Privacy Policy
Effective date: April 9, 2026
Introduction
HybridMismatch.com ("we", "us", "our") operates the HybridMismatch.com website and ATAD2 hybrid mismatch documentation services. This Privacy Policy explains how we collect, use, protect, and manage your personal data when you use our website, submit an intake form, or engage with our services.
We are committed to protecting your privacy and ensuring transparency about our data practices. We comply with the General Data Protection Regulation (GDPR) and Dutch data protection laws.
Data controller: HybridMismatch.com is operated by Lowkey Automation, a sole proprietorship registered with the Dutch Chamber of Commerce (KvK) under number 42057580, based in Amsterdam, the Netherlands.
Contact: info@hybridmismatch.com
1. What Data We Collect
We collect personal data through your interaction with our website and intake forms. The data collected includes:
Intake Form Data
When you submit an intake or contact form, we collect:
- Full name and role/title
- Email address and phone number
- Company name and KvK (Chamber of Commerce) number
- Industry and revenue range
- Countries of operation and number of entities
- Intercompany arrangement types
- Service tier preference
Website Data
When you visit our website, we may collect:
- IP address
- Browser type and version
- Operating system
- Pages visited and time spent on page
- Referral source
Payment Data
When you make a payment, transaction details are processed by our EU payment processor. We never see or store your card details.
2. Legal Basis for Data Processing
We process your personal data based on:
- Contract Performance: Processing necessary to prepare your ATAD2 hybrid mismatch documentation and provide our services.
- Legitimate Interest: To improve our website, prevent fraud, and maintain business records.
- Legal Obligation: Where required by Dutch tax law or other applicable regulations.
3. Why We Collect Your Data
We collect and use your data for the following purposes:
- To prepare, verify, and deliver your ATAD2 hybrid mismatch documentation
- To assess your corporate structure for hybrid mismatch risk
- To communicate with you about your engagement and our services
- To process payments and send invoices
- To provide support and respond to inquiries
- To improve our website, services, and user experience
- To comply with legal and tax obligations
- To prevent fraud and ensure security
4. How Long We Keep Your Data
We retain your personal data for different periods depending on the data type:
- Intake and structure data: not stored on our servers. The data you enter to generate a file is processed in the EU only for the duration of that generation and is discarded once your file is delivered. Keep your own copy of the downloaded file.
- Invoice and transaction records: 7 years. We are required to retain invoices and payment records under the Dutch bookkeeping obligation (Art. 52 AWR). Card data itself is handled solely by our payment processor under its own controllership; we never see or store it.
- Website Analytics: Up to 2 years, unless you request deletion earlier.
- Email Communications: Retained for client service purposes; you may request deletion at any time.
If you do not proceed with an engagement after initial contact, we will offer to delete your data unless we are required to retain it by law.
5. Sub-processors and automated AI
We use a small set of sub-processors, each engaged under a data processing agreement. We describe them here by function and location. You can request the current list, including the name of each provider, in writing at info@hybridmismatch.com.
- Site hosting and content delivery: an EU-based hosting and CDN provider (static pages only).
- Document generation: a server hosted within the EU that runs the automated process.
- AI model: a large language model accessed through an EU-resident inference profile (Ireland). The model only reads what you submit to produce your file; it is not trained on your data and the data is not retained past generation.
- Optional document reading (OCR): an EU-based document-extraction service, used only when you choose to upload an org chart.
- Bot protection: a bot-protection widget on our forms, which processes your IP address and interaction with the widget to block automated abuse (legitimate interest).
- Payments and invoicing: an EU-based payment processor.
- Email correspondence: our email provider hosts the info@hybridmismatch.com mailbox. Anything you send us by email is retained there until you ask us to delete it. The automated generation pipeline itself stores nothing.
- Optional marketing emails (Risk Check summary, newsletter): a form and email provider, used only if you opt in by entering your email.
Your intake and structure data is processed in the EU and is not stored on our servers after your file is generated. The AI model is operated by a provider with a US parent company; that transfer is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses, assessed in our transfer impact assessment. If you opt in to a marketing email or email us directly, that data may be handled by a US-based provider under Standard Contractual Clauses.
Automated, AI-generated output (EU AI Act Art. 50): the documentation file is produced by an automated AI process and is not reviewed by a tax advisor. It is not tax advice. You remain responsible for the content you file.
You can request the current sub-processor list, including the name and location of each provider, in writing at info@hybridmismatch.com.
6. International Data Transfers
Most of your data is processed within the EU. A small number of providers can involve a US transfer: the AI model provider (relying on the EU-US Data Privacy Framework, Standard Contractual Clauses and our transfer impact assessment), and our email and optional-marketing providers (relying on Standard Contractual Clauses). Your intake and structure data stays in the EU and is not sent to any of these.
We do not intentionally transfer personal data outside the EU except where necessary for service provision.
7. Your Data Rights
Under GDPR, you have the following rights:
Right of Access
You can request a copy of all personal data we hold about you.
Right of Rectification
You can request that we correct inaccurate or incomplete data.
Right of Erasure
You can request deletion of your data, subject to legal retention requirements (e.g., the 7-year tax retention obligation under Art. 52 AWR).
Right of Data Portability
You can request your data in a portable, machine-readable format (e.g., CSV).
Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
Right to Object
You can object to our processing of your data for certain purposes, particularly marketing or profiling.
Right to Lodge a Complaint
If you believe we are not complying with data protection laws, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP).
To exercise any of these rights, contact us at info@hybridmismatch.com with your request and proof of identity.
Dutch Data Protection Authority (AP): If you wish to file a complaint regarding our data practices, you can contact the AP at www.autoriteitpersoonsgegevens.nl or (+31) 70 888 8500.
8. Security and Data Protection
We take data security seriously. We implement the following measures:
- HTTPS encryption for all website traffic
- Secure form submission to our processing provider over HTTPS
- Restricted access to personal data (only authorized personnel)
- Regular security audits and updates
- Secure deletion of data after retention periods expire
While we implement strong security measures, no online service is 100% secure. We recommend you use strong passwords and keep your login credentials confidential.
9. Cookies and Tracking
We use a limited number of cookies and similar technologies. You control the non-essential ones through our cookie banner, and you can change your choice at any time via the "Cookie settings" link in the footer.
- Strictly necessary (no consent required): storage needed for the site to work, to remember your progress in the intake form, and to protect our forms against spam and abuse. These are always active.
- Analytics and advertising (only with your consent): we use Google's measurement and advertising tag to understand how visitors find and use the site and to measure our campaigns. It stores nothing on your device and shares no data until you accept it in the cookie banner; until then it runs in consent-denied mode.
- No data sale: we never sell or rent your personal data, and we do not share it with third parties for their own marketing.
10. Children's Privacy
Our services are intended for business professionals (18 years and older). We do not knowingly collect personal data from children under 18. If we become aware that a child has submitted data, we will delete it promptly. Parents or guardians who believe a child has provided us with information should contact us immediately at info@hybridmismatch.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on our website. Your continued use of our services after changes constitutes your acceptance of the updated policy.
Last Updated: June 18, 2026
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: info@hybridmismatch.com
- Website: www.hybridmismatch.com
We will respond to your inquiry within 30 days.