Privacy Policy
Last updated: April 2026 · Fluxive BV · BTW BE1029968269 · Ninove 9400 · Belgium
Short version: We collect only what we need to run our service. We never sell your data. We are subject to Belgian GDPR (AVG) enforced by the APD (Autoriteit Persoonsgegevens / Autorité de Protection des Données). You can request deletion of your data at any time by emailing privacy@fluxive.be.
1. Who we are
Fluxive BV is a Belgian company (BTW BE1029968269) headquartered in Ninove 9400, Belgium. We provide a fully managed phishing-simulation and AI-personalised awareness-training service for Belgian SMEs.
Contact: info@fluxive.be · +32 472 92 57 41
Privacy matters: privacy@fluxive.be
2. What personal data we process
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Client contacts | Name, work email, phone, company name | Service delivery, invoicing, communication | Contract (Art. 6(1)(b) GDPR) |
| Employee email lists | Name, work email, department, language preference | Sending phishing simulations and training lessons | Legitimate interest (Art. 6(1)(f) GDPR) — employer security training |
| Simulation results | Which employees opened / clicked / submitted, timestamps | Generating vulnerability profiles and AI lessons | Legitimate interest — security improvement |
| Demo requests | Name, work email, company, team size, message you submit | Responding to your enquiry and preparing a possible service offer | Pre-contractual measures (Art. 6(1)(b) GDPR) at your request — plus the explicit consent you tick on the form for transparency |
This marketing website does not use analytics, advertising pixels, or tracking cookies — see the Cookie Policy for the full list of what the site stores locally.
3. How we use your data
We use the data we collect only for the following purposes:
- Running phishing simulations for your organisation as contracted
- Generating personalised AI training lessons for employees who need them
- Producing NIS2 Article 21(2)(g) training documentation reports
- Communicating with you about your service, results, and reports
- Responding to demo requests and enquiries from this website
- Improving our service using aggregated, anonymised data only
We never sell, rent, or share your personal data with third parties for marketing purposes.
4. Data retention
| Data type | Retention period |
|---|---|
| Employee simulation results | Duration of the service contract + 90-day archival window |
| Client contact data | Duration of the service contract + 3 years (legal / accounting obligations) |
| Demo request data | 12 months from submission, or until you ask us to delete it |
5. Cookies and local storage
The marketing website at phishingtraining.be does not set tracking, analytics, or advertising cookies. The only local data stored in your browser is your language and theme preference. See the dedicated Cookie Policy for the exhaustive list.
6. Your rights under GDPR (AVG)
As a Belgian company we are subject to the GDPR (AVG) enforced by the APD (Gegevensbeschermingsautoriteit). You have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate personal data
- Right to erasure ("right to be forgotten") — ask us to delete your personal data
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — request your data in a portable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@fluxive.be. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit (GBA / APD)
Drukpersstraat 35 · 1000 Brussel
www.gegevensbeschermingsautoriteit.be · contact@apd-gba.be
7. Third-party processors and infrastructure
We use the following processors and pieces of infrastructure to deliver our service. All third parties are subject to data-processing agreements in compliance with GDPR. We update this list when it changes:
| Processor / asset | Purpose | What data | Location |
|---|---|---|---|
| Vercel* | Hosting the marketing website (phishingtraining.be) and the customer-facing dashboard. Includes Vercel Web Analytics (anonymous, cookieless page-view counts — no individual tracking) and Vercel Speed Insights (anonymous Core Web Vitals). | Demo-form submissions in transit; dashboard page loads; aggregated page-view + performance metrics | EU edge network — IP anonymised at origin |
| Railway | Hosting the application API, the production PostgreSQL database, and the Redis job queue. This is where your client and employee data is stored at rest. | All client/employee records, campaign results, generated lessons | EU region |
| Anthropic (Claude API) | Generating personalised training lessons from anonymised failure signals | Ephemeral prompt input only; not retained for model training | USA — standard contractual clauses (SCCs) under Art. 46(2)(c) GDPR |
| Resend | Sending training-lesson emails to employees, and demo-form lead-confirmation emails | Employee work email + lesson HTML; demo-form submitter email + body | EU region |
| Vercel KV (Upstash Redis under the hood, via the Vercel Marketplace integration) | Dead-letter queue: holds a demo-form submission as a list entry (Redis RPUSH contact:queue) if Resend cannot deliver the lead email at the moment of submission. The entry remains in the queue until a Fluxive operator manually drains it during the next business day; queued entries are deleted from the queue once the lead has been actioned. Each entry is retained for no longer than the demo-request retention period (12 months from submission, per §4 above). | The unsent demo-form payload (name, work email, company, team size, message, queue timestamp, deployment commit SHA) | EU edge (encrypted at rest) |
| Cloudflare Turnstile | Privacy-respecting bot challenge on the demo form (no cookies, no fingerprinting) | Challenge token only; no PII directly, IP visible at Cloudflare edge for the duration of the challenge | Cloudflare global edge — see Cloudflare's privacy notice |
| Fluxive on-premise GoPhish | Sending phishing simulations to your employees and recording who clicked. Operated by Fluxive on hardware we own and physically control. | Employee work email + simulation result events | Belgium (on-premise) |
* Vercel Web Analytics, Vercel Speed Insights, and the Vercel KV dead-letter queue are products provided by Vercel Inc. under the same Vercel Data Processing Addendum that covers our primary hosting use. They are listed as separate rows above only where the data category differs.
For transfers to the USA (Anthropic), we rely on standard contractual clauses (SCCs) as approved by the European Commission under Article 46(2)(c) GDPR. No other personal data leaves the EU.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls — only authorised personnel can access client data
- Regular security assessments of our infrastructure
- Employee training on data handling
- Data-breach notification within 72 hours of discovery, as required by GDPR Article 33
9. Changes to this policy
We will update this policy when our practices change. Material changes will be communicated to active clients by email. The "Last updated" date at the top of this page always reflects the current version.
Questions? Email privacy@fluxive.be · Fluxive BV · BTW BE1029968269 · Ninove 9400 · Belgium