Privacy Policy
This document is an English-language version provided for information purposes only. The original Dutch version is the legally binding text. In the event of any discrepancy or dispute, including in court proceedings, the Dutch version shall prevail.
Bimizi B.V. ("Bimizi", "we", "us" or "our") is committed to protecting your personal data. This privacy policy explains which personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have. We process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG) and all other applicable legislation.
1. Who Are We?
Bimizi B.V. is the controller of the personal data processed through the Platform. Where you use the Platform on behalf of your employer or client, your organisation acts as the controller and Bimizi acts as a processor. In that case, the Data Processing Agreement applies.
Contact details:
Bimizi B.V.Hanenweg 1, 4317 NJ Noordgouwe, The Netherlands
Email: hello@bimizi.com
Chamber of Commerce (KvK) number: [to be completed]
2. What Personal Data Do We Process?
We process the following categories of personal data, depending on how you interact with us and use the Platform:
2.1 Account Data
When you create an account, we collect:
- Name (first name and surname)
- Email address
- Phone number (optional)
- Company name and job title
- Company details (address, VAT number)
- Password (stored only in hashed and encrypted form)
2.2 Subscription and Billing Data
When you take out a subscription, we process:
- Subscription type and duration
- Billing details (name, address, VAT number)
- Transaction information (amount, date, status)
We do not store payment details such as credit card numbers or bank account numbers. The processing and storage of payment data is handled exclusively by our third-party payment processor (Stripe or Mollie) under its own terms and privacy policy.
2.3 Usage Data
When you use the Platform, we process:
- IP address
- Browser type and operating system
- Login times and session duration
- Activity on the Platform (uploaded drawings, generated quotations, actions performed)
- Log files for debugging and security purposes
2.4 Project Data
The Platform processes data that you enter or upload, including:
- Construction drawings
- Bills of Quantities (BOQ) and unit prices
- Quotations and calculations generated by the Platform
These documents may contain personal data, such as the names of clients, project managers or contact persons. You are responsible for the lawfulness of the data you enter into the Platform.
2.5 Communications Data
When you contact us, we process:
- The content of your messages (email, phone, contact form)
- Your contact details
2.6 Website Data
When you visit our website, we may process:
- IP address
- Browser type and device information
- Pages visited and click behaviour
- Referring website
- Cookie data (see Section 9)
3. Why Do We Process Your Personal Data?
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Providing the Platform and AI service | Performance of a contract (Art. 6(1)(b)) |
| Processing subscriptions and payments | Performance of a contract (Art. 6(1)(b)) |
| Providing customer support | Performance of a contract (Art. 6(1)(b)) |
| Sending service notifications and operational messages | Performance of a contract (Art. 6(1)(b)) |
| Improving and developing the Platform | Legitimate interest (Art. 6(1)(f)) |
| Securing the Platform and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Improving AI models using anonymised data | Legitimate interest (Art. 6(1)(f)) |
| Analysing use of the website and Platform | Consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Sending newsletters or marketing communications | Consent (Art. 6(1)(a)) |
Where we rely on a legitimate interest, we have carried out a balancing test between our interest and your privacy rights. You may contact us to enquire about the outcome of this assessment.
4. Use of Artificial Intelligence
Our Platform uses artificial intelligence to analyse construction drawings and generate quotations. In the interest of transparency, we inform you of the following:
- The drawings you upload and the data you enter are processed by our AI system to segment building elements, calculate areas and volumes, and generate quotations.
- The AI processing is automated, but it does not involve automated decision-making with legal or similarly significant effects on you within the meaning of Article 22 GDPR. The generated output must always be verified by you before use.
- We may use anonymised, non-identifiable data to improve our AI models. Data used for this purpose no longer qualifies as personal data.
- If you do not wish your anonymised data to be used for model improvement, you may object by contacting us.
- We take appropriate measures to prevent personal data contained in uploaded documents from being unintentionally disclosed to unauthorised third parties through AI output.
In accordance with Regulation (EU) 2024/1689 (the AI Act), we strive for full transparency regarding the use of AI within the Platform.
5. With Whom Do We Share Your Personal Data?
We share your personal data with third parties only where necessary for the purposes described above, or where we are legally obliged to do so. We do not sell your personal data to third parties.
5.1 Processors
We engage the following categories of processors:
| Category | Party | Purpose | Location |
|---|---|---|---|
| Hosting | [to be completed] | Hosting the Platform and storing data | EU/EEA |
| Payment processing | Stripe, Inc. / Mollie B.V. | Processing payments | EU/EEA (Stripe: partly US) |
| Email service | [to be completed] | Sending operational and service emails | [to be completed] |
| Analytics | [to be completed, e.g. none or Plausible/Matomo] | Website analytics | [to be completed] |
| Customer support | [to be completed, if applicable] | Handling enquiries | [to be completed] |
We have entered into a Data Processing Agreement with all processors in accordance with Article 28 GDPR.
5.2 Other Recipients
We may share your personal data with:
- The Dutch Tax Authority, supervisory authorities or other competent authorities, where we are legally required to do so;
- Legal advisers or accountants, where necessary for the performance of their duties, subject to confidentiality obligations;
- A successor to Bimizi in the event of a merger, acquisition or transfer of business, in which case we shall inform you in advance.
6. Transfers Outside the EEA
We process your personal data within the European Economic Area (EEA) as a general rule. Where a transfer to a country outside the EEA takes place (for example, where Stripe is used), this is done solely on the basis of:
- an adequacy decision by the European Commission (Article 45 GDPR); or
- appropriate safeguards, such as Standard Contractual Clauses (SCCs) adopted by the European Commission (Article 46 GDPR).
You may contact us to enquire about the safeguards in place for any specific transfer.
7. How Long Do We Retain Your Personal Data?
We do not retain your personal data for longer than is necessary for the purpose for which it was collected, unless a longer retention period is required by law.
| Data | Retention period |
|---|---|
| Account data | Duration of the account plus 30 days after deletion |
| Subscription and billing data | 7 years after the financial year (Dutch fiscal retention obligation) |
| Project data (drawings, quotations) | Duration of the account plus 30 days after termination, unless you request earlier deletion |
| Usage data and log files | Maximum of 12 months |
| Communications data | Maximum of 24 months after resolution |
| Website data and cookies | See our Cookie Policy |
Once the retention period has expired, the data is deleted or anonymised.
8. How Do We Protect Your Personal Data?
We take appropriate technical and organisational measures to protect your personal data against loss, unauthorised access, alteration or disclosure. These measures include:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher)
- Multi-factor authentication (MFA) for access to production systems
- Access restriction based on the need-to-know principle
- Daily automated backups
- Periodic vulnerability scans and penetration testing
- Confidentiality obligations for all staff
- Security awareness training
Further details of our security measures can be found in Annex A to the Data Processing Agreement.
10. Your Rights
Under the GDPR, you have the following rights in respect of your personal data:
Right of access (Article 15 GDPR) — You have the right to know whether we process personal data about you and to receive a copy of that data.
Right to rectification (Article 16 GDPR) — You have the right to have inaccurate or incomplete personal data corrected or supplemented.
Right to erasure (Article 17 GDPR) — You have the right to request that we delete your personal data, unless there is a legal ground for continuing the processing.
Right to restriction of processing (Article 18 GDPR) — You have the right to have the processing of your personal data restricted in certain circumstances.
Right to data portability (Article 20 GDPR) — You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transferred to another controller.
Right to object (Article 21 GDPR) — You have the right to object to the processing of your personal data where we rely on a legitimate interest. We shall cease the processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing purposes at any time.
Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent shall not affect the lawfulness of any processing carried out before the withdrawal.
Right to lodge a complaint — You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe that we are processing your personal data unlawfully.
How Can You Exercise Your Rights?
You may submit your request by sending an email to hello@bimizi.com. We shall deal with your request free of charge and respond within thirty (30) days. If your request is complex or we receive a large number of requests, we may extend this period by a further sixty (60) days, of which we shall inform you within the initial thirty-day period. We may ask you to verify your identity before we process your request.
11. Minors
The Platform is not intended for persons under the age of sixteen (16). We do not knowingly collect personal data from minors. If we discover that we have inadvertently processed the personal data of a minor, we shall delete such data as soon as possible.
12. Third-Party Links
The Platform or our website may contain links to third-party websites or services. We are not responsible for the privacy policies or data processing practices of those third parties. We recommend that you consult the privacy policy of the relevant third party.
13. Data Breaches
If a data breach occurs that is likely to pose a risk to your rights and freedoms, we shall report it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours. If the data breach is likely to pose a high risk to your rights and freedoms, we shall also inform you as soon as possible, unless one of the exceptions set out in Article 34 GDPR applies.
14. Changes to This Privacy Policy
We reserve the right to amend this privacy policy. Amendments are published on this page with the effective date indicated. In the event of material changes that significantly affect your rights, we shall actively notify you, for example by email or by means of a notification on the Platform. We recommend that you consult this privacy policy regularly.
15. Contact and Complaints
If you have any questions, comments or complaints about this privacy policy or about how we process your personal data, please contact us:
Bimizi B.V.Hanenweg 1, 4317 NJ Noordgouwe, The Netherlands
Email: hello@bimizi.com
If we are unable to resolve your concern, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit PersoonsgegevensPO Box 93374, 2509 AJ The Hague, The Netherlands
Website: https://www.autoriteitpersoonsgegevens.nl