Privacy Policy

How Clever Initiative collects, uses, and protects personal data — written in plain language, aligned with the GDPR.

Your privacy at Clever Initiative

We treat your data the way we want our own to be treated

Last updated: 30 April 2026

Clever Initiative is a Dutch B2B software platform. We host, license, and white-label a multi-tenant SaaS platform for businesses across Europe. Privacy is not a checkbox for us — it is built into the architecture of the product itself.

This page explains exactly what personal data we process, why we process it, who we share it with, and the choices you have. If anything is unclear, write to info@cleverinit.com and we will answer in plain English.

Who is responsible for your data

For data we collect about visitors, prospects, and customers of cleverinit.com, the data controller is:

  • Entity: Clever Initiative B.V. (Netherlands BV — registration in progress)
  • Address: Titaan Saturnusstraat 95, 2516 AG The Hague, The Netherlands
  • Privacy contact: info@cleverinit.com
  • General contact: hello@cleverinit.com

When we host the platform on behalf of a tenant, we act as a data processor for the personal data the tenant uploads about its own users. The tenant remains the controller of that data; this policy describes only the processing for which we are the controller.

What personal data we process

We deliberately collect as little personal data as we can while still running a useful business. The categories below cover everything we touch.

Website visitors

  • IP address and request headers — used transiently to serve the page and protect against abuse
  • Anonymous usage statistics (page views, referrer, viewport, language)
  • Cookies set by Google reCAPTCHA v3 on the contact form (anti-spam only)

People who contact us

  • Name, work email, and (optional) company submitted via the contact form
  • Subject category, message body, and the locale you submitted the form in
  • An anti-abuse signal from Google reCAPTCHA
  • The same data is mailed to hello@cleverinit.com and a confirmation copy is sent back to you

Customers and prospects in active conversation

  • Business contact details, company information, and the engagement model you are evaluating
  • Contracts, NDAs, proposals, and supporting documents you exchange with us
  • Invoices and payment information limited to what is necessary for accounting and Dutch tax law

End users on tenant platforms — we are processor, not controller

  • Authentication identifiers (email or phone), hashed credentials, and session tokens
  • Audit log entries that record significant state changes (we never store passwords, OTP codes, or connection strings in the audit log)
  • Tenant-defined business data — we have no contractual right to use this data for our own purposes

Why we are allowed to process it

Article 6 of the GDPR requires a lawful basis for every processing activity. Ours map cleanly onto these four:

Contract — Art. 6(1)(b)

Processing necessary to deliver the service you signed up for. Authentication, tenant resolution, billing, support, and platform operation all sit here.

Legitimate interests — Art. 6(1)(f)

Running the website, protecting it from abuse, responding to inbound enquiries, and improving the product. We balance these interests against your rights and never use your data for purposes you would not reasonably expect.

Legal obligation — Art. 6(1)(c)

Dutch tax, accounting, and corporate law oblige us to retain certain transactional records — typically seven years for invoicing data.

Consent — Art. 6(1)(a)

We only ask for consent where it is required, for example before sending marketing email. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

Who we share data with

We never sell personal data. We share it only with sub-processors who are contractually bound to handle it under instructions equivalent to ours. Each one is selected for a specific purpose:

Sub-processor | Purpose | Region
Twilio SendGrid | Transactional email delivery (contact form confirmations, account notifications) | EU + US (SCCs)
Twilio (SMS) | Two-factor authentication and SMS notifications, where enabled by a tenant | EU + US (SCCs)
Google reCAPTCHA v3 | Bot prevention on the contact form | EU + US (SCCs)
Hetzner Online GmbH | Production hosting for cleverinit.com and platform services | EU (Germany)
Docker Hub | Distribution of signed application container images | EU + US
GitHub | Source control, CI/CD pipelines, and module artifact signing | EU + US (SCCs)

If you are an enterprise tenant with a Data Processing Addendum, your DPA lists the authoritative, version-controlled register of sub-processors for your environment.

How our multi-tenant architecture protects your data

Database-per-tenant is the cornerstone of how we keep customer data isolated. Every tenant gets its own dedicated SQL Server database. There are no shared tables and no row-level filters substituting for real isolation. A bug in a single query cannot leak across tenants — there are no cross-tenant rows to leak.

Tenant database connection strings are encrypted with AES-256 using ASP.NET Core Data Protection before they are written to the host database. They are never logged at any log level, never returned in any API response, and never serialised into telemetry.

On every request, the platform identifies the tenant through a strict five-step resolution chain (JWT claim, X-Tenant-Id header, custom domain, platform subdomain, and a development-only query string). If no tenant resolves, the request is rejected before any business logic runs.

Your rights under the GDPR

If we process your personal data, you can exercise the rights below. We answer requests within one calendar month and never charge a fee for reasonable requests.

Right of access

Ask for a copy of the personal data we hold about you and confirmation that we are processing it.

Right to rectification

Ask us to correct inaccurate or incomplete data — usually a single email is enough.

Right to erasure

Ask us to delete your personal data when there is no overriding lawful reason to keep it.

Right to restrict processing

Ask us to pause processing while we investigate a dispute about accuracy or lawful basis.

Right to data portability

Receive the personal data you provided to us in a structured, machine-readable format and transmit it to another controller.

Right to object

Object to processing based on our legitimate interests, including profiling. Marketing opt-outs are honoured immediately.

To exercise any of these rights, write to info@cleverinit.com from the email address associated with the data. We may need to verify your identity before we act.

How long we keep your data

We keep personal data only as long as we have a clear reason to. After that, we delete or anonymise it.

  • Contact-form submissions — 12 months from the date we last spoke, then deleted
  • Customer account data — for the duration of the contract plus 90 days, then exported and deleted
  • Audit log entries — minimum 12 months, configurable per tenant up to 7 years
  • Invoicing and accounting records — 7 years (Dutch fiscal law)
  • Marketing consents — until withdrawn, plus an opt-out record we keep indefinitely
  • Server access logs — 30 days for operational diagnostics, then purged

How we secure your data

Security is engineered into the platform at every layer. The list below is a non-exhaustive summary of the controls that apply to all customer data.

  • Database-per-tenant isolation enforced at the persistence layer
  • AES-256 encryption of tenant connection strings at rest using ASP.NET Core Data Protection
  • TLS 1.2+ in transit, with HSTS preload across cleverinit.com and *.cleverinit.com
  • BCrypt password hashing at cost factor 12, refreshed annually as hardware accelerates
  • Two-factor authentication via TOTP or one-time codes, configurable per tenant
  • Layered authorisation — controller-level [HasPermission] checks plus handler-level re-checks
  • Immutable audit logging of every significant state change, with sensitive fields excluded by allow-list
  • Sub-processor due diligence, signed Data Processing Agreements, and an annual review cycle
  • Container images signed with RSA-4096 and verified by the host before any module loads

International data transfers

We host primary infrastructure in the European Union. Where a sub-processor (for example Twilio SendGrid or GitHub) processes personal data outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses and additional safeguards reviewed annually. We will publish updates to this list whenever we add or change a transfer mechanism.

Cookies and analytics

cleverinit.com uses only the cookies that are strictly necessary to make the site work and to protect it from automated abuse. We do not run cross-site advertising trackers, behavioural profiling pixels, or third-party analytics that share your data outside of our control. The contact form loads Google reCAPTCHA v3 only when needed; reCAPTCHA sets its own cookies and processes traffic signals on Google's infrastructure.

Children

Clever Initiative is a B2B platform. Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, write to info@cleverinit.com and we will delete it immediately.

Changes to this policy

When we change this policy in a material way, we update the "Last updated" date at the top and notify active customers by email. The version history of the file is kept in our public repository so you can compare any two versions.

How to file a complaint

If you believe we have mishandled your personal data, please contact info@cleverinit.com first — we want the chance to put it right. You also always have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your country of residence.

Questions about this policy? Contact our team or write to info@cleverinit.com.