GDPR Compliance | Value Adders World

🇪🇺 Our Commitment

Value Adders World is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679. We process personal data lawfully, fairly, and transparently.

📍 Data Controller Information

The data controller for personal data processed through our services is:

Value Adders World
Amsterdam, Netherlands 🇳🇱

Privacy Contact: privacy@addvalue.ai
Response Time: Within 30 days for all data subject requests

⚖️ Legal Bases for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

Processing Activity	Legal Basis	GDPR Article
Providing AI agent services	Performance of contract	Art. 6(1)(b)
Account management	Performance of contract	Art. 6(1)(b)
Billing and invoicing	Performance of contract / Legal obligation	Art. 6(1)(b), (c)
Security and fraud prevention	Legitimate interest	Art. 6(1)(f)
Service improvement	Legitimate interest	Art. 6(1)(f)
Marketing communications	Consent	Art. 6(1)(a)
Legal compliance	Legal obligation	Art. 6(1)(c)

🛡️ Your Rights Under GDPR

As an EU data subject, you have the following rights:

📋

Right of Access

Request a copy of all personal data we hold about you (Article 15)

✏️

Right to Rectification

Correct any inaccurate or incomplete personal data (Article 16)

🗑️

Right to Erasure

Request deletion of your personal data ("right to be forgotten") (Article 17)

⏸️

Right to Restriction

Limit how we process your data in certain circumstances (Article 18)

📦

Right to Portability

Receive your data in a machine-readable format (Article 20)

🚫

Right to Object

Object to processing based on legitimate interest (Article 21)

↩️

Right to Withdraw Consent

Withdraw consent at any time where consent is the legal basis (Article 7)

🤖

Automated Decision-Making

Not be subject to solely automated decisions with legal effects (Article 22)

How to Exercise Your Rights:
Email privacy@addvalue.ai with your request. We will verify your identity and respond within 30 days. No fee is required for standard requests.

🤖 AI and Automated Decision-Making

Our AI agents make decisions and take actions on your behalf. Under Article 22 of GDPR, you have rights regarding automated decision-making.

How We Comply

Transparency: Every AI decision is logged with full reasoning
Human Oversight: You can set thresholds requiring human approval
Meaningful Information: We explain the logic behind agent decisions
Right to Intervene: You can pause, override, or reverse agent actions

Our AI agents do not make decisions with significant legal or similarly significant effects without human oversight. All high-impact decisions can be configured to require human approval.

🌍 International Data Transfers

Our primary data processing occurs in the EU. When we transfer data outside the EU/EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): EU-approved contract terms with sub-processors
Data Processing Agreements: Binding agreements with all third parties
Technical Safeguards: Encryption in transit and at rest

Sub-Processors Outside EU

Sub-Processor	Location	Purpose	Safeguard
OpenAI	United States	AI model inference	SCCs + DPA

📅 Data Retention

We retain personal data only as long as necessary for the purposes collected:

Data Category	Retention Period	Justification
Account data	Duration of account + 30 days	Contract performance
Agent operational data	Configurable (default 90 days)	Service provision
Audit logs	2 years	Security / legitimate interest
Billing records	7 years	Legal obligation (tax law)

🔐 Security Measures

In accordance with Article 32 of GDPR, we implement appropriate technical and organizational measures to ensure security:

Encryption: AES-256-GCM at rest, TLS 1.3 in transit
Access Control: Role-based permissions, API key authentication
Logging: Complete audit trail of all data access
Incident Response: Documented procedures for breach notification

For detailed security information, see our Security Whitepaper.

🚨 Data Breach Notification

In the event of a personal data breach, we will:

Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours if the breach is likely to result in risk to rights and freedoms (Article 33)
Notify affected data subjects without undue delay if the breach is likely to result in high risk (Article 34)
Document all breaches and remediation actions

📝 Data Processing Agreements

When we act as a data processor on behalf of customers (e.g., processing your customer data through our AI agents), we enter into Data Processing Agreements (DPAs) that include:

Subject matter, duration, nature, and purpose of processing
Types of personal data and categories of data subjects
Obligations and rights of the controller
Processor's obligations regarding sub-processors
Technical and organizational security measures
Assistance with data subject requests
Breach notification procedures
Audit rights

To request a DPA, contact privacy@addvalue.ai.

📞 Supervisory Authority

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with a supervisory authority.

Dutch Data Protection Authority
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
Postbus 93374, 2509 AJ Den Haag

Website: autoriteitpersoonsgegevens.nl

📬 Contact Us About GDPR

For any GDPR-related questions or to exercise your rights:

Email: privacy@addvalue.ai
Response Time: Within 30 days

We're committed to transparent, lawful data processing. Don't hesitate to reach out.