Privacy Policy

  1. INTRODUCTION

Dealsup S.A. (also operating under the commercial name “Deelan.ai”, and referred to in this Policy as “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This privacy policy (the “Policy”) explains how we collect, use and protect Personal Data in connection with: (i) the website https://deelan.ai and any related domains we operate (the “Website”); (ii) the Deelan.ai software-as-a-service platform, including its AI-based content generation, AI roleplay simulation, analytics and related features (the “Platform”); and (iii) our pre-contractual, customer-support, billing and other business communications (together, the “Services”).

We act as a controller in respect of Personal Data we process for our own purposes, including: (i) operation of the Website and our marketing and sales activities; (ii) management of pre-contractual and contractual relationships with our business customers and their administrators; (iii) provision of customer support; (iv) operation of our recruitment and supplier-management activities; and (v) compliance with our own legal obligations. In respect of Personal Data that we process on behalf of our business customers through their use of the Platform (in particular prompts, content uploaded to the Platform, AI-generated outputs, audio/video roleplay recordings, and end-user usage data), we act as a processor. That processing is governed primarily by the data processing agreement entered into between us and the relevant customer, and end users of the Platform should refer to their own organization’s privacy notice for further information.

This Policy describes the categories of Personal Data we process, the purposes and legal bases for that processing, the recipients with whom we share Personal Data, the safeguards applicable to international transfers, the retention periods we apply, and the rights you have under Regulation (EU) 2016/679 (the “GDPR”) and the Luxembourg Act of August 1, 2018, on the organization of the National Commission for Data Protection and the general data protection framework (the “Luxembourg Data Protection Act”).

Unless otherwise defined, capitalized terms used in this Policy that are defined in the GDPR shall have the same meaning. References to articles are references to articles of this Policy unless expressly indicated otherwise.

  2. DATA CONTROLLER AND CONTACT

The controller of your Personal Data in respect of the Website, the Platform and the Services is:

Dealsup S.A., incorporated and existing under the laws of Luxembourg, having its registered office at 32, rue Charles Darwin, L-1433 Luxembourg, and registered with the Luxembourg Business Registers (le Registre de Commerce et des Sociétés) under number B284055. Dealsup S.A. operates the Platform under the commercial name “Deelan.ai”.

General contact: marketing@deelan.ai

Privacy queries and requests: privacy@deelan.ai

  3. HOW WE COLLECT AND USE PERSONAL DATA

The Personal Data we collect and the way we use it depend on how you interact with us — through the Website, the Platform, in the context of our Services or in a business-to-business setting. The following articles describe our processing activities for each category of data subject. For each category, we identify the categories of Personal Data, the purposes of the processing, the legal basis under Article 6 GDPR and the applicable retention period.

  3.1. Website visitors

Personal Data collected

When you visit the Website, we may process your IP address, browser type and version, device identifiers, the pages you view, the date and time of your visit, the duration of your visit, referring URLs, and city-level location data inferred from your IP address. Where we use cookies or similar technologies for analytics or advertising purposes, we may also collect tracking identifiers and behavioural data, in accordance with our Cookie Notice.

Purpose of processing

To operate the Website, ensure its security and integrity, prevent abuse, analyse usage and improve user experience.

Legal basis (Art. 6 GDPR)

(i) Our legitimate interest in operating a secure and well-functioning Website (Art. 6(1)(f) GDPR); and (ii) your prior consent for non-essential cookies and similar technologies, where required (Art. 6(1)(a) GDPR).

Retention

Server logs: [12] months. Analytics data: as set out below and in the Cookie Notice.

  3.2. Newsletter and marketing recipients

Personal Data collected

Name, business e-mail address, professional role, employer, language preference and engagement data (e.g. whether an e-mail was opened or a link clicked).

Purpose of processing

To send our newsletter, product and feature announcements, event invitations, demo and webinar invitations, and other promotional communications about the Platform and our Services, and to measure the effectiveness of those communications.

Legal basis (Art. 6 GDPR)

Your consent (Art. 6(1)(a) GDPR), and where permitted under applicable law (in particular the Luxembourg Act of 30 May 2005), our legitimate interest in promoting our Services to existing customers (Art. 6(1)(f) GDPR). You may withdraw your consent or object at any time by clicking the unsubscribe link in any e-mail or by contacting us; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Retention

For the duration of your subscription and for [12] months thereafter for evidence purposes.

  3.3. Persons who contact us

Personal Data collected

Name, e-mail address, telephone number, employer or company you represent, role, and any other information you include in your enquiry, demo request, support request or proposal.

Purpose of processing

To respond to your request, provide information about the Services, deliver pre-contractual demonstrations, scope an engagement and follow up on commercial discussions.

Legal basis (Art. 6 GDPR)

(i) Pre-contractual measures taken at your request (Art. 6(1)(b) GDPR); (ii) our legitimate interest in handling enquiries and managing customer relationships (Art. 6(1)(f) GDPR); and (iii) where applicable, your consent (Art. 6(1)(a) GDPR).

Retention

[24] months following the last meaningful contact, unless a contractual relationship is established (in which case Article 3.5 applies) or a longer retention is required by law.

  3.4. Customer administrators and end users of the Platform

Personal Data collected

Account and contact data for the Controller’s administrators (name, business e-mail, role, organization, telephone number where provided); authentication and security data (login credentials, MFA tokens, session tokens); commercial and contractual data; correspondence and support communications. In respect of end users of the Platform (e.g. the Controller’s revenue-team members), we typically process: account and contact data; authentication data; in-product activity, engagement and analytics data; prompts and instructions submitted to AI Features; content uploaded to the Platform (which may include third-party Personal Data); AI-generated outputs; audio and (where the feature is enabled) video recordings of roleplay sessions; speech transcripts and AI-generated scoring; support communications; and technical metadata (IP address, device identifiers, login times, session duration).

Purpose of processing

To make the Platform available and operate its AI-based features; to manage administrator and end-user accounts; to provide customer support; to generate analytics for the Controller; to invoice and collect fees; to investigate misuse or security incidents; and to comply with our legal obligations. In respect of end-user content (prompts, uploads, outputs, recordings), we act as processor under the data processing agreement and the purposes are determined by the Controller.

Legal basis (Art. 6 GDPR)

Where we act as controller (e.g. for administrator accounts, customer support and analytics relating to our own business operations): (i) performance of the contract with the Controller (Art. 6(1)(b) GDPR); (ii) our legitimate interest in operating, securing and improving the Platform and our business (Art. 6(1)(f) GDPR); and (iii) compliance with our legal obligations (Art. 6(1)(c) GDPR). Where we act as processor in respect of end-user content, the lawful basis is determined by the Controller.

Retention

Administrator account data: for the duration of the contractual relationship and for [up to 10 years thereafter for accounting/contractual evidence purposes]. End-user content processed as processor (prompts, uploads, outputs, recordings, usage data): for the duration of the Main Agreement, plus the post-termination Export Window agreed with the Controller (typically up to 60 days), plus any legally required retention.

  3.5. Business customers and their representatives

Personal Data collected

Name, business contact details, role, organisation, correspondence, contract data (including the Order Form, fees, term, billing details), administrator credentials, support communications, and any Personal Data shared by the Controller in the course of pre-contractual or contractual discussions.

Purpose of processing

To enter into and perform the Order Form and SaaS Terms; provide and operate the Platform; manage the customer relationship and administrator accounts; invoice and collect fees (including through online payment processors); maintain commercial records; and comply with our legal obligations.

Legal basis (Art. 6 GDPR)

(i) Performance of the contract with the client (Art. 6(1)(b) GDPR); (ii) compliance with our legal obligations (Art. 6(1)(c) GDPR); and (iii) our legitimate interest in managing client relationships and developing our business (Art. 6(1)(f) GDPR).

Retention

For the duration of the subscription and for [up to 10 years following its end] for accounting, tax and limitation-period evidence purposes, unless a longer or shorter period is mandated by law.

  3.6. Suppliers, contractors and business partners

Personal Data collected

Name, business contact details, role, organisation, banking and tax data necessary for invoicing and payment, and any correspondence relating to the engagement.

Purpose of processing

To negotiate, conclude and perform supplier and partner agreements; manage the relationship; pay invoices; and comply with our legal obligations.

Legal basis (Art. 6 GDPR)

(i) Performance of the contract with the relevant organisation (Art. 6(1)(b) GDPR); (ii) compliance with our legal obligations, including AML obligations where applicable (Art. 6(1)(c) GDPR); and (iii) our legitimate interest in managing supplier and partner relationships (Art. 6(1)(f) GDPR).

Retention

For the duration of the relationship and [ten (10) years thereafter] for accounting and tax purposes.

  3.7. Job applicants

Personal Data collected

Name, contact details, CV, cover letter, references, professional history, education, and any additional information you choose to share. We do not request, and ask you not to share, special categories of Personal Data within the meaning of Article 9 GDPR unless strictly necessary and lawful.

Purpose of processing

To assess your application, conduct interviews, communicate about the recruitment process and, with your consent, retain your application for future opportunities.

Legal basis (Art. 6 GDPR)

(i) Pre-contractual measures taken at your request (Art. 6(1)(b) GDPR); (ii) our legitimate interest in conducting recruitment (Art. 6(1)(f) GDPR); and (iii) your consent for retention of unsuccessful applications for future opportunities (Art. 6(1)(a) GDPR).

Retention

Unsuccessful applications: [6 months] from the closure of the recruitment process, or [24] months with your consent. Successful applications: incorporated into the employee file under our employee privacy notice. 

  4. RECIPIENTS AND THIRD-PARTY SERVICE PROVIDERS

We do not sell your Personal Data. We only share Personal Data with the following categories of recipients, and only to the extent necessary for the purposes set out in this Policy:

(a) Service providers acting as processors — including providers of website hosting, e-mail and marketing automation, payment processing, analytics, learning-management and course-delivery platforms, video-conferencing tools, customer-relationship management, accounting, ticketing and IT-support services. Each such processor is bound by a written data-processing agreement that meets the requirements of Article 28 GDPR. For the Platform specifically, our processors typically include: cloud-hosting providers; AI model providers (large language model and speech-processing providers); analytics and product-instrumentation providers; payment processors; customer-support tooling and ticketing providers; and e-mail / customer-communication providers. A current list (with the country of establishment for each, in particular for providers established in the United States) is published in our sub-processor register, available at deelan.ai/sub-processors;

(b) Independent controllers — including the Company's professional advisers (lawyers, auditors, tax advisers), banks and insurance providers, where they act as separate controllers for the relevant processing;

(c) Public authorities — including the CNPD, tax and social-security authorities, and judicial or law-enforcement authorities, where disclosure is required by law or court order;

(d) Corporate transactions — in the event of a merger, acquisition, restructuring or sale of all or part of the Company's business, Personal Data may be transferred to the relevant counterparty subject to appropriate confidentiality and data-protection safeguards.

An up-to-date list of the principal third-party service providers we use, and their privacy policies, is available on request via the contact details set out above.

  5. INTERNATIONAL TRANSFERS

The Company is established in the Grand Duchy of Luxembourg and processes Personal Data primarily within the European Economic Area (the “EEA”). Some of our service providers may, however, process Personal Data outside the EEA, in particular in the United Kingdom, Switzerland and the United States. We identify in our sub-processor register the country of establishment of each sub-processor (including those established in the United States) and the transfer mechanism applicable to it.

Where Personal Data is transferred to a country outside the EEA that does not benefit from an adequacy decision adopted by the European Commission under Article 45 GDPR, we put in place appropriate safeguards under Article 46 GDPR, in particular:

(a) the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914;

(b) where transfers are made to a recipient certified under the EU-U.S. Data Privacy Framework, reliance on that adequacy decision; and

(c) supplementary technical, contractual and organizational measures, identified through a Transfer Impact Assessment carried out in line with EDPB Recommendations 01/2020, where required by the circumstances of the transfer.

You may obtain further information about the transfers we carry out and a copy of the safeguards in place by contacting us using the details above. Where required by law, certain elements of the safeguards may be redacted on commercial-confidentiality grounds.

  6. RETENTION

We retain your Personal Data only for as long as is necessary to achieve the purposes for which it was collected, unless a longer retention period is required or permitted by law. The retention periods applicable to each processing activity are set out above.

In addition to the periods set out above, we may retain Personal Data for a longer period where this is necessary: (i) to comply with a legal or regulatory obligation (including the ten-year retention required under Article 16 of the Luxembourg Commercial Code for accounting records and supporting documents); (ii) to establish, exercise or defend legal claims; or (iii) to enforce our agreements.

Where Personal Data has been collected on the basis of your consent, we will retain it until you withdraw your consent, unless we are required by law to retain it for longer.

Once the applicable retention period has expired, we will securely delete or anonymise the Personal Data. Once the data has been deleted, the rights of access, rectification, erasure and portability can no longer be exercised in respect of that data.

  7. SECURITY

We have implemented appropriate technical and organisational measures within the meaning of Article 32 GDPR to ensure a level of security appropriate to the risk presented by the processing, including, where relevant: (i) encryption of Personal Data in transit and at rest; (ii) access controls based on the principle of least privilege; (iii) regular backups; (iv) monitoring of systems and networks; (v) confidentiality undertakings imposed on staff and contractors; and (vi) periodic review and testing of our security measures.

Where we engage processors, we contractually require them to implement appropriate technical and organisational measures and to assist us in complying with our obligations under Articles 32 to 36 GDPR.

In the event of a Personal Data breach which is likely to result in a risk to the rights and freedoms of natural persons, we will notify the CNPD within 72 hours of becoming aware of the breach in accordance with Article 33 GDPR, and will inform affected data subjects without undue delay where Article 34 GDPR requires us to do so.

  8. AUTOMATED DECISION-MAKING AND PROFILING

We do not use your Personal Data to take decisions based solely on automated processing – including profiling – which produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. The Platform makes use of AI-based features (including AI-generated courses, scenario generation, roleplay simulations, voice analysis and skills scoring). Outputs of these features are produced for the Controller and its end users, and are not used by us to take decisions concerning you that produce legal or similarly significant effects within the meaning of Article 22 GDPR; any such decisions are made by the Controller, which is responsible for ensuring appropriate human oversight.

Where we use automated tools to support marketing segmentation, course recommendations or analytics, the resulting outputs are reviewed by a human before any decision is taken that meaningfully affects you. If we ever introduce processing falling within the scope of Article 22(1) GDPR, we will update this Policy and, where required, obtain your explicit consent or rely on another lawful basis under Article 22(2) GDPR.

  9. COOKIES

The Website uses cookies and similar technologies, the use of which is governed by Article 2 of the Luxembourg Act of 30 May 2005 on electronic communications networks and services, as amended, transposing Article 5(3) of Directive 2002/58/EC (the “ePrivacy Directive”). Detailed information about the cookies we use, their purposes, retention periods, and the means by which you can grant or withdraw your consent is set out in our separate cookie notice available at deelan.ai/cookie-policy (the “Cookie Notice”).

Strictly-necessary cookies are placed on the basis of our legitimate interest in providing a functional Website. All other cookies (including analytics and marketing cookies) are placed only with your prior consent, which you can withdraw at any time via the cookie-management interface accessible from the Website.

  10. CHILDREN

The Website, the Platform and the Services are intended for business users and are not directed at children. We do not knowingly collect Personal Data from children under 16 years of age. If we become aware that we have collected such data without the consent of the holder of parental responsibility, we will take appropriate steps to delete it.

  11. LINKS TO THIRD-PARTY WEBSITES

The Website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and we encourage you to review their privacy notices independently.

  12. YOUR RIGHTS

Subject to the conditions and limits set out in Articles 15 to 22 GDPR, you have the following rights in respect of your Personal Data:

Right of access (Art. 15)

To obtain confirmation as to whether we process Personal Data concerning you and, if so, to receive a copy of that data and information about the processing.

Right to rectification (Art. 16)

To have inaccurate Personal Data corrected and incomplete Personal Data completed without undue delay.

Right to erasure (Art. 17)

To request the deletion of your Personal Data, in particular where it is no longer necessary, you have withdrawn your consent or you object to the processing.

Right to restriction (Art. 18)

To request restriction of the processing in certain circumstances, in particular where you contest the accuracy of the data.

Right to data portability (Art. 20)

Where the processing is based on consent or contract and is carried out by automated means, to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to object (Art. 21)

To object, on grounds relating to your particular situation, to processing based on legitimate interests; you have an unconditional right to object to processing for direct-marketing purposes.

Right to withdraw consent (Art. 7(3))

Where the processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

Rights in respect of automated decisions (Art. 22)

Not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects you, except where Article 22(2) GDPR applies.

Right to lodge a complaint (Art. 77)

To lodge a complaint with a supervisory authority, in particular the CNPD (see below).

Where we process your Personal Data on the basis of our legitimate interests (Art. 6(1)(f) GDPR), you can object to the processing on grounds relating to your particular situation. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where the processing is necessary for the establishment, exercise or defense of legal claims.

  13. HOW TO EXERCISE YOUR RIGHTS

To exercise any of the rights set out above, please contact us by e-mail at privacy@deelan.ai or by post at the address set out above. There is no fee for submitting a request, except where the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) GDPR.

We will respond to your request within one (1) month of receipt. Where the request is complex or where we receive a number of requests, we may extend that period by a further two (2) months and will inform you of the extension and the reasons for it within one month of receipt.

Where we have reasonable doubts about your identity, we may request additional information necessary to confirm it. We will use that information solely for the purpose of identity verification.

  14. SUPERVISORY AUTHORITY

If you consider that our processing of your Personal Data infringes the GDPR or the Luxembourg Data Protection Act, you have the right to lodge a complaint with the competent supervisory authority. As the Company is established in Luxembourg, the lead supervisory authority is:

Commission nationale pour la protection des données (CNPD)

15, Boulevard du Jazz

L-4370 Belvaux, Grand Duchy of Luxembourg

Tel.: +352 26 10 60 1

Website: www.cnpd.lu

You also have the right to lodge a complaint with the supervisory authority of the Member State of your habitual residence or place of work.

  15. CHANGES TO THIS POLICY

We may update this Policy from time to time. Where we do, we will update the date stated at the top of this document. We encourage you to review this Policy regularly. Where we make material changes, we will notify you by appropriate means, including by posting a notice on the Website.

Where a change affects processing carried out on the basis of your consent, we will request your renewed consent before the change takes effect.