a business transaction, such as a merger, financing, acquisition, restructuring, or asset transfer, subject to appropriate protections.

17. Sub-processors

For product processing where we act as processor, sub-processors may be used for hosting, infrastructure, database services, authentication, AI inference, payments, support, monitoring, communication, and other operational needs.

We maintain sub-processor information and can provide relevant details to customers as part of the applicable agreement, data processing agreement, security review, or onboarding process. Sub-processor details may also be published on the aneo website where available.

18. We do not sell personal data

We do not sell personal data. We do not share personal data for cross-context behavioral advertising as those terms are commonly used in US state privacy laws. If our practices change, we will update this policy and provide required choices.

19. International transfers

Aneo B.V. is based in The Netherlands. We aim to keep core processing in the European Economic Area where practical, especially for customer product data and infrastructure choices.

Where personal data is transferred outside the EEA, United Kingdom, or Switzerland, we use appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, the UK Addendum, the Swiss addendum, data processing agreements, technical controls, and vendor due diligence.

20. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, misuse, and destruction. No system is perfectly secure, but we design aneo products and operations with security as a core requirement.

  • Encryption in transit and, where appropriate, encryption at rest.
  • Role-based access controls and least-privilege access practices.
  • Authentication, session management, and account protection controls.
  • Logging, monitoring, backup, and recovery processes.
  • Security review of infrastructure, product changes, and vendors.
  • Separation of public website, product application, and internal administrative access where practical.
  • Human review and approval points for AI-assisted product output.

21. Retention

We keep personal data only for as long as reasonably needed for the purposes described in this policy, for the duration of the customer relationship, or as required by law, contract, dispute, accounting, tax, or security obligations.

  • Contact and enquiry data: typically up to 3 years after the last meaningful interaction, unless a longer period is needed for a customer relationship or legal reason.
  • Account data: for the life of the account and a reasonable period after closure.
  • Billing, invoice, tax, and accounting records: generally up to 7 years where required by law.
  • Product logs and telemetry: typically 90 to 180 days, unless needed longer for security, audit, support, or legal reasons.
  • Support requests: typically up to 3 years after closure.
  • Backups: rolling retention, commonly up to 90 days depending on system configuration.
  • Customer Content after termination: deleted or returned according to the applicable agreement, typically from active systems within 30 days and from backups within a commercially reasonable backup retention period unless law requires longer retention.
  • Marketing preference records: retained as needed to honor unsubscribe and suppression choices.

22. Your privacy rights

Depending on your location and the applicable law, you may have rights over your personal data. These may include the right to access, correct, delete, restrict, object, port your data, withdraw consent, and lodge a complaint with a supervisory authority.

Where we process Customer Content as processor, we may need to refer your request to the customer organization that controls the relevant data.

  • Access: request a copy of personal data we hold about you.
  • Correction: ask us to correct inaccurate or incomplete personal data.
  • Deletion: ask us to delete personal data where the law allows.
  • Restriction: ask us to restrict processing in certain circumstances.
  • Objection: object to processing based on legitimate interests or direct marketing.
  • Portability: request a portable copy of certain personal data.
  • Withdraw consent: withdraw consent where processing is based on consent.

23. How to exercise your rights

To exercise privacy rights, contact privacy@aneo.io. We may need to verify your identity and understand the data or account involved before acting on a request.

You also have the right to lodge a complaint with a supervisory authority. In The Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens.

24. Children

aneo websites and products are intended for business users and are not directed to children. We do not knowingly collect personal data from children under 16 in the EEA or below the applicable age threshold in other locations. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.

25. Third-party websites and integrations

Our websites and products may link to third-party websites, documentation, integrations, identity providers, payment providers, social media pages, or external tools. Their privacy practices are governed by their own policies, not this Privacy Policy.

If a customer enables an integration, personal data may be exchanged with that integration according to the customer configuration and the terms of the relevant provider.

26. Changes to this policy

We may update this Privacy Policy to reflect changes in our products, website, vendors, legal requirements, or privacy practices. When we update it, we will change the Last updated date. Where required, we will provide additional notice or request consent.

27. Contact

Privacy questions and rights requests: privacy@aneo.io.

General enquiries: hello@aneo.io.

Phone: +31 6 10 40 80 06.

Postal address: Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands.

28. Important note

This Privacy Policy is intended to explain aneo's privacy practices in clear terms. It is not legal advice to customers or visitors. Customers remain responsible for their own privacy, security, compliance, incident response, and legal obligations when using aneo products.