Legal documents
Data Policy for Participants
Data Processing Agreement (DPA)
General Terms & Conditions
Privacy Statement
Release notes June 21 2026
Service Level Agreement (SLA)
Privacy Statement
2.0
⛔ Superseded. This version (v2.0, 18 June 2026) has been superseded by version 3.0 and remains available for reference only.
This is the Privacy Statement (the "Statement") of dembrane. It explains who we are, which personal data we process about you, why, and what we do with it. Personal data is any information that can directly or indirectly identify you. We may amend this Statement from time to time; the current version is always available on the bottom banner of our website. Last updated: 18 June 2026 (v2.0).
When does this Statement apply?
This Statement explains how we collect and use your personal data when you, for example: visit or use our website or social channels; subscribe to our newsletter; take part in a session offered directly by dembrane; use one of our products (such as dembrane Echo) as a member of an organisation or workspace, or as an invited external collaborator; purchase or take our services; supply goods or services to us; apply for a job; or contact us.
Important note for participants. This Statement applies only where dembrane is the controller of your data. When we process personal data on behalf of another controller (for example, a client who runs a session through our platform), we act as a processor and that client's privacy notice applies. If you took part in a session run by a client, please see our Data Policy for Participants.
Who is dembrane?
dembrane facilitates and enhances participation activities (events, stakeholder engagement, consultations) and develops software and methods to support them. "we", "us" or "dembrane" means dembrane B.V. (Dutch Chamber of Commerce no. 89391438), based in 's-Hertogenbosch.
What personal data do we process, and why?
1. Website visitors. Device information (IP address, device and operating system), log data (pages, time, referrer) and approximate location (from your IP).
Operating and securing the website: legitimate interest (Art. 6(1)(f)).
Analytics to understand and improve usage: consent for non-essential cookies (Art. 6(1)(a)). By default our website runs cookie-free; analytics cookies and session replay are enabled only if you accept. See our cookie policy and the banner on our website.
2. Newsletter subscribers. Name, organisation and email.
Sending news about our services, events and developments: consent (Art. 6(1)(a)). You can unsubscribe at any time.
3. Participants in sessions run directly by dembrane. Contact details; audio recording (subsequently anonymised); information shared during the session.
Communicating with participants and gathering insights: consent (Art. 6(1)(a)). See the Data Policy for Participants.
4. Users of our products. Account contact details (name, email, phone); organisation, workspace and collaboration data (memberships, roles including the external-collaborator role, invitations); product-usage and diagnostic data.
Creating accounts and providing the platform and support: performance of a contract (Art. 6(1)(b)).
Product analytics and error tracking to improve and secure the product (pseudonymous usage and diagnostic data, hosted on PostHog EU Cloud): legitimate interest (Art. 6(1)(f)).
Sending transactional and account email: performance of a contract.
5. (Employees of) (potential) clients. Contact details; financial information (bank or payment details).
Identifying and communicating for the collaboration: performance of a contract (Art. 6(1)(b)).
Reaching out to prospects and managing our wait list: legitimate interest (Art. 6(1)(f)). Marketing emails are sent only with your consent and you can unsubscribe at any time.
Taking payments and collecting receivables (through our payment provider, Mollie): performance of a contract (Art. 6(1)(b)).
Maintaining financial records: legal obligation (Art. 6(1)(c); Art. 52(4) AWR).
6. (Employees of) suppliers. Contact and financial details: performance of a contract and legal obligation, as above.
7. Job applicants. Contact details and application information: performance of a contract (Art. 6(1)(b)) and our legitimate interest in assessing suitability (Art. 6(1)(f)).
8. People who contact us. Identification, contact details and message content: our legitimate interest in responding (Art. 6(1)(f)).
Do we use automated decision-making?
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. Where our products use AI (transcription, summarisation, analysis) on behalf of a client, that processing is governed by our Data Processing Agreement and our AI Act disclosures, and the client remains responsible for any decisions it takes.
Who do we share personal data with?
We do not sell your personal data. We share it only as needed to provide our services, with the categories of recipients below. We enter into a data processing agreement with each processor, require EU data residency wherever possible, and apply appropriate safeguards for any transfer outside the EEA.
Purpose | Recipient(s) |
|---|---|
Hosting, storage and compute | DigitalOcean (EU) |
AI analysis and speech-to-text | Google Cloud Vertex AI (EU), AssemblyAI (EU) |
Transactional email | Twilio SendGrid (EU data residency) |
Marketing email (newsletters, event invitations, product and article updates) | MailerLite (EU) |
Product and website analytics | PostHog (EU Cloud) |
Payments | Mollie (EU) |
Productivity, mail and storage | Google Workspace |
Forms | Tally (EU) |
E-signing | BoldSign |
CRM | Attio |
DNS | Cloudflare |
We may also share data with professional advisors (such as banks, auditors, lawyers and accountants) and, in the context of a business transaction (such as a merger, acquisition or reorganisation). Our current sub-processor list is maintained in our compliance documentation.
Transfers outside the EEA
In principle we process your personal data within the EU and EEA and require our processors to do the same. Where a processor's parent company is established outside the EEA, we keep processing within EU infrastructure and rely on appropriate safeguards (the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework) for any transfer.
Security
We maintain an ISO 27001:2022-certified information security management system and apply appropriate technical and organisational measures, including encryption in transit and at rest, role-based access control with multi-factor authentication, and logging and monitoring. We require our processors to do the same. No system can be guaranteed fully secure; please contact us if you believe your data is at risk.
Retention
We keep personal data no longer than necessary for the purposes above, unless a longer period is legally required. For product accounts we generally retain user data for one month after account deletion. For job applicants we retain data for up to four weeks after the process ends, unless you are hired or consent to a longer period. Financial records are kept for the statutory period of seven years.
Your responsibilities
Please make sure the data you give us is accurate and up to date. If you share other people's data with us, make sure you are allowed to and have informed them of this Statement.
Your rights
You have the right to access, rectify, erase, restrict or object to processing, and the right to data portability. Contact us using the details below. We respond within one month and may ask you to identify yourself first. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local regulator.
Contact
Data Protection Officer and privacy matters: privacy@dembrane.com
General enquiries: info@dembrane.com
