Privacy at Key Arg

What we collect, and why

From visitors to keyarg.com: aggregated, cookieless analytics via our own Statable product. No personal identifiers, no fingerprinting, no consent banner needed. Daily-rotated anonymous IDs derived from your IP and User-Agent only, reset every midnight UTC.

From people who fill the contact form: name, email address, the URL you mentioned, and the message body. Legal basis: legitimate interest in responding to your enquiry (GDPR Article 6(1)(f)). We hold this for 24 months unless an engagement starts, in which case it becomes part of the contract record.

From people who subscribe to The Key Argument Weekly: email address only. Legal basis: consent (GDPR Article 6(1)(a)). One-click unsubscribe is in every issue.

From clients during a paid engagement: business contact details, billing information, and any work materials you share with us. Legal basis: performance of a contract (GDPR Article 6(1)(b)). Retention: contract duration plus 24 months for documentation, then deleted unless a longer retention is mandated by Dutch tax law.

What we never collect

Special category data under GDPR Article 9 (health, biometric, political, religious, etc.) is out of scope for our services. Children's data is out of scope. Authentication tokens or API keys for client systems are exchanged through a password manager you nominate, not through our intake forms.

Where data is stored

Website infrastructure: EU-hosted. Statable analytics: EU residency by default. Our internal systems: EU-hosted email, EU-hosted password manager, EU-hosted file storage. For AI tools (see below), we use enterprise plans with no-training-on-our-data clauses.

Sub-processors

We use a small set of trusted sub-processors. Each has signed a Data Processing Agreement or equivalent. Current list:

• Statable (our own product): analytics, EU residency.
• Cloudflare: CDN and DDoS protection, configured with EU-only data processing where supported.
• Anthropic (Claude Team): AI assistance under no-training-on-our-data terms.
• OpenAI (ChatGPT Team / Enterprise): AI assistance under no-training-on-our-data terms.
• Our email provider: EU-hosted business email.

If we add or change a sub-processor that materially affects how client data is handled, we tell affected clients in writing within 30 days.

AI usage and the EU AI Act

We use AI tools (Anthropic Claude, OpenAI ChatGPT) in drafting and research. Every deliverable goes through a named human editor before it leaves us. See our AI policy for the full breakdown of how this works under EU AI Act Article 50, which becomes enforceable on 2 August 2026.

If you are a client and your engagement involves processing data through these tools, this is documented in your engagement contract and the per-engagement AI usage log. Available on five working days notice.

Your rights under GDPR

You have the right to access the personal data we hold about you (Article 15), to rectify it if it is wrong (Article 16), to ask us to delete it where applicable (Article 17), to restrict our processing (Article 18), to data portability (Article 20), and to object to processing based on legitimate interest (Article 21). Where processing is based on consent (Article 7), you can withdraw consent at any time, which does not affect the lawfulness of prior processing.

To exercise any of these rights, email us using the contact details below. We respond within 30 days, often the same week.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or with the supervisory authority in your member state of residence.

International transfers

For some of our sub-processors (notably OpenAI and Anthropic), data may be processed in the United States under their standard contractual clauses and the EU-US Data Privacy Framework. Where the framework is challenged or invalidated, we switch to alternative arrangements that maintain GDPR-equivalent protection.

Changes to this policy

We update this page when our practices change or when supervisory guidance changes. The "Last updated" date at the top is authoritative. Material changes are sent to active clients by email at least 30 days before they take effect.

Contact us about privacy

For any privacy-related request: privacy at keyarg.com. Postal address: Key Arg B.V., Hoge Bothofstraat 49, 7511 ZA Enschede, Netherlands.