Privacy statement

v 1.0 — June 13, 2025

1. Quick summary

Debat.EU B.V. (“DebatEU”, “we”) offers an AI-driven, B2B debate-coaching app. We collect only the data we need to verify your identity, provide coaching and safeguard the platform. Customer conversation content is processed and stored exclusively in European Economic Area (EEA) data centres; we never use it to train language models. When data are no longer required, we erase them promptly in line with the retention periods set out below.

2. Who we are

Debat.NL B.V. – Rijnsburgerweg 56, 2333 AC Leiden, Netherlands

Chamber of commerce 52870251 · VAT NL850639542B01

Data protection officer (DPO) – Sharon Kroes

kroes@debat.eu | +31 23 562 99 72

We maintain a GDPR Article 30 record of processing activities. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) may inspect this record on request.

3. What data we collect, why we collect it and on what legal basis

Identification data (name and business email address)

Why: To create and secure your account.

Legal basis: Performance of the contract (GDPR Art. 6(1)(b)).

Required? Yes, without it we cannot open an account and the service cannot be used.

Justification: your e-mail address is required to authenticate your login, deliver system access, and support contract-based services.

Conversation content (voice recordings, transcripts and AI replies)

Why: to provide personalized debate coaching.

Legal basis: performance of the contract.

Required? Yes, without it coaching is impossible.

User reports (optional issue descriptions or excerpts you send us)

Why: to investigate and solve problems you report.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)).

Required? No, support simply becomes less effective.

Platform telemetry (IP address, device information, AWS control-plane metadata)

Why: to protect the service against fraud, abuse and intrusion and meet compliance obligations.

Legal basis: legitimate interest.

Required? Collected automatically; without it we cannot guarantee a secure or reliable service.

Transactional e-mail logs (sign-in links)

Why: to let you sign in to your account.

Legal basis: performance of contract.

Required? Yes, if suppressed you will not receive login messages.

Audit and compliance logs (access events, incident traces)

Why: to meet statutory security obligations and detect security incidents.

Legal basis: legal obligation (GDPR Art. 6(1)(c)).

Required? Collected automatically.

Balancing test – legitimate interest assessment (summary)

For IP and telemetry logs we carried out a legitimate interest assessment (LIA). Safeguarding the platform outweighs the limited privacy impact because logs are minimised, accessible only to authorised staff, never used for marketing and deleted automatically after 30 days. A full LIA summary is available on request via kroes@debat.eu.

Apple app privacy nutrition label

For App Store Connect we disclose exactly the following categories, none of which are used for tracking:

Name – collected and linked solely for account creation.

Email address – collected and linked for secure sign-in and support.

Audio – voice recordings are collected, transcribed and deleted immediately.

User content – transcripts and AI replies are stored for 30 days to power coaching.

Diagnostics – crash and performance logs are collected (not linked to you) to protect and improve the service.

All of these data are encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). The in-app settings → delete account function removes or anonymises the same data on our servers within 30 days. App Tracking Transparency (ATT) is not triggered by this app.

Google Play data safety disclosure

We have completed the data safety form in Google Play Console. The form mirrors the five categories listed above and confirms that:

  • Data are encrypted in transit;
  • No data are sold or used for advertising tracking;
  • The delete account flow permanently erases the same data from our backend within 30 days;
  • Any SDK-level telemetry (Azure and Mandrill) is diagnostic only, not linked to identity, and disclosed in the “Device or Other IDs” and “Diagnostics” sections;
  • No user data are “shared” outside the processors listed.

4. Legal basis

We rely on the GDPR legal grounds listed in Section 3 for each data category. If we ever need to process your data for a new purpose we will inform you and, where required, seek your consent beforehand.

5. Children’s data

The app is licensed exclusively to corporate customers. We do not knowingly permit anyone under 16 to use the service. If you believe a minor’s data have been processed, please contact kroes@debat.eu so that we may delete them immediately.

6. AI transparency and compliance

We use Microsoft Azure AI services (West Europe) to perform speech-to-text transcription, content moderation and language-model replies. Every screen that contains generated text is clearly labelled “Content generated by Ethical AI.” Users can flag issues at any time; human moderators review all reports within 48 hours. No fully automated decisions with significant legal effect are made.

7. International transfers and sub-contractors

All customer conversation content stays in EEA data centres.

  • Microsoft Azure AI (West Europe): Used for transcription, moderation, and inference. Data stays in the EEA and is never used to train models.
  • Amazon Web Services (EU regions): Used for hosting, encrypted backups, and compliance logging. Primary and backup data remain in the EEA.
  • Mandrill / Mailchimp (United States): Used to deliver transactional emails. Protected under the EU–US Data Privacy Framework and the 2021 Standard Contractual Clauses. Only hashed email addresses and message IDs leave the EEA; no conversation content is transferred.

All sub-processors are contractually obliged to provide protection that is at least equivalent to GDPR and to Apple App Store Review Guidelines § 5.1.1.

8. Privacy and security by design

We encrypt every connection with TLS 1.2 or higher and all stored data with AES-256. Conversation IDs are kept separate from account data. We enforce multi-factor authentication and least-privilege access; no standing admin credentials exist. Deployments occur only after a combined privacy, security and quality review.

9. How long we keep your data

Prompts and AI replies are deleted after 30 days.

Voice recordings are deleted immediately after transcription.

User support reports are retained for 365 days.

Transactional emails are deleted when the sign-in link expires (45 days).

Account data are retained for the duration of the customer contract and erased or anonymised 90 days after termination or after 1 year of inactivity, whichever comes first.

10. Your GDPR rights

Under the General Data Protection Regulation you have the following rights with respect to your personal data:

  • Right of access (Art. 15) – to obtain confirmation of whether we process your data and, if so, receive a copy together with key information about the processing.
  • Right to rectification (Art. 16) – to have inaccurate or incomplete personal data corrected without undue delay.
  • Right to erasure (“right to be forgotten”, Art. 17) – to have your personal data deleted where no lawful reason remains for us to continue processing it.
  • Right to restriction of processing (Art. 18) – to have us suspend processing, for example while we verify accuracy or our legitimate grounds.
  • Right to data portability (Art. 20) – to receive the personal data you provided in a structured, commonly used, machine-readable format and have us transmit it to another controller where technically feasible.
  • Right to object (Art. 21) – to object, on grounds relating to your particular situation, to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms or we need the data to establish, exercise or defend legal claims.
  • Right to withdraw consent (Art. 7(3)) – if we rely on your consent for any future processing, you may withdraw it at any time without affecting the lawfulness of prior use.
  • Right to lodge a complaint (Art. 77) – to complain to a supervisory authority if you believe we process your data unlawfully.

To exercise any of these rights, please contact kroes@debat.eu. We will respond within one month.

If you believe your data are being processed unlawfully you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, Bezuidenhoutseweg 30, 2594 AV The Hague) or with your local EU supervisory authority:

https://autoriteitpersoonsgegevens.nl

11. Deleting your account

You can delete your account at any time via settings → delete account in the app. All associated data are removed or anonymised within 30 days unless we are legally obliged to retain specific records.

12. Data Protection Impact Assessments

We perform data protection impact assessments (DPIAs) for any processing that could present a high risk to individual rights and freedoms, as required by GDPR Art. 35. Findings and mitigating measures are documented and reviewed regularly.

13. Automated decision-making

The app provides coaching suggestions only. No automated decision with legal or similarly significant effect is taken without meaningful human involvement (GDPR Art. 22).

14. Changes

We review this statement regularly. The latest version is always available in-app at settings → privacy policy and at https://debat.eu/privacyverklaring/?lang=en. If changes materially alter your rights we will notify you through the app or by e-mail before the new version takes effect.