mylobbyist

Privacy Policy

What data we collect, why, where it lives, and the controls you have. We aim to keep this honest and short.

Last updated · 17 May 2026

01

Who we are

my·lobbyist is operated by [Company Legal Name], registered in [Country of Incorporation] under company number [Registration Number], with its registered office at [Registered Address].

For the purposes of the EU General Data Protection Regulation (GDPR) and any equivalent national legislation, we act as the data controller for personal data we collect about our website visitors, trial users and account holders. We act as a data processor for any personal data our customers process through the platform — see the Data Processing Agreement for those terms.

02

Data we collect

We try to collect only what we need to run the service.

  • Account data: your name, work email, company name, role, country and password hash. Provided by you on sign-up.
  • Profile data: sector, files you follow, your issue brief inputs — used to render your stakeholder map and recommendations.
  • Usage data: pages visited, features used, session metadata (timestamps, browser, approximate region), error logs. Used for product reliability and improvement.
  • Content you submit: briefs, prompts and questions you send to the AI agents. Stored in your workspace.
  • Billing data: processed by our payment provider — we store invoicing metadata only (company name, VAT, address). We do not see your card number.
  • Support correspondence: emails and messages you send us, kept while needed to handle the request and improve support quality.

We do not use third-party advertising cookies, cross-site trackers, session replay tools, or fingerprinting. The only cookies we set are strictly necessary (session, CSRF) and a single first-party analytics cookie used in aggregate.

03

Why we process it

  • Provide the service: authentication, building your stakeholder map, generating recommendations, sending you in-product notifications.
  • Improve the product: aggregate usage metrics to understand what works, fix what doesn't and prioritise the roadmap.
  • Service emails: login confirmations, security alerts, billing notices, material changes to terms. You cannot opt out of these while you have an account.
  • Marketing emails: only with your explicit opt-in. Unsubscribe links in every message.
  • Security & abuse prevention: detecting credential stuffing, bot traffic, scraping and other misuse of the platform.
  • Legal obligations: accounting records, tax filings, lawful requests from competent authorities.

05

Where your data lives

Our entire production stack runs on Google Cloud and Google Workspace, under contracts negotiated for our company account. We do not operate our own data centres and we do not use any other cloud provider for production workloads.

Primary data residency is in the European Union (Google Cloud EU regions). Where any limited supporting service is provided from outside the EU, transfers rely on Google's Standard Contractual Clauses and supplementary safeguards documented in the Google Cloud Data Processing Addendum.

06

Who we share data with

We do not sell or rent personal data. We do not share personal data with advertisers, data brokers, marketing platforms or analytics companies that profile users across the web.

The only third party that processes personal data on our behalf is Google (Google Cloud, Google Workspace and related services), acting as a sub-processor under the agreements referenced above.

We may disclose personal data when strictly required by law (for example, a binding court order from a competent EU authority). We push back on overbroad requests and we publish notice where we are legally allowed to.

07

Retention

  • Account & content data: for as long as your account is active, plus 90 days after closure to handle recovery requests.
  • Usage & security logs: up to 12 months, shorter for verbose debug traces.
  • Backups: rolling 30-day window; restored data inherits the original retention.
  • Billing records: kept for the period required by applicable tax and accounting law (typically 7–10 years in the EU).

You can request earlier deletion at any time — see your rights below.

08

Your rights

If you are in the EEA, UK or Switzerland, you can:

  • Access the personal data we hold about you
  • Ask us to correct anything inaccurate
  • Ask us to delete your account and associated personal data
  • Restrict or object to specific processing
  • Receive a portable copy of your data in a structured format
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with your local supervisory authority

To exercise any of these, email privacy@mylobbyist.eu. We respond within 30 days; in complex cases we may extend by two months and will tell you why.

09

Security

We take security seriously, not seriously-on-a-page seriously.

  • TLS 1.2+ in transit, AES-256 at rest (inherited from Google Cloud)
  • Single sign-on internally; multi-factor authentication on all admin and engineering accounts
  • Least-privilege access; production access is logged and reviewed
  • Secrets are stored in Google Secret Manager — never in source control
  • Vendor due diligence: Google's certifications (ISO 27001, ISO 27017/18, SOC 2 Type II) underpin our security posture
  • Incident response process with personal data breach notification within 72 hours of awareness

10

Children

my·lobbyist is a B2B tool for EU public affairs professionals. The service is not intended for, and we do not knowingly collect data from, anyone under 18.

11

Changes to this policy

We will post any updated version on this page with a new "last updated" date. Material changes will be communicated in the product and by email at least 30 days before they take effect.

12

Contact us

Questions, requests or complaints about privacy at my·lobbyist:

  • Postal address: [Registered Address], Brussels
  • Supervisory authority: Belgian Data Protection Authority (APD/GBA) — contact@apd-gba.be