Legal

Privacy Policy

Last updated: 23 February 2026 · This policy is effective as of the date above and remains in force until superseded by a newer version · AIvelli, the Netherlands

Your privacy matters to us. This policy explains exactly what data we collect, why, and how we use it — written in plain language. We operate under EU/GDPR rules as our default standard, applying the highest level of data protection to every user regardless of location. Questions or requests: le***@*****li.com

Who We Are

Aivelli is operated as a sole proprietorship registered in the Netherlands. We teach professionals how to apply Artificial Intelligence in their project management work through digital educational products — specifically AI-powered playbooks available for purchase on this website.

Aivelli (eenmanszaak)

Registered in the Netherlands · KvK: 98190431

le***@*****li.com · aivelli.com

Scope of This Policy

This Privacy Policy applies to all visitors and customers of aivelli.com, regardless of where you are located. Our services are intended exclusively for professional adults aged 18 and over. We do not knowingly collect data from or market to minors.

If you are located in the European Economic Area (EEA), you benefit from the full protections of the General Data Protection Regulation (EU) 2016/679 (GDPR). If you are located in California (USA), additional rights under the California Consumer Privacy Act (CCPA) apply — see Section 14. All other users benefit from equivalent protections we apply as our global minimum standard.

Data We Collect

We collect only the minimum data necessary to provide our services.

3.1 Data You Provide Directly

Email address — provided when purchasing a product or subscribing to our newsletter. This is the only personal identifier we ask for at the point of account creation.
Password — you create your own password after we send you a secure setup link. We store only a hashed (encrypted) version. We never see your plain-text password.
Contact form submissions — name, email address, and the message content you submit through our contact form.

3.2 Data Generated Automatically

Usage data — pages visited, time spent, clicks, and navigation paths on our website, collected via Google Analytics (anonymised IP).
Device and browser data — browser type, operating system, screen resolution, referral URL, and approximate location (country/city level) derived from your IP address.
Cookie data — see our Cookie Policy for full details. Functional, analytical, and marketing cookies are used, subject to your consent.
Click-tracking data — when you click tracked links (managed via Pretty Links plugin), we record the click event and the link destination. No personal data beyond what you have already provided is captured.

3.3 Data We Do NOT Collect

We do not collect, store, or process: payment card details, bank account numbers, or any financial credentials — all payment processing is handled entirely by Stripe on their own platform. We also do not collect full names, phone numbers, postal addresses, government identification numbers, or any special category data (health, race, religion, political opinions, etc.).

How We Use Your Data

We use your personal data only for the following purposes, each supported by a lawful basis under GDPR Article 6.

4.1 To Deliver Your Purchase (Contractual Necessity — Art. 6(1)(b))

Send you account setup credentials and purchase confirmation
Provide access to the digital content you have purchased via MemberPress
Respond to customer service enquiries related to your purchase

4.2 Marketing and Newsletter (Legitimate Interest — Art. 6(1)(f))

When you purchase a product from Aivelli, we will add you to our newsletter mailing list. You will be informed of this clearly on the purchase page before completing your order. This practice is based on our legitimate interest in communicating with existing customers about similar products and services (GDPR Recital 47; ePrivacy Directive Art. 13(2)).

When you subscribe via our standalone newsletter form, consent (Art. 6(1)(a)) is the legal basis.

You may unsubscribe at any time by clicking the unsubscribe link in any email we send, or by emailing le***@*****li.com. Unsubscribing does not affect your access to products you have already purchased. We have conducted a Legitimate Interests Assessment (LIA) for this activity and concluded that our interests do not override your fundamental rights.

4.3 Website Analytics (Legitimate Interest — Art. 6(1)(f))

Understand how visitors navigate our website to improve content and user experience
Identify and fix technical issues
Monitor security and prevent abuse

We have conducted a Legitimate Interests Assessment (LIA) for these activities and concluded they do not override your fundamental rights, given the anonymised nature of the data and the low privacy impact. You may object to this processing at any time — see Section 12.

4.4 Legal Compliance (Legal Obligation — Art. 6(1)(c))

Retain purchase transaction records for 7 years as required by Dutch tax law (Belastingdienst bewaarplicht)
Respond to lawful requests from courts or regulatory authorities

Purchase & Payment Processing

Understanding our payment flow is important for your data protection:

You select a product on aivelli.com and provide your email address
You are redirected to Stripe’s secure checkout page (stripe.com)
All payment details (card number, billing address, etc.) are entered directly on Stripe’s platform
Aivelli never sees, receives, or stores your payment credentials
Stripe handles VAT/tax calculation and collection globally
After successful payment, Stripe notifies us and we send your account setup email

Stripe acts as an independent data controller for payment data. Their processing is governed by Stripe’s Privacy Policy and their EU Standard Contractual Clauses. Stripe is certified under the EU-US Data Privacy Framework. Through our Stripe dashboard we can see: your email address, country of purchase, transaction amount, VAT amount applied, and product purchased. We do not receive your full billing address or card details. Transaction-level data is retained for 7 years for Dutch tax law and EU OSS VAT obligations.

Newsletter & Email Marketing

Our email marketing is managed via the Newsletter plugin integrated with our WordPress website. Email delivery is processed through Strato’s SMTP servers (EU-hosted).

You will receive marketing emails either because you purchased a product (legitimate interest as an existing customer, informed at point of purchase) or because you subscribed independently via our newsletter form (explicit consent)
Every marketing email includes a one-click unsubscribe link
We use automated newsletter sequences (Newsletter Autoresponder plugin) to deliver onboarding and educational content
We segment our newsletter list based on engagement (Newsletter Geolocation and Reports plugins) to improve relevance. This segmentation does not involve automated individual decision-making.

Third-Party Data Processors

We work with carefully selected third-party service providers who process data on our behalf. Each has been assessed for GDPR compliance and has signed a Data Processing Agreement (DPA) with us where required under GDPR Article 28.

Service	Purpose	Data Shared	Location	Transfer Mechanism
Strato AG (Hosting)	Website hosting, file storage, SMTP email delivery	All website data, user accounts, purchase records, emails sent	Germany (EU)	No transfer — EU-based. GDPR Art. 28 DPA in place.
Stripe (Payments)	Secure payment processing, VAT/tax collection	Email address, transaction reference, product purchased	USA / Global	EU-US Data Privacy Framework + SCCs. Stripe is an independent controller for payment data.
Newsletter plugin (Email marketing)	Email list management, newsletter delivery	Email address, engagement data (opens, clicks)	EU (via Strato SMTP)	Processing on EU infrastructure. No US transfer for SMTP delivery.
Meta / Facebook (Analytics & Ads)	Facebook Pixel — advertising effectiveness, retargeting	Browsing behaviour, page views, events (consent-gated)	USA	EU-US Data Privacy Framework + SCCs. Only fires after cookie consent.
Google Analytics (Site Kit)	Website analytics, traffic analysis	Anonymised IP, page views, session data	USA	EU-US Data Privacy Framework + SCCs. IP anonymisation enabled.
MemberPress	Membership and digital content access management	Email address, purchase records, content access logs	Netherlands (Strato server)	No transfer — hosted on EU infrastructure.
Contact Form 7 + Flamingo	Contact form processing and message storage	Name, email, message content	Netherlands (Strato server)	No transfer — EU-based.
Pretty Links	URL shortening and click tracking	Anonymised click events, link destinations	Netherlands (Strato server)	No transfer — EU-based.
CookieYes / GDPR Cookie Consent	Cookie consent management	Cookie preferences and consent timestamps	Netherlands (Strato server)	No transfer — EU-based.
Anti-Spam by CleanTalk	Spam protection on forms	IP address, form data for spam scoring	USA	SCCs in place. Minimal data — scoring only, not retained.

We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.

International Data Transfers

Our primary infrastructure is hosted in Germany (Strato AG), meaning most of your data never leaves the European Economic Area. Where data is transferred to countries outside the EEA (such as the USA for Google, Meta, and Stripe), we ensure appropriate safeguards are in place as required by GDPR Chapter V.

EU-US Data Privacy Framework (DPF) — for processors certified under this framework (Stripe, Google, Meta/Facebook)
Standard Contractual Clauses (SCCs) — EU Commission-approved clauses incorporated into our contracts with non-EEA processors, providing binding obligations on data protection
GDPR Article 28 Data Processing Agreements — signed with all processors that handle personal data on our behalf

You can request a copy of the relevant SCCs or DPAs by contacting us at le***@*****li.com.

Data Retention

We retain your data only for as long as necessary for the purposes described in this policy or as required by law.

Data Category	Retention Period	Legal Basis
Account / purchase records (email, transaction reference)	7 years from date of purchase	Dutch tax law — Belastingdienst bewaarplicht (Art. 6(1)(c))
Active newsletter subscribers	Until you unsubscribe or withdraw consent	Consent (Art. 6(1)(a))
Inactive newsletter subscribers (no opens in 24 months)	Deleted or anonymised after 24 months of inactivity	Legitimate interest — list hygiene
Contact form submissions	12 months from date of submission	Legitimate interest — customer service follow-up
Website analytics data (Google Analytics)	14 months (Google’s default retention setting)	Legitimate interest — anonymised analytics
Cookie consent records	12 months	Legal obligation — evidence of consent
Server logs (Strato)	Up to 90 days	Legitimate interest — security monitoring
Deleted accounts	Personal data anonymised within 30 days of deletion request; tax records retained for 7 years	Legal obligation / contractual

Note on account deletion: If you request deletion of your account, we will anonymise your personal data within 30 days. However, transaction records (purchase reference, amount, date) must be retained for 7 years under Dutch tax law. These records will no longer be linked to your identifiable personal data after anonymisation.

Data Security

We implement appropriate technical and organisational measures in accordance with GDPR Article 32, including:

SSL/TLS encryption for all data transmitted to and from aivelli.com
Password hashing — user passwords are stored as salted hashes; plain-text passwords are never stored
Access controls — only authorised personnel have access to user data, on a need-to-know basis
EU-hosted infrastructure — primary data storage on Strato servers in Germany, within the EEA
Regular plugin and software updates to patch security vulnerabilities (WordPress maintenance protocols active)
Secure password setup flow — new accounts receive a one-time setup link rather than having passwords assigned by us

No method of internet transmission or electronic storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, and affected individuals without undue delay, as required by GDPR Articles 33–34.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our website. Cookies are managed through our CookieYes consent tool, which presents you with a clear choice before any non-essential cookies are set. We use three categories of cookies:

Strictly Necessary — required for the website to function (session management, security). These are set without consent.
Analytical — used to understand how visitors use our website (Google Analytics via Site Kit). These are set only after you consent.
Marketing — used for advertising effectiveness measurement (Facebook Pixel). These are set only after you consent.

Facebook Pixel: The Meta/Facebook Pixel on our website is configured to fire only after you have actively consented to marketing cookies. It does not activate on page load. Full details are in our Cookie Policy.

You can change your cookie preferences at any time by clicking the ‘Cookie Settings’ link in the footer of our website, or by clearing your browser cookies and reloading the page.

Your Rights Under GDPR

As a resident of the EEA (or as someone whose data we process under GDPR), you have the following rights under Chapter III of the GDPR:

Right of Access (Art. 15) — request a copy of all personal data we hold about you, along with information about how it is processed
Right to Rectification (Art. 16) — request correction of inaccurate or incomplete personal data
Right to Erasure / Right to be Forgotten (Art. 17) — request deletion of your personal data, subject to our legal retention obligations (e.g., 7-year tax records)
Right to Restriction of Processing (Art. 18) — ask us to limit how we use your data while a dispute is resolved
Right to Data Portability (Art. 20) — receive a copy of your data in a structured, commonly used, machine-readable format
Right to Object (Art. 21) — object to processing based on legitimate interests (including direct marketing). We will stop unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3)) — where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing
Right Not to Be Subject to Automated Decision-Making (Art. 22) — we do not use automated decision-making or profiling that produces legal or similarly significant effects

To exercise any of these rights, contact us at le***@*****li.com. We will respond within 30 days. If your request is complex or numerous, we may extend this by a further two months (and will inform you within the first 30 days). We will not charge a fee for reasonable requests.

You also have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens · autoriteitpersoonsgegevens.nl
Tel: +31 88 1805 250 · Postbus 93374, 2509 AJ Den Haag, Netherlands

Children’s Privacy

Our services are directed exclusively at working professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at le***@*****li.com and we will delete the data without delay.

California Residents — CCPA Notice

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete — you may request deletion of personal information we have collected, subject to certain exceptions
Right to Opt-Out of Sale — we do not sell your personal information to third parties. You therefore have no need to opt out, but we confirm this right applies and we honour it.
Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA rights

To exercise these rights, contact us at le***@*****li.com. We will respond within 45 days as required by CCPA.

Summary of Legal Bases (GDPR Article 6)

For transparency, here is a consolidated summary of the legal bases we rely on:

Contractual Necessity — Art. 6(1)(b)

Account creation, purchase fulfilment, product access delivery.

Consent — Art. 6(1)(a)

Newsletter marketing via standalone signup form, marketing cookies, and Facebook Pixel.

Legitimate Interests — Art. 6(1)(f)

Website analytics, security monitoring, link tracking, contact form retention, and newsletter marketing to existing customers.

Legal Obligation — Art. 6(1)(c)

7-year retention of tax/transaction records, data breach notifications to authorities.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the ‘Last updated’ date at the top of this document and, where required, notify you by email or via a prominent notice on our website.

We encourage you to review this policy periodically. Continued use of our website or services after changes take effect constitutes acceptance of the updated policy.

Contact & Data Controller

For any questions about this Privacy Policy, to exercise your rights, or to report a concern, please contact us. We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject requests under GDPR, we will respond within 30 days.

Aivelli

Sole proprietorship · Registered in the Netherlands · KvK: 98190431

le***@*****li.com · aivelli.com