Privacy Policy

This Privacy Policy explains how Equall ("we", "us") collects, uses, and protects personal data when you visit equallscan.com, join our Cloud waitlist, or otherwise interact with our website. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applies to anyone whose personal data we process, regardless of where you are located.

The Equall CLI (open-source software you run locally on your own machine) is out of scope: it does not transmit any data to us. This policy covers only data processed by our website and server-side services.

1. Data Controller

The data controller responsible for the processing described in this policy is:

Bureau 61 SRL
Avenue Georges Lecointe 50, 1180 Uccle, Belgium
Company number: BE 0798.930.404
Contact: admin@bureau61.com

We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. For any privacy-related question, write to the address above.

2. Data we collect

We only collect the data we genuinely need to operate the website and the waitlist.

2.1 Waitlist sign-up

When you submit the waitlist form, we collect:

• Your full name
• Your work email address
• Your professional role (selected from a fixed list)
• The timestamp and proof of your consent
• The source of the sign-up (e.g. landing)

2.2 Technical data

When you visit the website, our hosting provider and Supabase automatically receive standard technical information that any web server logs: IP address, user-agent, requested URL, referrer, and timestamp. These logs are kept for a short period for security, abuse prevention, and debugging.

2.3 What we do not collect

We do not run analytics, advertising, or third-party tracking on this website. We do not build user profiles, and we do not perform any automated decision-making or profiling within the meaning of Article 22 GDPR.

3. Why we collect it & legal basis

Each processing activity has a specific purpose and legal basis under Article 6 GDPR:

• Waitlist communications — to email you about the Equall Cloud beta, launch invites, and related product updates. Legal basis: your explicit consent (Art. 6(1)(a) GDPR), given by ticking the consent checkbox on the form.
• Website operation, security, and abuse prevention — to serve pages, prevent spam, detect attacks, and keep logs of incidents. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR) in running a secure, functional website.
• Compliance with legal obligations — for example, responding to lawful requests or honouring your GDPR rights. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

Providing your data is entirely voluntary. If you do not give consent or do not provide the information requested by the form, we simply will not be able to add you to the waitlist; there is no other consequence.

4. Retention

• Waitlist entries: kept until you withdraw your consent or ask us to delete your data, and in any case no longer than 24 months after the public launch of Equall Cloud, whichever comes first. After that, the entry is deleted or irreversibly anonymised.
• Server and security logs: kept for up to 30 days, then deleted, except where a longer period is necessary to investigate a specific security incident.
• Privacy-related correspondence: kept for as long as needed to handle your request and to demonstrate compliance, typically up to 3 years after the last exchange.

5. Sharing & processors

We do not sell your personal data and we do not share it with third parties for their own purposes. We rely on a small number of carefully selected processors who act only on our documented instructions, under written data-processing agreements compliant with Article 28 GDPR:

• Supabase (Supabase, Inc.) — database and authentication backend used to store waitlist entries. Region: EU (Ireland, eu-west-1) — data is stored within the European Economic Area. See supabase.com/privacy.
• Vercel (Vercel Inc., USA) — hosts the website and processes incoming HTTP requests, including short-term request and security logs. Vercel acts as a data processor under the GDPR. See vercel.com/legal/privacy-policy.
• Google — Material Symbols icon font(Google Ireland Ltd. / Google LLC) — the Material Symbols icon font is loaded at runtime from Google's CDN (fonts.googleapis.com and fonts.gstatic.com), so Google receives your IP address and user-agent each time a page that uses an icon is loaded. The body and monospace fonts (Onest, Geist Mono) are self-hosted by Next.js at build time and are not fetched from Google at runtime. We do not embed any other Google service. See policies.google.com/privacy.

We may also disclose personal data when required by law, by a competent authority, or to defend our legal rights. In such cases we limit disclosure to what is strictly necessary.

6. International transfers

Some of our processors are located outside the European Economic Area (EEA), in particular in the United States. When personal data is transferred outside the EEA, we rely on the safeguards provided by Chapter V of the GDPR — primarily the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework. You can ask us for a copy of the relevant safeguards by writing to admin@bureau61.com.

7. Cookies & tracking technologies

The public landing page does not set advertising or analytics cookies and does not use any cross-site tracking technology, so no cookie banner is required. The only cookies that may be set are strictly necessary cookies used by the authenticated product area (e.g. Supabase session cookies on /dashboard) once you sign in. These cookies are exempt from consent under Article 5(3) of the ePrivacy Directive because they are required to deliver a service you have explicitly requested.

8. Security

We use technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest at the database layer, restricted access to production systems, row-level security policies, and a least-privilege access model. No system is perfectly secure; if we ever become aware of a personal-data breach affecting you, we will notify the competent supervisory authority and, where required, you, in accordance with Articles 33 and 34 GDPR.

9. Your rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure(Art. 17) — request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18) — ask us to limit processing in specific situations.
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
• Right to lodge a complaint (Art. 77) — file a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. As Bureau 61 SRL is established in Belgium, our lead supervisory authority is the Belgian Data Protection Authority (APD/GBA), Rue de la Presse 35, 1000 Brussels.

To exercise any of these rights, email us at admin@bureau61.com. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. For security reasons we may need to verify your identity before acting on the request. Exercising your rights is free of charge, except where a request is manifestly unfounded or excessive.

10. Children

Equall is a developer tool intended for professional use. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has submitted personal data to us, contact admin@bureau61.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, our processors, or the law. The "Last updated" date at the top of this page always reflects the current version. For material changes — for example, the introduction of a new processing purpose or a new processor — we will notify waitlist members by email before the change takes effect.

12. Contact

For any question, request, or complaint regarding this policy or the way we handle your personal data, write to admin@bureau61.com. We aim to answer within a few working days, and in any case within the one-month statutory deadline.