Privacy Policy

Last updated: November 2, 2025

1. Introduction

X-Clu ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the General Data Protection Regulation (GDPR) and Belgian data protection laws.

This policy applies to all visitors and users of our website www.x-clu.com and our cybersecurity consulting services.

2. Who We Are

Company Name: X-Clu

VAT Number: BE0561947031

Address: Saint-Martinus Street 20, 3806 Velm, Belgium

Email: info@x-clu.com

Privacy Contact: GDPR@x-clu.com

3. What Personal Data We Collect

3.1 Information You Provide Directly

When you contact us through our website contact form, we collect:

  • Company name and address
  • Contact person name
  • Email address
  • Phone number
  • Number of employees
  • Industry sector
  • Approximate budget range
  • Current security issue or challenge
  • Service interest

3.2 Information Collected During Service Delivery

When providing our cybersecurity consulting services, we may collect:

  • Technical information about your IT infrastructure
  • Security assessment findings
  • Communications via email, phone, or meetings
  • Project documentation and deliverables
  • Invoicing and payment information

3.3 Information We Do NOT Collect

We do not use cookies, tracking pixels, or analytics tools on our website. We do not collect any browsing data, IP addresses, or device information beyond what is automatically logged by our web hosting provider for security purposes.

4. Why We Collect Your Data (Legal Basis)

4.1 Contact Form Submissions

Legal Basis: Consent and Legitimate Interest

We process your contact form data to respond to your inquiry and provide you with information about our services. By submitting the form, you consent to us using your data for this purpose.

4.2 Client Relationships

Legal Basis: Contract Performance

When you engage our services, we process your data to fulfill our contractual obligations, deliver cybersecurity consulting services, and manage our business relationship.

4.3 Financial Records

Legal Basis: Legal Obligation

Belgian law requires us to retain invoices, contracts, and financial records for 10 years for accounting and tax purposes.

4.4 Future Marketing (If Applicable)

Legal Basis: Consent

If we introduce marketing communications in the future, we will only send these to individuals who have explicitly opted in. You can withdraw consent at any time.

5. How We Store Your Data

Your personal data is stored securely using:

  • Microsoft Office 365: Email communications and document storage (EU data centers)
  • Microsoft OneNote: Client notes and project information (EU data centers)
  • Future CRM system: When implemented, will be GDPR-compliant with EU data storage

All systems use industry-standard encryption, secure access controls, and regular backups. Access to your data is limited to authorized personnel only.

6. Third-Party Service Providers

We share your data with the following trusted third parties, all of which are GDPR-compliant:

Web3Forms

Processes contact form submissions and forwards them to our email

Purpose: Contact form handling

Microsoft Corporation

Provides Office 365 email and cloud storage services (EU data centers)

Purpose: Data storage and communication

Future CRM Provider (To Be Determined)

Will be used for customer relationship management when selected

Purpose: Client data management

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7. How Long We Keep Your Data

Data Type Retention Period
Contact form inquiries (no response) 6-12 months
Proposals/quotes (not accepted) 6 months
Active client data Duration of project + 2 years
Project deliverables 5 years after project completion
Invoices, contracts, financial records 10 years (Belgian legal requirement)
Marketing subscribers (if applicable) Until unsubscribe or 2 years of inactivity

After these retention periods, we securely delete or anonymize your personal data unless we are legally required to retain it longer.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure ("Right to be Forgotten")

Request deletion of your data (subject to legal retention requirements)

Right to Restriction of Processing

Request limitation of how we process your data

Right to Data Portability

Receive your data in a structured, commonly used format

Right to Object

Object to processing based on legitimate interests

Right to Withdraw Consent

Withdraw consent for processing at any time

How to Exercise Your Rights:

Contact us at GDPR@x-clu.com

We will respond to your request within 30 days as required by GDPR.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encrypted data storage and transmission
  • Access controls and authentication (two-factor authentication)
  • Regular security updates and patches
  • Limited access to personal data (need-to-know basis)
  • Secure backup systems
  • Employee confidentiality agreements

10. Who Has Access to Your Data

Access to your personal data is strictly limited to:

  • X-Clu staff: Owner and authorized freelance consultants who require access to deliver services
  • Third-party processors: Only as listed in Section 6, under strict data processing agreements

All personnel with access to your data are bound by confidentiality obligations and receive appropriate data protection training.

11. International Data Transfers

Currently, we only serve clients within the European Union, and all data is stored and processed within EU data centers.

If we expand our services outside the EU in the future, we will implement appropriate safeguards (such as Standard Contractual Clauses) to ensure your data remains protected to GDPR standards.

12. Cookies and Tracking

Good News: We Don't Use Cookies!

Our website does not use cookies, tracking pixels, analytics tools, or any other tracking technologies. We respect your privacy and do not monitor your browsing behavior.

13. Children's Privacy

Our services are directed at businesses and organizations. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have inadvertently collected such data, we will delete it immediately.

14. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) within 72 hours and inform affected individuals without undue delay, as required by GDPR.

15. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Belgian supervisory authority:

Gegevensbeschermingsautoriteit (GBA)

Drukpersstraat 35, 1000 Brussels, Belgium

Phone: +32 2 274 48 00

Email: contact@apd-gba.be

Website: www.gegevensbeschermingsautoriteit.be

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on our website with a new "Last Updated" date. We encourage you to review this policy periodically.

17. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Data Protection Contact:

Email: GDPR@x-clu.com

General Inquiries: info@x-clu.com

Address: Saint-Martinus Street 20, 3806 Velm, Belgium

VAT: BE0561947031

© 2025 X-Clu. All rights reserved. | VAT: BE0561947031 | Saint-Martinus Street 20, 3806 Velm, Belgium