Privacy Policy

Last updated: February 14, 2026

1. Introduction

Ctrl-Alt-Create (“we”, “us”, or “our”), operated by Björn Ullrich, is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you visit our website (www.ctrl-alt-create.eu) and use our services.

We process personal data in compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Dutch Implementation Act for the GDPR (Uitvoeringswet AVG, UAVG), and the EU AI Act (Regulation (EU) 2024/1689).

2. Data Controller

Ctrl-Alt-Create
Björn Ullrich
Gouda, The Netherlands
Email: hello@ctrl-alt-create.eu
KvK: 99737515
BTW-id: NL005407435B95

As a small-scale data controller, we are not required to appoint a Data Protection Officer (DPO). For any data protection enquiries, please contact us directly at the email address above.

3. What Data We Collect and Why

3.1 Website Visits (Server Logs)

When you visit our website, our hosting provider (Strato) automatically collects the following data in server log files:

  • IP address
  • Date and time of the request
  • Page visited and HTTP status code
  • Browser type and operating system
  • Referring URL

Purpose: Ensuring the security and stability of our website.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in maintaining a secure website.
Retention: Server logs are automatically deleted after 7 days.

3.2 Website Analytics (Google Analytics)

We use Google Analytics 4 to understand how visitors interact with our website. Google Analytics uses cookies and collects the following data:

  • Anonymised IP address (IP anonymisation is enabled by default in GA4)
  • Pages visited and time spent
  • Device type, browser, and operating system
  • Geographic region (country/city level, not precise location)
  • Referral source

Purpose: Analysing website usage to improve our content and user experience.
Legal basis: Article 6(1)(a) GDPR — your consent, obtained via our cookie banner.
Data processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Data transfer: Google may transfer data to the United States. Google is certified under the EU-US Data Privacy Framework. Additionally, Standard Contractual Clauses (SCCs) are in place.
Retention: Analytics data is automatically deleted after 14 months.
Opt-out: You can withdraw consent at any time via our cookie settings, or use the Google Analytics Opt-Out Browser Add-on.

3.3 Contact Form (WPForms)

When you submit our contact form, we collect:

  • Name
  • Email address
  • Message content

Purpose: Responding to your enquiry and potential follow-up communication.
Legal basis: Article 6(1)(b) GDPR — necessary for pre-contractual measures taken at your request.
Storage: Form submissions are stored on our EU-based server (Strato, Germany). They are not transmitted to third-party services.
Retention: Contact form data is deleted within 6 months after the enquiry has been resolved, unless a contractual relationship is established.

3.4 Client Services (AI Chatbot, Voice Agent, Avatar)

When end users interact with our AI-powered services deployed for our clients, the following data may be processed:

  • Conversation content (text input and AI responses for chatbots)
  • Audio data (for voice agents, processed in real-time and not permanently stored)
  • Video data (for avatar interactions, processed in real-time)
  • Usage metadata (conversation duration, timestamps, response times)
  • Technical data (browser type, device type, IP address)

Purpose: Providing and improving the contracted AI service.
Legal basis: Article 6(1)(b) GDPR — performance of a contract (between us and our client). For end users of our clients, our client is the data controller and we act as data processor. A Data Processing Agreement (DPA) governs this relationship.
Data hosting: AI chatbot data is processed and stored exclusively within the EU (AWS Frankfurt, Germany). Voice and avatar services may involve additional processors with appropriate DPAs in place.
Retention: Conversation logs are retained for the duration of the client contract plus 30 days, then permanently deleted.

4. AI Transparency

In accordance with Article 50 of the EU AI Act (applicable from August 2, 2026), we provide the following information about our AI systems:

  • Our chatbots, voice agents, and avatars are artificial intelligence systems. Users interacting with these systems are informed that they are communicating with an AI, not a human.
  • AI responses are generated based on large language models and curated knowledge bases. They are not pre-written by humans.
  • Conversations may be analysed in aggregated and anonymised form for quality improvement purposes.
  • Our AI avatar service generates synthetic video content. Users are informed of the artificial nature of this content.
  • No automated individual decision-making as defined in Article 22 GDPR takes place through our services.

Users always have the right to request human assistance from the respective client organisation.

5. Cookies

Our website uses the following categories of cookies:

Essential Cookies
Required for the website to function properly (e.g., session management, security). These do not require consent.

Analytics Cookies (Google Analytics)
Used to collect anonymised usage statistics. These are only placed after you have given your consent via our cookie banner.

You can manage your cookie preferences at any time through the cookie settings on our website. You can also delete cookies through your browser settings.

6. Data Sharing and Processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of processors, all bound by Data Processing Agreements:

  • Strato AG (website hosting, server located in Germany)
  • Amazon Web Services EMEA SARL (AI chatbot infrastructure, Frankfurt data centre)
  • Google Ireland Limited (website analytics)

For avatar and voice services, additional processors may be engaged. Clients are informed of all relevant processors in their service agreement and DPA.

7. International Data Transfers

We process data within the EU/EEA wherever possible. Where data is transferred to third countries (e.g., Google Analytics data to the US), we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework (for certified US companies)
  • Standard Contractual Clauses (SCCs) as adopted by the European Commission

We do not transfer data to countries without an adequate level of protection unless the above safeguards are in place.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data as required by Article 32 GDPR, including:

  • SSL/TLS encryption (HTTPS) for all data in transit
  • EU-based hosting infrastructure with access controls
  • Regular software updates and security monitoring
  • Encrypted database connections
  • Access limited to authorised personnel only

9. Your Rights Under the GDPR

You have the following rights regarding your personal data:

Right of access (Article 15) — You can request a copy of the personal data we hold about you.

Right to rectification (Article 16) — You can request correction of inaccurate personal data.

Right to erasure (Article 17) — You can request deletion of your personal data, subject to legal retention obligations.

Right to restriction of processing (Article 18) — You can request that we limit the processing of your data.

Right to data portability (Article 20) — You can request your data in a structured, commonly used, machine-readable format.

Right to object (Article 21) — You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to withdraw consent — Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please email us at hello@ctrl-alt-create.eu. We will respond within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity of the request.

10. Data Retention Summary

Data Category | Retention Period
Server logs | 7 days
Google Analytics data | 14 months
Contact form submissions | 6 months after resolution
Client conversation logs | Contract duration + 30 days
Invoicing and contract data | 7 years (Dutch fiscal retention obligation)

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated through a notice on our website. The date at the top of this page indicates when this policy was last updated.

12. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
PO Box 93374, 2509 AJ The Hague
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500

You also have the right to seek judicial remedy before a competent court.

13. Contact

For any questions regarding this Privacy Policy or data protection, please contact:

Ctrl-Alt-Create — Björn Ullrich
Email: hello@ctrl-alt-create.eu