Skip to main content

Privacy Policy

Last updated: 2026-06-02 · Effective: 2026-06-02

This Privacy Policy explains how AI Happens B.V. (“Nevel”, “we”, “us”) collects, uses, and protects personal data when you use nevel.ai, the Nevel web application, the Nevel mobile apps, and related services (collectively, the “Service”).

We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Dutch implementation thereof.

1. Data Controller

The data controller responsible for your personal data is:

AI Happens B.V.
KVK (Dutch Chamber of Commerce) number: 97734098
Registered office: Lomanstraat 82-H, 1075 RG Amsterdam, the Netherlands
Email: support@nevel.ai

2. What we collect

We collect the following categories of personal data:

  • Account data: email address, name (if provided), password hash, account creation date, account settings.
  • Content data: prompts, messages, attached files (.docx, .xlsx, .pptx, images), memory entries, projects, and chat history that you create within the Service.
  • Billing data: billing email, subscription plan, invoice history. Payment card details are handled by our payment processor and never stored on Nevel servers.
  • Technical data: IP address, browser type, device identifiers, operating system, language preferences, log files, and cookies (see Section 8).
  • Usage data: aggregated, pseudonymised metrics about feature usage (e.g. which models you use, message volume) for product analytics and capacity planning.
  • Communications: correspondence you send to support, sales, or via contact forms.

3. Purposes and legal bases (GDPR Art. 6)

  • Provide the Service (account creation, model routing, memory, file editing) — legal basis: performance of a contract (Art. 6(1)(b)).
  • Billing and tax compliance — legal basis: contract and legal obligation (Art. 6(1)(b)(c)).
  • Security, fraud prevention, abuse detection — legal basis: legitimate interest (Art. 6(1)(f)).
  • Product analytics and improvement — legal basis: legitimate interest (Art. 6(1)(f)). We use pseudonymised metrics and do not profile individual users.
  • Communications about your account or service changes — legal basis: contract / legitimate interest.
  • Marketing emails (if any) — legal basis: your consent (Art. 6(1)(a)). You may withdraw consent at any time via the unsubscribe link in each email.

4. The Privacy Proxy

Nevel routes your prompts to third-party AI providers (OpenAI, Anthropic, Google, xAI, and others) through a privacy proxy that depersonalises content before transmission. The proxy strips or replaces direct identifiers (names, emails, phone numbers, addresses, identifiers in pasted documents) with placeholders, so providers receive only the context needed to generate a response.

Re-identification happens locally on the response side, before the answer is shown to you. Providers do not receive your account identifier and do not link prompts to your Nevel account.

5. Third-party processors

We rely on the following sub-processors to operate the Service:

  • AI model providers: OpenAI (USA), Anthropic (USA), Google LLC (USA), xAI (USA) — receive depersonalised prompts only, via the privacy proxy.
  • Hosting and infrastructure: Vercel Inc. (USA / EU), AWS (EU regions).
  • Product analytics: Vercel Analytics and Vercel Speed Insights — cookieless, no personal data, aggregated only. PostHog Inc. (PostHog Cloud, EU region, Frankfurt) — used only with your consent for product analytics and session recordings (with all form inputs masked). You can change or withdraw this consent at any time from “Cookie settings” in the footer.
  • Payment processing: Stripe Payments Europe Ltd. (Ireland) and other processors as listed at checkout.
  • Email delivery: transactional email providers for account and billing notifications.

We have data processing agreements (DPAs) in place with each sub-processor as required by Art. 28 GDPR.

6. International data transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, on adequacy decisions and supplementary measures (encryption in transit and at rest, pseudonymisation via the privacy proxy).

7. Retention

  • Account data: retained for the duration of your account plus 30 days after deletion, except where longer retention is required by law (e.g. tax records for 7 years under Dutch law).
  • Content data (chats, memory, files): retained while your account is active. You can delete individual items or your entire account at any time from the dashboard. Deletion is permanent within 30 days.
  • Log files and security events: retained for up to 90 days.
  • Billing records: retained for 7 years as required by Dutch tax law.

8. Cookies and similar technologies

We use the minimum number of cookies and similar technologies needed to operate the Service:

  • Essential cookies: authentication, CSRF protection, session management, and storage of your cookie preferences. These cannot be disabled.
  • Analytics (cookieless): Vercel Analytics and Vercel Speed Insights — measure aggregate traffic and Core Web Vitals without setting any tracking identifier in your browser. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Analytics (consent-based): PostHog (EU) — collects product-usage events, autocaptured interactions, and session recordings with all form inputs masked. Enabled only after you click “Accept all” or enable the Analytics category in the cookie banner. Legal basis: consent (Art. 6(1)(a)). You can withdraw your consent at any time via the “Cookie settings” link in the footer.

We do not use advertising cookies and do not share data with ad networks.

9. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you (Art. 15).
  • Rectification — correct inaccurate data (Art. 16).
  • Erasure — request deletion of your data (Art. 17).
  • Restriction — limit how we process your data (Art. 18).
  • Portability — receive your data in a structured, machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interest (Art. 21).
  • Withdraw consent — for processing based on consent (Art. 7(3)).

To exercise any of these rights, contact us at support@nevel.ai. We respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority.

10. Security

We protect personal data with industry-standard safeguards: TLS 1.3 in transit, encryption at rest, least-privilege access controls, multi-factor authentication for staff with access to production systems, and continuous monitoring. No method of transmission or storage is 100% secure, but we work to maintain a high standard of protection.

11. Children

The Service is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact support@nevel.ai and we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or via a banner on the Service at least 14 days before they take effect. The current version is always available at nevel.ai/privacy.

13. Contact

For questions about this Privacy Policy or our processing of your personal data, contact support@nevel.ai or write to AI Happens B.V., Lomanstraat 82-H, 1075 RG Amsterdam, the Netherlands.