This Privacy Policy ("Policy") describes how Subduxion B.V. ("Subduxion", "we", "us", or "our"), a company incorporated under the laws of the Netherlands (KVK 94892083), with its registered office at High Tech Campus 5, Eindhoven, The Netherlands, collects, uses, discloses, and otherwise processes Personal Data in connection with the Blake platform and related services (collectively, the "Services").
Blake is an AI-powered sales development platform operated by Subduxion B.V. References to "Blake" in this Policy refer to the Services provided by Subduxion B.V.
This Policy is issued in compliance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming ("UAVG"), Directive 2002/58/EC (the "ePrivacy Directive"), and any other applicable data protection legislation.
1. Definitions
In this Policy, unless the context requires otherwise:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data. Subduxion B.V. is the Controller for the Processing described in this Policy.
- "Processor" means a natural or legal person which Processes Personal Data on behalf of the Controller.
- "User" means any natural person who accesses or uses the Services, including representatives of organisations that have entered into a service agreement with Subduxion.
- "Visitor" means any natural person who visits our website(s) without necessarily using the Services.
- "Customer Data" means Personal Data that Users upload, submit, or otherwise make available through the Services, including prospect data, lead information, CRM records, and communication content.
2. Data Controller
The Controller responsible for the Processing of your Personal Data is:
Subduxion B.V.
High Tech Campus 5
5656 AE Eindhoven
The Netherlands
KVK: 94892083
Email: privacy@subduxion.com
3. Categories of Personal Data We Collect
We collect and process the following categories of Personal Data, depending on your relationship with us:
3.1 Users (Platform Customers and their Representatives)
- Identity Data: first name, last name, job title, company name, professional role.
- Contact Data: email address, telephone number, business address.
- Account Data: login credentials (hashed), account preferences, workspace settings, role assignments.
- Usage Data: feature interaction logs, session duration, pages visited, actions taken within the platform, search queries, AI interaction logs.
- Technical Data: IP address, browser type and version, operating system, device identifiers, time zone setting, referral source.
- Transaction Data: billing information, payment history, subscription tier, invoices.
- Communication Data: support requests, feedback submissions, email correspondence with our team.
3.2 Visitors
- Technical Data: IP address (anonymised where possible), browser type, operating system, referral URL.
- Usage Data: pages visited, time on page, scroll depth, click interactions.
- Form Data: information voluntarily submitted through contact forms, waitlist registrations, or demo requests (name, email, company, role).
- Cookie Data: as described in Section 10 of this Policy.
3.3 Customer Data (Processed on Behalf of Users)
When Users use the Services, they may upload or generate Customer Data including prospect names, email addresses, company information, interaction histories, AI-generated outreach content, lead scores, and pipeline data. Subduxion processes this Customer Data as a Processor on behalf of the User (who acts as Controller), subject to our Data Processing Agreement.
4. Purposes and Legal Bases for Processing
We process Personal Data for the following purposes and on the following legal bases under Article 6(1) GDPR:
| Purpose | Legal Basis |
|---|---|
| Providing, maintaining, and improving the Services | Performance of contract (Art. 6(1)(b)) |
| Account creation, authentication, and access management | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests and communications | Performance of contract (Art. 6(1)(b)) |
| Sending transactional communications (account alerts, service updates) | Performance of contract (Art. 6(1)(b)) |
| Fraud detection, security monitoring, and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics, usage patterns, and product improvement | Legitimate interest (Art. 6(1)(f)) |
| Training and improving AI models using aggregated, anonymised data | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations (tax, accounting, regulatory) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications and product announcements | Consent (Art. 6(1)(a)) |
| Waitlist and demo request processing | Pre-contractual measures (Art. 6(1)(b)) |
| Website analytics and performance optimisation | Consent (Art. 6(1)(a)) for non-essential cookies; Legitimate interest (Art. 6(1)(f)) for essential cookies |
Where we rely on legitimate interest as the legal basis, we have conducted a balancing test and determined that our interests do not override the fundamental rights and freedoms of Data Subjects. You may request a copy of our legitimate interest assessments by contacting us at privacy@subduxion.com.
5. AI-Specific Processing
Blake employs artificial intelligence and machine learning technologies to deliver its core functionality, including lead scoring, prospect matching, outreach generation, and pipeline forecasting. In this context:
- AI models are trained on aggregated and anonymised datasets. Individual Customer Data is not used to train models shared across customers unless the User has provided explicit, informed consent.
- AI-generated outputs (e.g., email drafts, call scripts, lead scores) are generated based on Customer Data provided by the User and are subject to the User's review before any external communication.
- No automated decision-making with legal or similarly significant effects (within the meaning of Article 22 GDPR) is carried out without human intervention. Users retain full control over all actions taken based on AI recommendations.
- Users may request information about the logic involved in AI-driven features by contacting privacy@subduxion.com.
6. Data Sharing and Recipients
We may share Personal Data with the following categories of recipients:
- Service Providers (Processors): cloud hosting providers (Vercel, Neon), payment processors, analytics services, email delivery services, and customer support tools. All Processors are bound by Data Processing Agreements in accordance with Article 28 GDPR.
- Affiliates: entities within the Subduxion corporate group, subject to equivalent data protection safeguards.
- Professional Advisors: legal counsel, accountants, and auditors where necessary for the management of our business.
- Law Enforcement and Regulatory Authorities: where required by applicable law, regulation, legal process, or enforceable governmental request.
- Business Transfers: in connection with any merger, acquisition, reorganisation, sale of assets, or bankruptcy, subject to the acquiring entity assuming our obligations under this Policy.
We do not sell Personal Data. We do not share Personal Data with third parties for their own direct marketing purposes.
7. Data Storage and Transfers
Customer Content (including CRM data, attachments, and AI-generated insights) is stored and processed within the European Economic Area ("EEA"). We do not transfer Customer Content in bulk to countries outside the EEA.
Limited infrastructure processing, including edge routing and error monitoring, is performed by sub-processors certified under the EU-US Data Privacy Framework, as approved by Commission Implementing Decision (EU) 2023/1795. This processing is restricted to technical metadata (such as IP addresses, request timestamps, and error codes) and does not involve access to Customer Content.
Supplementary measures, including encryption in transit (TLS 1.2 or higher) and at rest (AES-256), pseudonymisation, and access controls, are applied in accordance with EDPB Recommendations 01/2020.
You may obtain a copy of the relevant transfer safeguards by contacting privacy@subduxion.com.
8. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:
- Account Data: retained for the duration of the contractual relationship, plus 12 months following account closure to allow for reactivation and dispute resolution.
- Transaction and Billing Data: retained for 7 years following the transaction date, in accordance with Dutch fiscal retention obligations (Article 52 Algemene wet inzake rijksbelastingen).
- Customer Data: deleted or returned within 90 days following termination of the service agreement, unless retention is required by law.
- Usage and Technical Data: retained for a maximum of 26 months, after which it is anonymised or deleted.
- Marketing Consent Records: retained for the duration of the consent, plus 3 years following withdrawal for evidentiary purposes.
- Waitlist and Demo Request Data: retained for 12 months following submission, unless the individual enters into a service agreement.
- Cookie Data: as specified in the cookie descriptions in Section 10.
Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised.
9. Your Rights
Under the GDPR, you have the following rights in relation to your Personal Data. To exercise any of these rights, please contact us at privacy@subduxion.com. We will respond within one month of receipt, extendable by two further months where necessary given the complexity or number of requests (Article 12(3) GDPR).
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether Personal Data concerning you is being processed and, where that is the case, access to the Personal Data together with certain prescribed information.
- Right to Rectification (Art. 16): You have the right to obtain the rectification of inaccurate Personal Data and to have incomplete Personal Data completed.
- Right to Erasure (Art. 17): You have the right to obtain the erasure of your Personal Data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction (Art. 18): You have the right to restrict the Processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data.
- Right to Data Portability (Art. 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to Object (Art. 21): You have the right to object to Processing based on legitimate interest or direct marketing at any time. Where you object to Processing for direct marketing, the Personal Data shall no longer be processed for such purposes.
- Right to Withdraw Consent (Art. 7(3)): Where Processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of Processing carried out prior to withdrawal.
- Right Not to be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands (www.autoriteitpersoonsgegevens.nl), or with the supervisory authority in your country of habitual residence.
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies in accordance with the ePrivacy Directive (2002/58/EC) as implemented in Dutch law (Telecommunicatiewet, Article 11.7a). We distinguish between:
- Strictly Necessary Cookies: required for the operation of the website (e.g., session management, security tokens, locale preferences). These do not require consent.
- Analytics Cookies: used to collect anonymised usage statistics to improve our website. Placed only with your prior consent.
- Marketing Cookies: used to deliver relevant advertising and measure campaign effectiveness. Placed only with your prior consent.
You may manage your cookie preferences at any time through your browser settings or our cookie consent mechanism. Withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal.
11. Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Multi-factor authentication for platform access.
- Role-based access controls with principle of least privilege.
- Regular vulnerability assessments and penetration testing.
- Incident response procedures with defined escalation paths.
- Employee training on data protection and information security.
- Business continuity and disaster recovery provisions.
12. Children's Privacy
The Services are not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without verification of parental consent, we will take steps to delete that information.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated through the Services or by email at least 30 days before they take effect. The "Last Updated" date at the top of this Policy indicates when it was last revised. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
14. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact:
Subduxion B.V.
Attn: Data Protection
High Tech Campus 5
5656 AE Eindhoven
The Netherlands
Email: privacy@subduxion.com
For complaints that remain unresolved, you may contact the Autoriteit Persoonsgegevens at www.autoriteitpersoonsgegevens.nl.