Privacy Policy

Effective date: 29 April 2026 Last updated: 29 April 2026 Binding language: English. Translations are for information only.

About Firestarter B.V. (in oprichting) Firestarter B.V. is currently in formation (in oprichting) under Dutch law. Once registration with the Dutch Chamber of Commerce (KvK) is complete, KvK and VAT details will be added to this page.

1. Who we are

This Privacy Policy describes how Firestarter B.V. (in oprichting) ("Firestarter", "we", "us", "our") processes personal data as a controller within the meaning of Article 4(7) of the General Data Protection Regulation ("GDPR").

Controller: Firestarter B.V. (in oprichting) Keizersgracht 127, 1015 CJ Amsterdam, the Netherlands Email: hallo@fire-starter.ai

This Privacy Policy applies to personal data we process as controller, including:

• visitors to our website (fire-starter.ai and related domains);
• people who pre-register, request information, or otherwise contact us;
• prospects, leads, and business contacts;
• representatives of customers who use our Service (account administrators, billing contacts, authorised users);
• recipients of our marketing communications;
• candidates applying for jobs with us;
• contacts of business partners and suppliers.

This Privacy Policy does not cover personal data we process on behalf of our customers when they use the Firestarter Service (for example: contacts in their CRM, recipients of their marketing emails, leads they manage). For that processing, Firestarter acts as a processor, and the relevant terms are set out in our Data Processing Agreement (DPA), available on our website. The customer is the controller of that data.

2. What personal data we process and why

2.1 Pre-registration and waitlist data

What: name, business email address, and any other information you choose to share when pre-registering, requesting a demo, or otherwise expressing interest in Firestarter.

Source: provided by you.

Purpose: to add you to our waitlist, to send you information about Firestarter and our launch, and to respond to your enquiries.

Legal basis: consent (Article 6(1)(a) GDPR) for waitlist communications, and our legitimate interest (Article 6(1)(f)) in operating our pre-launch process and responding to enquiries.

Retention: until you unsubscribe or for as long as you remain on the waitlist; reviewed at least annually.

2.2 Account data (for users of the Service, post-launch)

What: name, business email address, business phone number, job title, employer, account credentials (hashed), profile photo (if provided), language and timezone preferences.

Source: provided by the user when registering or by the customer's account administrator.

Purpose: to create and operate the user's account, authenticate access, provide support, and communicate about the Service.

Legal basis: performance of a contract (Article 6(1)(b) GDPR — the contract between Firestarter and the customer), and our legitimate interest (Article 6(1)(f)) in operating the Service securely.

Retention: for the duration of the user's access to the Service, plus 90 days after the customer's subscription ends, after which the account and associated personal data are deleted (subject to legal retention obligations).

2.3 Billing and contract data

What: company name, KvK / company registration number, VAT number, billing contact name and email, billing address, payment-method metadata (we do not store full card numbers — these are handled by our payment processor), invoices, contracts, and order forms.

Source: provided by the customer.

Purpose: to invoice the customer, process payments, perform the contract, and meet our legal accounting and tax obligations.

Legal basis: performance of a contract (Article 6(1)(b)), legal obligation (Article 6(1)(c) — Dutch tax and accounting law).

Retention: for the duration of the contract plus seven (7) years thereafter, in line with Dutch statutory retention obligations (fiscale bewaarplicht, Article 52 of the Dutch General Tax Act).

2.4 Usage and log data

What: IP address, device and browser identifiers, operating system, pages and features accessed, timestamps, error logs, session identifiers, and similar telemetry.

Source: automatically collected when you interact with our website or Service.

Purpose: to operate, secure, monitor, troubleshoot, and improve our website and Service; to detect and prevent abuse and fraud; to generate aggregate analytics.

Legal basis: legitimate interest (Article 6(1)(f)) in operating and securing the Service. For non-essential analytics that involve cookies, we rely on consent (Article 6(1)(a) GDPR and Article 11.7a of the Dutch Telecommunications Act).

Retention: raw logs for up to 12 months; aggregated and anonymised analytics for longer.

2.5 Sales and marketing data

What: name, business email, job title, employer, business phone, communication history with us, content viewed or downloaded, demo bookings, event participation.

Source: provided by the prospect (forms, demo requests, events) or collected from public business sources (such as LinkedIn, company websites, business databases).

Purpose: to respond to enquiries, schedule and conduct demos, send relevant business information, run targeted B2B marketing campaigns, and follow up on commercial opportunities.

Legal basis: legitimate interest (Article 6(1)(f) — promoting our B2B services to relevant business contacts), and consent (Article 6(1)(a)) where required for electronic marketing under the ePrivacy Directive.

Retention: while the contact is commercially relevant; reviewed at least annually. Contacts who object or unsubscribe are added to a suppression list and are no longer marketed to.

2.6 Communications and support data

What: the content of emails, chat messages, support tickets, and any other communications between you and Firestarter.

Source: you.

Purpose: to respond to enquiries, provide support, and improve our service.

Legal basis: performance of a contract (Article 6(1)(b)) for customer support; legitimate interest (Article 6(1)(f)) for general enquiries.

Retention: up to 24 months after the last interaction, unless longer retention is necessary for legal or compliance reasons.

2.7 Recruitment data

What: CV, cover letter, contact details, employment and education history, references, interview notes, assessment results.

Source: the candidate.

Purpose: to evaluate applications and conduct recruitment.

Legal basis: taking steps prior to entering into a contract at the candidate's request (Article 6(1)(b)), and legitimate interest (Article 6(1)(f)) in selecting suitable candidates.

Retention: up to four (4) weeks after the recruitment process ends, or up to one (1) year with the candidate's consent for future opportunities.

3. Cookies and similar technologies

We use cookies and similar technologies on our website. We seek consent for non-essential cookies via a cookie banner. The categories of cookies we use are:

• Strictly necessary cookies: required for the website to function. No consent required (Article 11.7a(3) Dutch Telecommunications Act).
• Analytics cookies: used to understand how the website is used, including via Google Analytics (configured with IP anonymisation). Consent-based.
• Marketing cookies: if and when used, for example for retargeting or conversion measurement. Consent-based.

You can manage your cookie preferences via the cookie banner on our website — reopen cookie settings. You can also refuse or delete cookies through your browser settings, but doing so may affect the functionality of the website.

4. Where we get personal data from

We receive personal data:

• directly from the data subject (e.g. when you fill in a form, sign up, contact us);
• from our customers (e.g. when a customer's administrator adds a user to their account);
• from public business sources (e.g. LinkedIn, company websites, business directories);
• from service providers and partners (e.g. event organisers who share attendee lists with consent, marketing data providers);
• automatically (e.g. log data, cookies).

5. Who we share personal data with

We share personal data only with the following categories of recipients, and only to the extent necessary:

5.1 Service providers (sub-processors and other processors)

We use carefully selected third-party providers to operate our business, including:

• cloud hosting and infrastructure (Microsoft Azure, EU region);
• AI inference providers (currently: Anthropic);
• email delivery and communications;
• analytics (Google Analytics);
• accounting, invoicing, and payment processing;
• customer support tools;
• error monitoring and logging.

We maintain a current overview of providers involved in operating our Service. All providers are bound by appropriate data protection terms.

5.2 Professional advisors

Where necessary, we share personal data with our lawyers, accountants, auditors, and insurers, who are bound by professional confidentiality.

5.3 Authorities

We disclose personal data to public authorities where required by law (for example, in response to a valid court order or regulatory request) or where necessary to protect our or others' rights, property, or safety. Where legally permissible, we will inform the affected data subject.

5.4 Corporate transactions

In the event of a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred to the relevant counterparty or successor entity, subject to confidentiality obligations and continued protection consistent with this Privacy Policy.

5.5 We do not sell personal data

Firestarter does not sell personal data, does not engage in cross-context behavioural advertising based on personal data, and does not share personal data with third parties for their own independent marketing purposes.

6. International transfers

We host customer data and most operational systems on Microsoft Azure infrastructure in the European Union. Some of our service providers — in particular AI inference providers — may process data outside the EU/EEA. Where this is the case, we transfer data only on the basis of a valid transfer mechanism under Chapter V GDPR (such as the European Commission's Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework). We are formalising our processor agreements and transfer documentation as part of our pre-launch readiness.

7. How we protect personal data

We apply technical and organisational security measures appropriate to the risk, including:

• encryption in transit (HTTPS/TLS);
• encryption at rest on Microsoft Azure infrastructure;
• multi-factor authentication for administrative access;
• access controls based on least-privilege principles;
• automated backups within our hosting infrastructure;
• staff awareness of data protection and confidentiality obligations.

No system is completely secure. We commit to applying industry-standard practices and to notifying affected parties of personal data breaches in line with Articles 33 and 34 GDPR.

8. Your rights under the GDPR

If you are an individual whose personal data we process, you have the following rights:

• Right of access (Article 15): to obtain confirmation of whether we process your personal data, and a copy of that data.
• Right to rectification (Article 16): to have inaccurate or incomplete personal data corrected.
• Right to erasure (Article 17, "right to be forgotten"): to have personal data deleted in defined circumstances.
• Right to restriction of processing (Article 18): to have processing restricted in defined circumstances.
• Right to data portability (Article 20): to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
• Right to object (Article 21): to object to processing based on legitimate interests, including profiling, and to object at any time to processing for direct marketing.
• Right to withdraw consent (Article 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of past processing.
• Right not to be subject to automated decision-making (Article 22): in defined circumstances. Firestarter does not make decisions producing legal or similarly significant effects on individuals based solely on automated processing of personal data we hold as controller.

To exercise any of these rights, contact us at hallo@fire-starter.ai. We will respond within one month, in line with Article 12(3) GDPR. We may need to verify your identity before responding.

If we process personal data about you on behalf of one of our customers (i.e. as a processor), please contact that customer directly. We will support the customer in responding to your request.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. The Dutch supervisory authority is the Autoriteit Persoonsgegevens (AP):

• Website: https://www.autoriteitpersoonsgegevens.nl
• Address: Postbus 93374, 2509 AJ Den Haag, the Netherlands

You may also lodge a complaint with the supervisory authority of your country of residence within the EU/EEA.

9. Children

The Service is intended for business use only and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it.

10. Marketing communications

We send marketing communications to business contacts in line with applicable law:

• Existing customers: we may send service-related communications (these are not marketing) and marketing communications about similar products and services, with the option to unsubscribe at any time.
• Prospects, waitlist members, and other contacts: we send marketing communications based on consent, or on legitimate interest in B2B marketing where permitted by law. Every marketing email contains an unsubscribe link.

You can opt out of marketing at any time by clicking the unsubscribe link in any marketing email or by contacting us at hallo@fire-starter.ai.

Service-related communications (e.g. security alerts, billing notices, important changes to the Service) are sent for as long as you have an account and are not subject to opt-out.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The most current version will always be posted on our website. Material changes will be notified to active users by email or in-product notification at least 30 days before the changes take effect.

12. Contact

For any questions, requests, or concerns about this Privacy Policy or our processing of personal data, please contact us:

Firestarter B.V. (in oprichting) Keizersgracht 127, 1015 CJ Amsterdam, the Netherlands Email: hallo@fire-starter.ai