Legal

Privacy Policy

Refinery collects and processes personal data only as needed to operate the product, respond to baseline and pilot requests, and maintain governed data-quality workflows. This policy describes what we collect, why, and your rights.

Who we are

Refinery operates the getrefinery.nl website and the Refinery operational data trust platform. For privacy inquiries contact privacy@getrefinery.nl.

Website and lead forms

When you submit a Readiness Scan, Shadow Baseline request, or contact form, we may collect: work email, company name, role, use case, systems involved, estimated record volume, marketing consent, UTM parameters, and page URL.

Do not submit secrets, API keys, credentials, or sensitive production data through public website forms.

Product operation

When you use Refinery as a customer, we process operational metadata required to govern paths: connector configuration, policy versions, decision records, verification results, and audit receipts. Payload retention is minimized according to engagement scope and enterprise agreement.

Legal bases (GDPR)

• Contract — to deliver baseline, pilot, or production services you request
• Legitimate interest — to respond to inquiries and improve product security
• Consent — where required for marketing communications

Retention

Lead data is retained as long as needed to respond to your request and maintain a commercial relationship, unless you request deletion sooner. Product and receipt data retention depends on your agreement tier.

Subprocessors

Refinery may use infrastructure and service providers (hosting, email, authentication, database) under appropriate data processing terms. An enterprise subprocessor list is available on request and will be published in the Trust Center.

Your rights

• Access, rectification, erasure, restriction, and portability where applicable under GDPR
• Object to processing based on legitimate interest
• Withdraw marketing consent at any time
• Lodge a complaint with your supervisory authority

International transfers

Where data is processed outside the EEA, appropriate safeguards such as Standard Contractual Clauses apply under enterprise agreements.

Changes

We may update this policy. Material changes will be reflected on this page with an updated effective date.

Related pages

• Terms of Service
• Trust center

Start read-only. No production writeback required. Do not submit secrets through public website forms. Privacy