Privacy Policy

Who we are

Venation B.V. ("Venation", "we", "us") is the data controller responsible for your personal data.

A note on what we collect

You can browse venation.digital without giving us any personal details. We only receive personal data when you choose to give it to us — for example by sending us a message, signing up for our weekly email, or asking us to email or review your assessment results.

Below we explain each case: what we collect, why, our legal basis, and how long we keep it.

Contact form and email enquiries

When you use our contact form or email us, we collect your name, work email address, organisation (optional), and the content of your message.

Risk Tolerance Snapshot and Cyber Readiness Check

You can complete the Risk Tolerance Snapshot and the Cyber Readiness Check without giving us your name or contact details. By default we receive only:

• the answers you select; and
• limited technical and usage information (such as approximate location, browser type, and device information) collected through our website analytics.

Your results are generated and stored privately. We do not ask you to enter, and you should not enter, confidential, incident-specific, or sensitive security information into these tools.

At the end of an assessment we offer two optional choices:

• Email me a copy. If you enter your email address so we can send you your results, we use that address only to deliver your copy.
• Ask Venation to review. If you tick the box asking us to review your results, we look at your answers and reply once with a suggested next step.

Weekly email — "Decoding Risk"

If you sign up for our weekly Decoding Risk email, we collect your email address. The signup and the sending of these emails are handled by our email marketing provider, Kit (formerly ConvertKit).

Chatbot

Our website includes a chatbot ("Get Started" assistant). If you use it, we collect the messages you type, along with a randomly generated conversation ID, your browser/device information (user agent), and a one-way hashed version of your IP address used only to prevent abuse. We use this to answer your questions, help you find information, and, where relevant, suggest a next step or route your enquiry to the right person. Please do not enter confidential, incident-specific, or sensitive personal information into the chatbot.

To generate replies, your messages are sent securely to an AI service (Google's Gemini model, accessed through the Lovable AI Gateway). Your browser does not communicate with Google directly. Conversations are stored in our database within the European Economic Area (see "Where your data is stored" below).

Booking a call

If you book a call with us, your booking is handled through Google Calendar appointment scheduling, and the details you enter (such as name and email) are used to arrange and hold that meeting.

Legal basis: pre-contractual steps at your request and our legitimate interest in arranging meetings (GDPR Art. 6(1)(b) and 6(1)(f)).

Cookies and similar technologies

We do not use advertising trackers, and we do not use third-party analytics services such as Google Analytics, Hotjar, Plausible, or PostHog.

The only information stored in your browser is strictly necessary or functional — it makes the site work and is not used to track you:

• venation-cookie-consent (local storage) — remembers your choice on our cookie notice. Stays until you clear your site data.
• venation_assistant_cid (session storage) — a random ID for your chatbot conversation. Cleared when you close the tab.
• venation_assistant_nudged (session storage) — remembers that the chat prompt has already been shown, so it is not repeated. Cleared when you close the tab.
• Cloudflare Turnstile — a privacy-friendly bot check that protects our forms and chatbot from abuse. Any related storage is set by Cloudflare on its own challenge domain, not on venation.digital.

Because these are necessary or functional only, we do not require your consent to use them.

Our website platform's built-in analytics (Lovable Project Analytics) is cookieless: it measures aggregate usage without setting cookies or storing identifiers in your browser, and it does not store your IP address in raw form. We use it only to understand, in aggregate, how our website is used so we can improve it — never to identify individual visitors. Because we set no non-essential cookies or trackers, we provide this information for transparency rather than asking you for cookie consent.

Who we share data with

We do not sell your personal data. We share it only with service providers (processors) who help us run our website and services, and only as needed:

Lovable publishes its Data Processing Agreement and full subprocessor list at trust.lovable.dev. We may also disclose data where required by law.

Where your data is stored

The personal data you submit through our website — contact messages, assessment results, chatbot conversations, and leads — is stored in our database hosted in the European Economic Area (Frankfurt, Germany). Some of the providers above process data outside the EEA, as described in the next section.

International transfers

Some of our providers process personal data outside the European Economic Area, mainly in the United States — specifically Kit (newsletter), Google (chatbot replies via Gemini, and Calendar booking), and Notion (leads). Where data is transferred outside the EEA, we rely on an appropriate safeguard — such as a European Commission adequacy decision or the Standard Contractual Clauses — to protect it. You can ask us for details using the contact details below.

How we keep your data secure

We have put in place appropriate technical and organisational measures to protect your personal data against loss, misuse, and unauthorised access. The website is served over an encrypted (HTTPS) connection, and data you submit is stored in an access-controlled database within the EEA. We practise data minimisation — for example, where we need your IP address to prevent abuse of our forms and chatbot, we use it only temporarily or store it in a one-way hashed form rather than keeping your raw IP address. For more detail, contact security@venation.digital.

Automated processing

The Risk Tolerance Snapshot and Cyber Readiness Check generate indicative, decision-support outputs based on the answers you provide. These are not decisions that produce legal or similarly significant effects about you, and a person at Venation reviews your results before any follow-up.

Your rights

Under the General Data Protection Regulation (GDPR / AVG) you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected (rectification);
• have your data deleted (erasure);
• restrict or object to our processing;
• data portability; and
• withdraw consent at any time, where our processing is based on consent.

To exercise any of these rights, email info@venation.digital. We may ask you to verify your identity first. We do not charge for handling your request. We may charge a reasonable fee or decline to act only where a request is manifestly unfounded or excessive, and we will tell you before doing so.

You also have the right to lodge a complaint with a data protection authority. In the Netherlands this is the Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us

Links to other websites

Our website may contain links to other sites. Once you leave venation.digital we have no control over those sites and are not responsible for how they handle your information. We encourage you to read their privacy policies.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page.

Contact

For any questions about this Privacy Policy or your personal data, contact us at info@venation.digital, or write to Venation B.V., Roosenburgstraat 5, 5624 JS Eindhoven, The Netherlands.