Privacy Policy
Last updated: April 2026 · Fluxive BV · BTW BE1029968269 · Ninove 9400 · Belgium
Short version: We collect only what we need to run our service. We never sell your data. We are subject to Belgian GDPR (AVG) enforced by the APD (Autoriteit Persoonsgegevens / Autorité de Protection des Données). You can request deletion of your data at any time by emailing privacy@fluxive.be.
1. Who we are
Fluxive BV is a Belgian company (BTW BE1029968269) headquartered in Ninove 9400, Belgium. We provide a fully managed phishing-simulation and AI-personalised awareness-training service for Belgian SMEs.
Contact: info@fluxive.be · +32 472 92 57 41
Privacy matters: privacy@fluxive.be
2. What personal data we process
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Client contacts | Name, work email, phone, company name | Service delivery, invoicing, communication | Contract (Art. 6(1)(b) GDPR) |
| Employee email lists | Name, work email, department, language preference | Sending phishing simulations and training lessons | Legitimate interest (Art. 6(1)(f) GDPR) — employer security training |
| Simulation results | Which employees opened / clicked / submitted, timestamps | Generating vulnerability profiles and AI lessons | Legitimate interest — security improvement |
| Demo requests | Name, email, company, message you submit | Responding to your enquiry | Consent (Art. 6(1)(a) GDPR) |
This marketing website does not use analytics, advertising pixels, or tracking cookies — see the Cookie Policy for the full list of what the site stores locally.
3. How we use your data
We use the data we collect only for the following purposes:
- Running phishing simulations for your organisation as contracted
- Generating personalised AI training lessons for employees who need them
- Producing NIS2 Article 21(2)(g) training documentation reports
- Communicating with you about your service, results, and reports
- Responding to demo requests and enquiries from this website
- Improving our service using aggregated, anonymised data only
We never sell, rent, or share your personal data with third parties for marketing purposes.
4. Data retention
| Data type | Retention period |
|---|---|
| Employee simulation results | Duration of the service contract + 90-day archival window |
| Client contact data | Duration of the service contract + 3 years (legal / accounting obligations) |
| Demo request data | 12 months from submission, or until you ask us to delete it |
5. Cookies and local storage
The marketing website at phishingtraining.be does not set tracking, analytics, or advertising cookies. The only local data stored in your browser is your language and theme preference. See the dedicated Cookie Policy for the exhaustive list.
6. Your rights under GDPR (AVG)
As a Belgian company we are subject to the GDPR (AVG) enforced by the APD (Gegevensbeschermingsautoriteit). You have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate personal data
- Right to erasure ("right to be forgotten") — ask us to delete your personal data
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — request your data in a portable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@fluxive.be. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit (GBA / APD)
Drukpersstraat 35 · 1000 Brussel
www.gegevensbeschermingsautoriteit.be · contact@apd-gba.be
7. Third-party processors
We use the following third-party processors to deliver our service. All are subject to data-processing agreements in compliance with GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude API) | Generating personalised training lessons | USA — standard contractual clauses; prompts processed ephemerally and not retained for model training |
| Resend | Sending training-lesson emails to employees | EU region |
| Railway | Hosting the application backend | EU region |
| Vercel | Hosting the marketing website | EU edge network |
For transfers to the USA (Anthropic), we rely on standard contractual clauses (SCCs) as approved by the European Commission under Article 46(2)(c) GDPR.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls — only authorised personnel can access client data
- Regular security assessments of our infrastructure
- Employee training on data handling
- Data-breach notification within 72 hours of discovery, as required by GDPR Article 33
9. Changes to this policy
We will update this policy when our practices change. Material changes will be communicated to active clients by email. The "Last updated" date at the top of this page always reflects the current version.
Questions? Email privacy@fluxive.be