Legal

Privacy Policy

EdgeBuddy B.V. trading as edge247

Last updated: February 13, 2026

Our Core Promise

edge247 is a security-first AI transformation agency. We deploy Full-Time Agents on your hardware, at your premises. Your agent data (conversations, memory, notes) stays on your machine. We do not host, store, or retain your agent data on our infrastructure. All AI processing uses Zero Data Retention, so no provider stores or trains on your conversations.

1. Who We Are

Data Controller:

EdgeBuddy B.V., trading as edge247
KvK: 97717193 | RSIN: 868199230 | BTW: NL868199230B01
Email: contact@edge247.ai

We are registered in the Netherlands and comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG").

We have not appointed a Data Protection Officer as this is not required given the nature and scale of our data processing. For all privacy inquiries, contact us at contact@edge247.ai.

2. What Personal Data We Collect

We collect the minimum amount of personal data necessary to provide our services.

2.1 Website Visitors

Data	Purpose	Legal Basis
Anonymous usage statistics	Understanding how visitors use our website	Legitimate interest (Article 6(1)(f) GDPR)

We use Vercel Analytics, which collects anonymous, aggregated website usage data without cookies and without personal identifiers. No IP addresses, device fingerprints, or individual browsing behaviour is collected or stored.

We do not use advertising cookies, tracking pixels, or behavioural analytics.

2.2 Business Contacts

When you contact us via our website, email, phone, or messaging, we collect:

Data	Purpose	Legal Basis
Name	Identify you as a contact	Pre-contractual necessity (Article 6(1)(b) GDPR)
Email address	Communicate with you	Pre-contractual necessity
Phone number (if provided)	Communicate with you	Pre-contractual necessity
Company name	Understand your business context	Pre-contractual necessity
Message content	Respond to your inquiry	Pre-contractual necessity

2.3 Clients (Under Service Agreement)

When you become a client, we additionally collect:

Data	Purpose	Legal Basis
Company registration details (KvK/VAT number)	Invoicing and legal compliance	Contract performance (Article 6(1)(b) GDPR)
Billing contact details	Payment processing	Contract performance
Technical configuration details	Service delivery	Contract performance
Support communications	Resolve issues and maintain service	Contract performance
SSH access logs	Security audit trail for maintenance	Legitimate interest (Article 6(1)(f) GDPR)
Operational telemetry metadata (service-health flags, channel status, cron outcomes, version state, timestamps, host identifier)	Deliver Always-On Watch, alerting, and incident response	Contract performance (Article 6(1)(b) GDPR); legitimate interest (Article 6(1)(f) GDPR)

2.4 Free Demo Period

If you participate in our free 3-day demo, we collect:

Data	Purpose	Handling
Company name and contact info	Set up demo and follow up	Retained as business contact data (see Section 8).
WhatsApp messages during demo	Demonstrate AI agent capabilities	Processed on edge247 infrastructure. Deleted within 30 days of demo ending.
Publicly available company information	Configure demo agent context	Sourced from public websites only. Not stored after demo.

During the demo, edge247 is the data controller for demo interaction data. Legal basis: pre-contractual necessity (Article 6(1)(b) GDPR). You may request deletion of demo data at any time.

2.5 Temporary Data During Implementation

Data	Purpose	Handling
Mac Mini admin credentials	Software installation	Deleted immediately after installation. Client should change password after setup.
WhatsApp/Telegram phone number	Channel configuration	Stored on Client's hardware only, not on our systems.
Network configuration details	Tailscale VPN setup	Used during setup, not stored by us after configuration.

3. What We Do NOT Collect

We want to be explicit about what we do not collect:

Your Full-Time Agent's conversations or chat history (stored on your hardware only)

Your Full-Time Agent's memory or notes (stored on your hardware only)

Your employees' or customers' personal data processed by the agent

Message content for monitoring purposes

Tracking cookies or advertising identifiers from our website

Behavioural analytics or browsing profiles

Location data

Biometric data, health data, or special category data of any kind

4. Your Agent Data Stays on Your Hardware

After deployment, your Full-Time Agent's data remains entirely on your Mac Mini:

Conversations and session transcripts, stored locally
Memory and notes, stored locally in your agent's workspace
Configuration files, stored locally
Credentials and tokens, stored locally with restricted file permissions

We do not have continuous access to this data. We access your system only during scheduled maintenance windows via Tailscale VPN (encrypted end-to-end), and only for the purpose of technical maintenance and support.

For Always-On Watch, we may copy limited infrastructure telemetry metadata to our internal operations systems for maintenance and incident handling. This does not include conversation content or business documents.

AI API Data Flow and Zero Data Retention

While your agent data is stored locally, conversation data is transmitted to AI model providers for real-time processing to generate responses. We enforce Zero Data Retention (ZDR) across the entire AI processing chain:

All AI API requests are routed through OpenRouter (OpenRouter Inc., Delaware, USA) with ZDR enabled at the account level;
OpenRouter routes requests only to AI providers (Anthropic, Google, and others) with verified zero-retention policies;
Providers process your data transiently in-memory only. No prompts, completions, or conversation data is stored;
No provider trains on your data. ZDR-compliant endpoints are contractually prohibited from using your data for model training;
API calls originate from your Mac Mini, through OpenRouter, to the AI provider. No conversation data passes through or is stored on edge247 infrastructure.

Depending on the arrangement specified in your Proposal, API keys may be provided by edge247 or provisioned directly by the Client.

What ZDR means in practice: your conversation with the AI agent is processed in real-time to generate a response, then immediately discarded by all providers in the chain. No record of the conversation exists outside your own Mac Mini.

5. Our Role Under GDPR

5.1 Data Controller

We are the data controller for:

Business contact information you provide to us (name, email, phone, company)
Billing and invoicing data
Support and communication records
Website analytics data (anonymous)

5.2 Our Maintenance Access

We are an IT deployment and maintenance service provider. During maintenance, we access your system via Tailscale SSH for technical administration only: software updates, health monitoring, error log review, and security patching. We do not access, review, or process your business data (conversations, memory, notes).

Our personnel are bound by confidentiality obligations. Upon termination, we revoke our access and destroy any credentials we hold. If your legal counsel determines that our maintenance access requires a Data Processing Agreement under GDPR Article 28, we will enter into one upon request.

5.3 You Are the Data Controller for Agent Data

You are the data controller for all personal data processed by your Full-Time Agent, including conversations between the agent and your employees or customers, personal data contained in the agent's memory and notes, and any personal data accessed by the agent through connected services (email, calendar, and similar).

As data controller, you are responsible for:

Maintaining a lawful basis for this processing;
Informing data subjects (employees, customers) about the AI agent;
Responding to data subject access, correction, and deletion requests;
Disclosing in your own privacy policy that AI processing involves data transfer to OpenRouter and upstream AI providers (US-based), with Zero Data Retention enabled.

We can provide template language for your privacy policy upon request.

6. Sub-Processors

6.1 Our Service Providers (We Are Controller)

Provider	Purpose	Data Location	Safeguards
Zoho Corporation	Email hosting (contact@edge247.ai)	EU (Amsterdam data center)	Zoho DPA, EU servers
Vercel Inc.	Website hosting and anonymous analytics	Global CDN (US headquarters)	EU-US Data Privacy Framework
Bunq B.V.	Payment processing	Netherlands	Dutch banking regulation, GDPR compliant

6.2 AI Service Providers (Used in Client Deployments)

The following providers may be used depending on the API arrangement specified in your Proposal:

Provider	Purpose	Data Location	Safeguards
OpenRouter Inc.	AI API gateway with Zero Data Retention	USA (Delaware)	ZDR policy, SOC-2 compliant, Standard Contractual Clauses
Anthropic PBC	AI model (Claude) for agent responses (via OpenRouter)	USA	Zero Data Retention, EU-US Data Privacy Framework
Google LLC	Embedding model for memory search (processed locally on Client hardware by default; cloud fallback via OpenRouter if configured)	USA	Zero Data Retention, EU-US Data Privacy Framework
Tailscale Inc.	Encrypted VPN for remote maintenance	USA (coordination servers); data is end-to-end encrypted peer-to-peer	WireGuard encryption, minimal metadata

OpenRouter routes AI requests only to providers with verified Zero Data Retention policies. No conversation data is stored or retained by any provider in this chain.

7. International Data Transfers

Some of our service providers are located in the United States. We ensure lawful data transfers through the following mechanisms:

EU-US Data Privacy Framework (DPF): Anthropic, Google, and Vercel are certified under the EU-US DPF, which provides an adequate level of data protection recognized by the European Commission (Adequacy Decision of July 10, 2023).
Standard Contractual Clauses (SCCs): Where DPF certification is not available, we rely on EU Commission-approved Standard Contractual Clauses.
End-to-end encryption: Tailscale uses WireGuard encryption for all connections. Maintenance traffic is encrypted peer-to-peer; Tailscale coordination servers only handle encrypted metadata.

We monitor developments regarding the EU-US Data Privacy Framework. Should the framework be invalidated, we will implement alternative transfer mechanisms (SCCs) promptly.

8. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected:

Data Category	Retention Period	Reason
Website analytics	26 months	Standard analytics window
Business contact data (non-clients)	2 years from last contact	Sales follow-up
Client contract and billing data	Duration of contract + 7 years	Dutch tax law (Algemene wet inzake rijksbelastingen) requires 7-year retention of financial records
Support communications	Duration of contract + 2 years	Liability and warranty period
Implementation credentials (admin passwords, etc.)	Deleted immediately after installation	No longer needed
SSH access logs	Duration of contract + 1 year	Security audit trail
Operational telemetry metadata	90 days	Incident investigation, service quality tracking, and audit trail

After the retention period expires, we delete or anonymize the data. You may request earlier deletion of non-legally-required data at any time.

9. Data Security

We protect your personal data through the following measures:

Encryption in transit: All communications use TLS 1.3. Maintenance access uses Tailscale WireGuard encryption (end-to-end).
Access controls: Tailscale VPN with ACL-based access policies. Each client's device is cryptographically isolated on our Tailscale network.
Minimal data collection: We collect only what is necessary for service delivery (privacy by design, GDPR Article 25).
Credential management: Implementation credentials are deleted immediately after setup. API keys are stored with restricted file permissions (chmod 600) on client hardware.
Security audits: We run regular security audits on client deployments.
EU-based email: Our email is hosted on Zoho's EU (Amsterdam) servers.

For your Full-Time Agent on your hardware, you are responsible for physical security of the Mac Mini, device encryption (FileVault), network security at your premises, and not sharing credentials with unauthorized parties.

10. Cookies

We do not use cookies for tracking, advertising, or behavioural analytics.

Our website (edge247.ai) uses:

Vercel Analytics: Cookieless, anonymous, aggregated website statistics. No personal data is collected.
Functional cookies: Minimal cookies set by Next.js for basic website functionality (session handling). These are strictly necessary and do not require consent under the Dutch Telecommunicatiewet (Article 11.7a).

No cookie consent banner is required for our current website configuration.

11. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right	Description	GDPR Article
Access	Request a copy of the personal data we hold about you	Article 15
Rectification	Request correction of inaccurate or incomplete data	Article 16
Erasure	Request deletion of your data ("right to be forgotten")	Article 17
Restriction	Request that we limit how we use your data	Article 18
Portability	Receive your data in a structured, machine-readable format	Article 20
Object	Object to our processing based on legitimate interest	Article 21
Withdraw consent	Where processing is based on consent, withdraw it at any time	Article 7(3)

To exercise any of these rights, contact us at contact@edge247.ai. We will respond within 30 days (extendable by 60 days for complex requests, with prior notice).

We will not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, in accordance with Article 12(5) GDPR.

12. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens

Website: autoriteitpersoonsgegevens.nl

Phone: +31 (0)88 1805 250

Address: Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands

If you are located in another EU member state, you may also lodge a complaint with your local supervisory authority.

13. Client Privacy Obligations

If you are a client using our Full-Time Agent service, please note:

13.1 Your Employees and Customers

When your employees or customers interact with your Full-Time Agent via WhatsApp, Telegram, or other channels, you are the data controller for those interactions. You must:

Include the AI agent in your own privacy policy;
Inform users that they are chatting with an AI agent (required under the EU AI Act from August 2, 2026);
Disclose that conversation data is processed transiently (Zero Data Retention) via OpenRouter and upstream AI providers (US-based);
Have a lawful basis for processing employee data via the AI agent (typically employment contract or legitimate interest);
Respond to data subject requests regarding agent interactions.

13.2 WhatsApp Compliance

If your Full-Time Agent uses WhatsApp:

WhatsApp Business terms apply to your use of the platform;
You must comply with WhatsApp's policies regarding AI-powered messaging;
We recommend the agent's first message to new contacts includes a disclosure: "I am [Company]'s AI assistant. How can I help you?"

13.3 Template Language

We can provide template privacy policy language covering the Full-Time Agent as part of our Implementation service. Contact us at contact@edge247.ai.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes affecting client data, we will notify clients by email at least 30 days in advance. Previous versions are available upon request.

Questions about your privacy?

EdgeBuddy B.V. trading as edge247

KvK: 97717193

contact@edge247.ai

This Privacy Policy is provided in English. If you require a Dutch translation, please contact us.