Privacy Policy
Effective date: 27 May 2026 · Version 1.1
Effective date: 27 May 2026 | Version 1.1
Penningmeester.ai BV · Professor van der Waalsstraat 32, 2014 EG Haarlem, the Netherlands · KVK 96218886
1. Who We Are
Minerva Digital is a trade name of Penningmeester.ai BV, a private limited company registered in the Netherlands.
| Legal entity | Penningmeester.ai BV |
| Trade name | Minerva Digital |
| Address | Professor van der Waalsstraat 32, 2014 EG Haarlem, the Netherlands |
| KVK number | 96218886 |
| Privacy contact | privacy@minerva-digital.io |
When this policy says "we", "us", or "Minerva", it means Penningmeester.ai BV.
2. Our Products
Minerva Platform
A multi-tenant AI operating system for professional organisations. Organisations ("customers") create accounts, invite their team members, and use the platform for knowledge management, AI-assisted workflows, document production, research, and sales and outreach processes. We refer to those organisations as "customers" and to the individuals they invite as "users".
Arena
A public AI planning tool. Anyone can visit, create a personal account, run multi-model AI plans, ask follow-up questions, and purchase credits. Arena users have no organisational affiliation on the platform.
3. Our Roles Under the GDPR
The GDPR (EU 2016/679) distinguishes between the data controller — who decides why and how personal data is processed — and the data processor — who processes data on behalf of a controller.
We are the data controller for:
- Personal data of Minerva Platform users (names, email addresses, login credentials, usage data, AI interaction history).
- Personal data of Arena visitors and account holders.
- Professional contact data collected from public sources for our shared company and contact intelligence database (platform_companies and platform_contacts).
We are the data processor for:
- Documents, files, notes, and any other content that customer organisations upload or create inside the platform. The customer organisation is the data controller for that content. Our Data Processing Agreement (Section 11) governs this relationship.
- Prospect behavioural tracking data generated through tracking tokens that customers deploy on their own websites or documents. Customers are the controllers of that data.
4. What Personal Data We Collect and Why
4a. Platform Users
| Category | Data | Legal basis | Purpose |
|---|---|---|---|
| Identity | Full name, email address, password hash, profile photo (optional) | Contract (Art. 6(1)(b)) | Account creation and management |
| Membership | Organisation membership, role, permissions, team membership | Contract (Art. 6(1)(b)) | Access control and workspace management |
| Usage | AI interactions, conversation history, documents, workflow runs, generated outputs | Contract (Art. 6(1)(b)) | Deliver the service |
| Billing | Subscription plan, credit balance, billing transactions (card data held by Stripe, not us) | Contract (Art. 6(1)(b)) | Billing and credits |
| Technical | IP address, session tokens, audit log entries, browser extension activity | Legitimate interest (Art. 6(1)(f)) | Security and fraud prevention |
| Preferences | Notification settings, workspace preferences, language settings | Contract (Art. 6(1)(b)) | Personalisation |
4b. Arena Account Holders
| Category | Data | Legal basis | Purpose |
|---|---|---|---|
| Identity | Email address, display name (optional) | Contract (Art. 6(1)(b)) | Account creation and authentication |
| Usage | Plan runs, follow-up questions, credit purchases and consumption | Contract (Art. 6(1)(b)) | Deliver the Arena service |
| Billing | Credit balance and purchases (card data held by Stripe) | Contract (Art. 6(1)(b)) | Payment and credits |
| Technical | IP address, session tokens | Legitimate interest (Art. 6(1)(f)) | Security and anti-abuse |
4c. Third-Party Professional Contact Data
To power prospect discovery and enrichment features, we maintain a shared database of professional contact and company information sourced exclusively from publicly available sources: company websites, LinkedIn public pages, the Dutch Chamber of Commerce (KvK), search engine results, and third-party data services. This data includes names, professional email addresses, job titles, LinkedIn profile URLs, and company firmographic information.
This data is never sourced from user-entered CRM notes, private communications, or uploaded contact lists. It relates to professional roles in a business context.
Legal basis: Legitimate interest (Art. 6(1)(f)). We have a legitimate interest in maintaining an accurate professional database to deliver prospect intelligence services. This interest is weighed against the limited privacy impact of processing publicly available professional-role data. Individuals may object to this processing at any time — see Section 9.
5. How We Use Your Data
- Provide, maintain, and improve the Minerva Platform and Arena.
- Authenticate users and enforce access controls. Your organisation's data is logically separated from all other organisations at the database level and is never visible to another organisation.
- Process AI requests and route them through our AI model infrastructure.
- Meter credit consumption and process subscription billing.
- Send transactional emails (account activation, password reset, billing notifications, low-credit alerts). We do not send marketing emails without separate consent.
- Maintain a comprehensive audit trail of actions within your organisation for security and operational purposes.
- Detect and prevent abuse, fraud, and security incidents.
- Maintain and improve AI system quality through anonymised quality sampling (a random sample of AI outputs reviewed internally; not shared externally).
- Comply with legal obligations, including Dutch and EU tax law.
6. Sub-processors and Data Sharing
We do not sell your personal data. We do not share personal data with third parties for advertising purposes.
We use the following sub-processors — third-party companies that process personal data on our behalf — to deliver the service. All are engaged under data processing agreements.
Core Infrastructure (always active)
| Sub-processor | Location | Purpose | Transfer basis |
|---|---|---|---|
| Google Cloud Platform (GCP) | Netherlands, EU (europe-west4) | Primary cloud infrastructure: compute, database, object storage, secrets management, logging, monitoring, and AI model serving (Vertex AI / Gemini) | EU — no transfer |
| Vercel Inc. | Frankfurt, EU | Hosting of the Arena and Minerva web frontends | EU — no transfer |
| Upstash | Paris, EU | Managed Redis: background job queues, event bus, session storage, AI response caching | EU — no transfer |
| Stripe | EU platform | Payment processing and subscription management. Stripe holds all payment card data — we do not store card details | EU — no transfer |
| Mailgun (EU region) | EU | Transactional email delivery (account notifications, billing emails, alerts) | EU — no transfer |
AI Model Providers
Your prompts, uploaded documents, and AI interactions are transmitted to one or more of the following providers depending on the task and model tier selected. We do not use your data to train these providers' models under our agreements with them.
EU-based AI models (always available):
| Sub-processor | Location | Purpose | Transfer basis |
|---|---|---|---|
| Google (Vertex AI) | Netherlands, EU (europe-west4) | Gemini language models — served from the same GCP EU infrastructure | EU — no transfer |
| Mistral AI | France, EU | Mistral language models. Mistral is the sole provider used in EU-Only Processing Mode (see below). | EU — no transfer |
US-based AI models (optional — engaged depending on your organisation's plan and feature configuration):
These providers are not engaged unless your organisation's selected model tier or specific features route to them. Organisations that require fully EU-based AI processing can elect EU-Only Processing Mode — see the section below.
| Sub-processor | Location | Purpose | Transfer basis |
|---|---|---|---|
| Anthropic PBC | USA (EU infrastructure available) | Claude AI language models. Anthropic has EU-region infrastructure available since August 2025; data may be processed in EU regions, but US CLOUD Act jurisdiction applies to Anthropic as a US entity. | SCCs |
| OpenAI Inc. | USA | GPT language models and text embedding models | SCCs |
| Cohere Inc. | Canada / USA | Re-ranking of retrieval and search results | SCCs |
EU-Only Processing Mode
Organisations with data sovereignty requirements may elect EU-Only Processing Mode. When this mode is enabled:
- All AI language model requests are routed exclusively to Mistral AI (France, EU) and Google Vertex AI (Netherlands, EU).
- Anthropic, OpenAI, and Cohere are not engaged for any AI inference.
- Web search augmentation (Perplexity, Brave) is disabled.
- Image generation (fal.ai) is disabled, as that service routes to US infrastructure.
- All remaining infrastructure remains EU-based (see Core Infrastructure above).
To enable EU-Only Processing Mode, contact us at privacy@minerva-digital.io or configure this option in your organisation's settings where available.
Note: EU-Only Processing Mode limits access to certain model capabilities and features. We will make the specific feature impact clear in the product interface when this mode is selected.
Feature-specific Sub-processors (active only when relevant features are used)
| Sub-processor | Location | Purpose | When active |
|---|---|---|---|
| Hunter.io | France, EU | Professional email address discovery from public sources for contact enrichment | When contact discovery features are enabled |
| HeyReach | EU | LinkedIn outreach execution — delivers approved outreach sequences via LinkedIn on behalf of your organisation | When LinkedIn outreach (sales plugin) is activated |
| SerpAPI | USA | Search engine results data for AI search visibility analysis | When AI search visibility features are enabled |
| Perplexity AI | USA | AI-powered web search augmentation for research and retrieval queries | When web search augmentation is enabled and EU-Only Processing Mode is not active |
| Brave Search | USA | Parallel web search results for retrieval augmentation | When web search augmentation is enabled and EU-Only Processing Mode is not active |
| fal.ai | USA | Image generation API. Underlying image models are produced by Black Forest Labs (Freiburg, Germany); fal.ai provides the inference infrastructure. | When image generation features are used and EU-Only Processing Mode is not active |
| Deepgram / AssemblyAI / OpenAI Whisper | USA | Speech-to-text transcription of meeting audio uploaded by your organisation | When meeting intelligence feature is enabled and audio is uploaded |
A note on US-based feature sub-processors: SerpAPI, Perplexity AI, Brave Search, fal.ai, Deepgram, and AssemblyAI are only engaged when your organisation actively uses the specific features they power. They are not active for all customers. Organisations in EU-Only Processing Mode do not engage Perplexity, Brave, or fal.ai.
Customer-configured Integrations (not our sub-processors)
When your organisation connects third-party services — such as Apollo, Instantly, Google Drive, Google Search Console, Microsoft Outlook, or GitHub — those services process data under your organisation's own relationship and agreements with them. Your organisation is the data controller for any personal data flowing through those integrations, and those third parties are sub-processors of your organisation, not of us. We facilitate the technical connection only.
Legal and Regulatory Disclosures
We may disclose personal data to law enforcement, courts, or regulatory authorities where required by applicable law, a court order, or legal process, and only to the extent necessary to comply.
7. International Data Transfers
Our primary infrastructure operates entirely within the European Union. Sub-processors located outside the EU/EEA are: Anthropic (USA, optional), OpenAI (USA, optional), Cohere (Canada/USA, optional), SerpAPI (USA, feature-specific), Perplexity AI (USA, feature-specific), Brave Search (USA, feature-specific), fal.ai (USA, feature-specific), and Deepgram/AssemblyAI (USA, feature-specific). For transfers to these processors, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914).
You may request a copy of the applicable SCCs by emailing privacy@minerva-digital.io.
Note on US CLOUD Act: Anthropic, OpenAI, Cohere, SerpAPI, Perplexity AI, Brave Search, fal.ai, Deepgram, and AssemblyAI are US-incorporated entities subject to the US CLOUD Act, which may allow US authorities to compel access to data regardless of where it is physically stored. We mitigate this risk by routing to EU-based infrastructure where available, applying SCCs and appropriate supplementary measures, and offering EU-Only Processing Mode for organisations with strict data sovereignty requirements. If your organisation requires fully EU-based processing, contact us to enable EU-Only Processing Mode (see Section 6).
8. Data Retention
| Data type | Retention period |
|---|---|
| Platform user account data | Retained for the duration of your active account. Upon deletion by you or your organisation administrator, personal data is deleted within 30 days, except where legally required (see below). |
| Arena account data | Retained for the duration of the account. Upon deletion, personal data is removed within 30 days. |
| AI interactions and documents | Deleted with the account. Your organisation can delete specific items at any time within the platform. |
| Billing and transaction records | Retained for 7 years as required by Dutch tax law and EU VAT regulations. Covers credit transaction records, subscription history, and invoice data — not payment card details (held by Stripe). |
| Audit trail entries | Retained for 2 years for security and incident investigation, then deleted. |
| Platform contact database (platform_contacts) | Retained while records are accurate and current. Reviewed periodically; removed when no longer relevant. |
| Prospect tracking events | Retained for 2 years, then deleted. Your organisation can delete tracking data at any time. |
| Quality sampling data | Retained for up to 12 months for AI quality improvement, then deleted. Anonymised at sampling and not linked back to personal accounts. |
When your organisation terminates its subscription or requests deletion, we begin the deletion process immediately. All non-legally-required data is purged within 30 days. Financial records required by law are retained only for the minimum legally mandated period and used for no other purpose.
9. Your Rights Under the GDPR
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data. |
| Erasure (Art. 17) | Ask us to delete your personal data. Fully available except where retention is legally required (Section 8). Platform users can delete their own accounts directly in Settings. |
| Restriction (Art. 18) | Ask us to restrict processing in certain circumstances, e.g. while you contest accuracy. |
| Portability (Art. 20) | Request your data in a structured, machine-readable format. |
| Object (Art. 21) | Object to processing based on legitimate interest, including your professional data in our platform_contacts database. We will stop unless we have compelling legitimate grounds. |
| Withdraw consent | Where processing relies on consent, you may withdraw at any time without affecting prior lawful processing. |
| No automated decisions (Art. 22) | We do not make solely automated decisions producing legal or similarly significant effects about individuals. |
To exercise any right, email privacy@minerva-digital.io. We will respond within one month. You also have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl — or the supervisory authority in your country of residence.
10. Security
- All data in transit is encrypted with TLS 1.2 or higher.
- All data at rest is encrypted with Google Cloud's default AES-256 encryption.
- Authentication secrets, API keys, and database credentials are stored exclusively in Google Cloud Secret Manager — never in application code or environment files.
- Strict multi-tenant isolation: your organisation's data is logically separated from all other organisations at the database level. Attempts to access another organisation's data return a generic not-found response — existence of data in another tenant is never disclosed.
- All data access and mutations are logged to a tamper-evident audit trail.
- Regular security reviews as part of our development process.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR.
11. Data Processing Agreement (Business Customers)
This section constitutes the Data Processing Agreement (DPA) between Penningmeester.ai BV ("Processor") and each subscribing customer organisation ("Controller"). By subscribing to the Minerva Platform and accepting the Terms of Service, the Controller enters into this DPA.
Subject matter and duration
The Processor provides AI-assisted operational platform services for the duration of the subscription. Processing ceases on termination, after which all Controller data is deleted per Section 8.
Nature and purpose
The Processor processes personal data solely to deliver the Minerva Platform services as described in the Terms of Service and this policy. The Processor does not process Controller data for its own purposes.
Categories of data and data subjects
- Identity and contact data of the Controller's employees and contractors (platform users).
- Professional contact data relating to the Controller's prospects, clients, or counterparties, uploaded or generated within the platform.
- Any personal data contained in documents, files, or communications uploaded by the Controller.
- Meeting recordings and transcripts processed through the meeting intelligence feature, where enabled.
Controller's obligations
The Controller warrants that it has a lawful basis for each category of personal data it uploads to the platform, and that it has fulfilled its own transparency obligations to the individuals whose data it processes through the platform.
Processor's obligations
- Process personal data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA).
- Ensure personnel with access to personal data are bound by confidentiality obligations.
- Implement the technical and organisational measures described in Section 10.
- Assist the Controller in fulfilling GDPR obligations (data subject rights, DPIAs, breach notifications) to the extent technically feasible.
- Delete or return all personal data at end of the service relationship per Section 8.
- Provide all information necessary for the Controller to demonstrate compliance with this DPA.
Sub-processors
The Controller grants general authorisation for the sub-processors listed in Section 6. The Processor will notify the Controller of any intended sub-processor changes by updating this policy with reasonable advance notice. If the Controller objects to a new sub-processor, it may terminate in accordance with the Terms of Service.
International transfers
Where the Processor transfers Controller data to sub-processors outside the EU/EEA, it does so under Standard Contractual Clauses as described in Section 7.
Data subject requests
If the Processor receives a data subject request relating to Controller data, it will promptly forward it to the Controller. The Controller is responsible for responding.
Data breach notification
The Processor will notify the Controller without undue delay — and within 72 hours of becoming aware — of any personal data breach affecting Controller data, with sufficient information for the Controller to fulfil its obligations under Art. 33 and 34 GDPR.
12. Cookies and Tracking
We do not currently use cookies or similar tracking technologies on either the Minerva Platform application or the Minerva website. We do not use analytics trackers, advertising pixels, or session recording tools.
If we introduce cookies or similar technologies in the future, we will update this policy and, where required by law, obtain your consent before doing so.
13. Children
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email privacy@minerva-digital.io and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and via an in-platform notice. The effective date at the top of this document indicates when the current version took effect.
15. Contact
| Privacy enquiries | privacy@minerva-digital.io |
| Postal address | Penningmeester.ai BV, Professor van der Waalsstraat 32, 2014 EG Haarlem, the Netherlands |
| Dutch Data Protection Authority | Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl |