Last updated: 12-11-2025

Privacy Statement (EN)

This statement explains how Cross Sector AI processes personal data within its own operations and how you can exercise your GDPR rights.

1. Who we are

Controller: Cross Sector AI (Chamber of Commerce: 98808354 · VAT: NL005355972B87 · City of seat: Maassluis) · Website: https://crosssector.ai · E-mail: info@crosssector.ai · Work model: Remote First.

We provide B2B AI consulting and implementation. For our own operations we act as controller; for customer-provided personal data in projects we act as processor under a DPA with project-specific annexes that list subprocessors per customer/project.

No e-commerce: this website does not offer online purchases or contract formation.

2. Personal data and purposes

We process business contact and usage data strictly for:

  • Pre-sales and contracting
  • Project delivery and support
  • Invoicing and administration
  • Security and logging
  • Website visits (essential + privacy-friendly analytics)

2.1 Overview (legal bases & retention)

  • Offers & Contracts: Art. 6(1)(b) GDPR · Retention up to 24 months after last contact
  • Project Support/Logs: Arts. 6(1)(b) and 6(1)(f) GDPR · Retention up to 24 months post-completion
  • Invoicing/Accounting: Art. 6(1)(c) GDPR · 7 years (Dutch tax law)
  • Website Analytics (limited, privacy-friendly): Art. 6(1)(f) GDPR · up to 26 months or shorter
  • Newsletter (if you subscribe): Art. 6(1)(a) GDPR · until withdrawal

2.2 AI processing (framework)

We may use AI APIs as (sub-)processors for agreed purposes under the DPA. The EU AI Act is phased (prohibitions since 02-02-2025; GPAI/governance from 02-08-2025; high-risk obligations from 02-08-2026). Project-specific roles (controller/processor/deployer) are defined in the DPA annexes.

3. Recipients and (sub)processors

For our own operations we rely on:

  • Hosting: Vercel (EU region)
  • Email/Productivity: Microsoft 365 Business Basic (EU Data Boundary)
  • AI APIs: OpenAI API (SCCs/TIA; EU data controls)
  • Analytics: PostHog EU Cloud

Project-specific subprocessors are listed per customer/project in the DPA annexes (country/EEA, safeguards and TIA status).

4. International transfers

Transfers outside the EEA may occur. Where applicable we rely on SCCs 2021/914, conduct TIAs and implement supplementary measures when required.

5. Security

We apply appropriate technical and organizational measures (encryption in transit/at rest, need-to-know access, MFA, logging, backups). Personal data breaches are notified under Arts. 33/34 GDPR.

6. Your rights

You may exercise your rights of access, rectification, erasure, restriction, portability and objection (Arts. 15–21 GDPR). For direct marketing you may object at any time. Contact: info@crosssector.ai.

7. Cookies

We only use essential cookies and, where applicable, privacy-friendly analytics cookies. See our Cookie Policy. No marketing cookies are used.

8. Complaints

You may contact us via info@crosssector.ai or lodge a complaint with your supervisory authority (NL: Autoriteit Persoonsgegevens).

9. Changes

We will publish material changes on our website together with an updated “Last updated” date.