Effective date: 28 April 2026
Version: 2.0 (replaces the version dated 16 May 2025)
This is the privacy policy for Automation Boutique B.V., the company behind the cash flow forecasting product NineAnts. It explains what we do with personal data in two settings: when you interact with us directly (visiting our website, sending us a message), and when you use NineAnts because your employer or another organisation signed up. It’s written to comply with the GDPR and Dutch privacy law, but the goal is for it to actually be readable. If anything is unclear, get in touch and we’ll clarify.
Who we are
- Automation Boutique B.V.
- Stadsplateau 27, 3521 AZ Utrecht, The Netherlands
- Privacy contact: [email protected]
Two roles, one policy
GDPR has two main job titles for handling personal data: the “Controller” (the one who decides what to do with the data and why) and the “Processor” (the one who does it on the Controller’s instructions). We wear both hats, depending on the situation:
- We’re the Controller: when you visit our website, contact us, or interact with us directly. We decide what we collect and why.
- We’re the Processor: when you use NineAnts because your employer (or another organisation) has signed up for it. They decide what data goes in and what it’s used for; we process it on their documented instructions.
Both roles are covered in this policy. Where a section only applies to one of them, we say so.
What data we collect
When you interact with us directly (Controller)
- Identity: first name, last name, username or similar identifier.
- Contact: email and phone, if you give them to us.
- Technical: IP address, browser type, operating system, time zone, device info; the usual web stuff.
- Usage: how you move around our website (pages, time spent, links clicked), mostly via cookies.
When you use NineAnts (Processor)
- Account: name, business email.
- Authentication: user ID, hashed credentials, access logs.
- Business contact: company.
- Technical and usage: IP address, timestamps, audit logs.
- Treasury data fed in by the customer organisation: mostly non-personal financial data (balances, transactions, commitments, currency codes), but it can incidentally contain personal data, for example a counterparty name on a payment record.
We don’t process any special categories of personal data (race, ethnicity, religion, sex life, sexual orientation, political opinions, trade union membership, health, genetic or biometric data) in either role. We don’t collect data about criminal convictions either.
Why we use it
Website and direct interactions (Controller)
We only use your data when there’s a lawful reason. The usual ones for us are:
- Our (or someone else’s) legitimate interest, where it doesn’t override your rights.
- A legal obligation we have to comply with.
- Your consent, for example for analytical cookies.
And we use your data to:
- Run our website.
- Respond to you when you reach out.
- Improve our website and services through usage analysis (only if you’ve consented to analytical cookies).
- Comply with legal requests from authorities.
NineAnts (Processor)
When we’re the Processor, we only do what the customer organisation tells us to. The legal basis between us and them is the service contract; the lawful basis for processing the underlying personal data is decided by them, not by us.
AI in NineAnts
NineAnts uses AI to help treasury teams build cash flow forecasts. Three things you should know about it:
- What the AI actually does: we use a pre-trained large language model (LLM), specifically Microsoft’s Azure OpenAI hosted inside our own Azure environment, as an “orchestrator”. It picks the right tool to run for a given user question and writes the explanation in plain language. The actual forecasts come from deterministic and statistical models, not from the language model. The LLM doesn’t do the maths; it just routes and explains.
- We don’t train on customer data: customer data is never used to train, fine-tune or otherwise improve any AI model. Not ours, not any third party’s. Microsoft’s base model is pre-trained by them under their own content policies; we use it as-is.
- No fully automated decisions about people: AI output is decision-support; consequential actions need human approval. We don’t make solely automated decisions that produce legal or similarly significant effects on individuals (the kind GDPR Article 22 is concerned about).
Who else sees your data
Website and direct interactions (Controller)
We may share data we hold as Controller with:
- Service providers that help us run things: IT, hosting, system admin.
- Professional advisers such as lawyers, accountants, auditors, and insurers.
- Authorities, where the law requires it.
- A future buyer or successor, if we ever sell or merge the business.
- Analytics providers like Google (Google Analytics), only with your explicit consent.
NineAnts sub-processors (Processor)
To deliver NineAnts we use the following sub-processor:
- Microsoft Ireland Operations Limited (Microsoft Azure): hosting, data storage, and Azure OpenAI inference.
The full, current sub-processor list is maintained and made available on request: drop us a line at [email protected]. Before we add or replace any sub-processor, we tell the customer organisation in advance and they have a right to object. We require every third party to handle personal data the way the law requires; they can’t use it for their own purposes.
Where your data lives
By default, we host customer environments inside the European Economic Area (EEA), in Microsoft Azure data centres. That covers most customers.
We can also deploy outside the EEA where a customer needs it (for example, to keep data closer to their users in another region, or to meet local requirements). When that happens, we use one of the safeguards GDPR allows for international transfers: an adequacy decision where one applies, or the European Commission’s Standard Contractual Clauses combined with a transfer impact assessment and any supplementary measures needed. Customers know in advance which region their environment runs in, and they can ask us at any time.
How we keep your data safe
We run an ISO/IEC 27001 certified Information Security Management System (ISMS). In practical terms that means: personal data is encrypted in transit (TLS 1.2 or higher) and at rest; access is role-based and least-privilege with multi-factor authentication for anyone with admin access; we log access and security events; we run regular backups and we test that we can actually restore from them.
If a personal data breach happens that affects data we hold as Processor (NineAnts customer data), we notify the affected customer organisation without undue delay. How fast we move depends on severity: more serious incidents get a quicker response and remediation, with the targets set out in our ISMS incident response procedure. For data we hold as Controller, we notify you and any applicable regulator where the law requires it.
How long we keep your data
Website and direct interactions (Controller)
Only as long as we actually need it for the purpose we collected it for, plus anything legal, regulatory, tax or accounting rules require us to keep. As an example, basic information about our customers (Contact, Identity, Financial and Transaction Data, where applicable) is generally kept for seven years after the relationship ends, for tax purposes in the Netherlands. Cookie consent preferences are stored for 6 months (1 day if you decline).
NineAnts (Processor)
Customer data, including AI logs (prompts, outputs and human-modification traceability), is kept for the duration of the customer agreement. On termination or expiry, personal data is, at the customer organisation’s choice, deleted or returned within 30 days.
Your rights
Under GDPR, you have the right to:
- Access your personal data.
- Correct it if it’s wrong.
- Have it erased.
- Object to processing based on legitimate interests.
- Restrict processing.
- Receive your data in a portable format.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with a supervisory authority. In the Netherlands that’s the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
How to actually use these rights
- If we hold the data as Controller (your interactions with our website or with us directly): get in touch with us using the contact details below.
- If we hold the data as Processor (it’s in NineAnts because your employer signed up for it): contact your employer; they’re the Controller and they decide how the request is handled. We’ll help them respond.
We don’t charge a fee. We may ask for information to confirm who you are. We try to respond within a month; if a request is genuinely complex, we might need a bit longer and we’ll keep you posted.
Links to other sites
Our website may link to other sites, plug-ins, or apps. We don’t control them and aren’t responsible for their privacy practices. When you leave our site, give their privacy policy a read.
Changes to this policy
We review this policy regularly. If we change it, we update this page and, for anything significant, let you know directly where appropriate. The effective date and version at the top of the page tell you what you’re looking at.
How to reach us
Questions about this policy or anything privacy-related? Email [email protected] or write to us at the postal address above.