Privacy Policy
Effective date: June 13, 2026
1. Who we are
poisettx is a platform for AI-powered cybersecurity tabletop exercises, operated by FH Holding B.V. (trade name poisettx), registered with the Dutch Chamber of Commerce under number 96980206, with its registered office at Boezemlaan 52 A, 3034 XD Rotterdam, the Netherlands. For the personal data described in this policy, FH Holding B.V. acts as the data controller, except for data inside customer workspaces (documents, simulations, session transcripts), which we process on behalf of the customer organization as a processor.
Questions or requests: support@poisettx.com.
2. What data we collect
- Account data — name, work email, and the organization you belong to.
- Organization data — organization profile (industry, size, revenue band, systems, frameworks, website) you provide to make exercises realistic.
- Documents — policy documents you generate or upload (e.g. incident response plans), including version history.
- Exercise data — simulations, session transcripts (including messages you send), attachments, debriefing reports, and per-member performance reviews.
- Leads — name, email, company, and phone number you submit through the product tour or contact form.
- Payment data — handled by Stripe; we store billing status and plan, never card numbers.
- Technical data — authentication cookies and logs strictly necessary to operate the service. We do not use advertising or cross-site tracking cookies.
3. Why we process it
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the platform (accounts, exercises, reports) | Performance of a contract (art. 6(1)(b)) |
| Generating AI content from your organization context | Performance of a contract (art. 6(1)(b)) |
| Billing and administration | Performance of a contract (art. 6(1)(b)) and legal obligation (art. 6(1)(c)) |
| Following up on demo and contact requests | Legitimate interest (art. 6(1)(f)) |
| Security, abuse prevention, and service integrity | Legitimate interest (art. 6(1)(f)) |
4. AI processing
poisettx uses large language models from Anthropic to generate simulations, documents, agent responses, and debrief reports. To do that, relevant context is sent to the Anthropic API: your organization profile, the document content you selected as ground truth, and session transcripts. Anthropic does not use API data to train its models. We never sell your data or use it to train models of our own.
5. Subprocessors
We use the following subprocessors to deliver the service:
| Vendor | Purpose | Data involved | Location & safeguards |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | Account data, organization data, documents, simulations, session transcripts | EU region (hosted on AWS). Data processing agreement; encryption at rest and in transit. |
| Vercel | Application hosting and content delivery | Request data passing through the application | Global edge network; compute in EU/US regions. Data processing agreement; EU Standard Contractual Clauses. |
| Anthropic | AI generation (simulations, documents, agents, debriefs) | Organization profile, selected document content, and session transcripts needed to generate exercises and reports | United States. API data is not used to train models; EU Standard Contractual Clauses / EU-US Data Privacy Framework. |
| Stripe | Subscription billing and payment processing | Billing contact details and payment information | EU/US. PCI-DSS certified; EU Standard Contractual Clauses. |
| Voyage AI | Document embeddings for in-exercise document search | Chunks of uploaded policy documents | United States. EU Standard Contractual Clauses. |
| Calendly | Demo scheduling | Name and email when you book a demo | United States. EU Standard Contractual Clauses. |
6. International transfers
Where data is processed outside the European Economic Area (see the table above), we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, supplemented by encryption in transit and at rest.
7. Retention
Workspace data (documents, simulations, transcripts, reports) is retained for as long as your organization's account exists and is deleted upon account deletion. Lead data is retained for up to 24 months after last contact. Billing records are retained for 7 years as required by Dutch tax law.
8. Security
Data is encrypted in transit (TLS) and at rest. Organizations are isolated from each other at the database level through row-level security. Authentication is passwordless via signed magic links. See our security page for the full overview.
9. Your rights
Under the GDPR you can request access, rectification, erasure, restriction, and portability of your personal data, and you can object to processing we base on legitimate interest. Email support@poisettx.com and we will respond within one month. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Changes
We may update this policy as the service evolves. Material changes are announced in the application or by email. The effective date at the top reflects the latest version.