Privacy Policy

Last updated: March 4, 2026

1. Introduction

Brookhuis Applied Technologies ("we", "us", "our"), located at Twentepoort West 17, 7609 RD Almelo, The Netherlands, operates the Brookhuis Cleanroom Risk Engine (the "Service") at risk-engine.brookhuis.com.

This Privacy Policy explains how we collect, use, and protect your personal data when you use the Service. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data controller

Brookhuis Applied Technologies is the data controller for your personal data. For questions or requests regarding your data, contact us at info@brookhuis.com.

3. What data we collect

3.1 Account data

When you create an account, we collect:

• Email address
• Name (if provided)
• Password (stored as a secure hash, never in plain text)

3.2 Calculation data

When you use the calculator, we store:

• Calculation input parameters (particle sizes, product areas, exposure times)
• Calculation results (deposition rates, ISO classifications, risk assessments)
• Session identifiers to associate calculations with your account

This data is stored to provide your simulation history and enable PDF report generation. Free-tier users' calculation data is stored temporarily in the session and is not retained long-term.

3.3 Payment data

All payment processing is handled by our payment provider, Paddle (Paddle.com Market Ltd). We do not store credit card numbers, bank account details, or other financial information on our servers. Paddle processes payments as the Merchant of Record and maintains its own privacy policy regarding payment data.

We store only a Paddle customer identifier and subscription identifier to manage your subscription status.

3.4 Technical data

We automatically collect:

• IP address (anonymized - the last octet is removed before storage, making the address non-identifiable)
• Browser type and version
• Pages visited and features used
• Timestamps of interactions

4. How we use your data

We use your personal data for the following purposes:

• Providing the Service - performing calculations, storing your simulation history, generating reports
• Account management - authentication, password resets, email verification
• Subscription management - processing payments via Paddle, managing your plan status
• Service improvement - understanding usage patterns to improve the calculator (aggregated, non-identifiable data only)
• Communication - sending transactional emails (account verification, password resets, subscription confirmations)

5. Legal basis for processing

We process your data based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR) - to provide the Service you have signed up for
• Legitimate interest (Art. 6(1)(f) GDPR) - for security, fraud prevention, and service improvement
• Legal obligation (Art. 6(1)(c) GDPR) - for tax and accounting requirements related to subscriptions

6. Cookies

We use essential cookies required for the Service to function and analytics cookies to improve our service:

• Session cookie - maintains your login state and stores calculation data during your session
• CSRF token - protects against cross-site request forgery attacks
• Cookie consent - remembers your cookie consent preference
• Google Analytics (_ga, _ga_*) - collects anonymous usage statistics such as page views, feature usage, and visitor counts. No personally identifiable information is collected. Data is processed by Google. See Google's Privacy Policy.

We do not use advertising cookies or social media cookies. Analytics data is collected anonymously and is not linked to your account or personal information.

7. Data sharing

We share your data only with the following parties, and only as necessary:

• Paddle (Paddle.com Market Ltd) - our payment provider and Merchant of Record. Paddle processes your payment data and handles billing, invoicing, and tax compliance. See Paddle's Privacy Policy.
• Amazon Web Services (AWS) - our hosting provider. All data is processed and stored in the EU (Frankfurt, Germany region). See AWS Privacy Policy.
• Google (Google LLC) - we use Google Analytics and Google Tag Manager for anonymous usage statistics. No personally identifiable information is shared. See Google's Privacy Policy.

We do not sell, rent, or trade your personal data to any third parties.

We have Data Processing Agreements (DPAs) in place with both AWS and Paddle to ensure your data is processed in accordance with GDPR requirements.

8. Data storage and security

Your data is stored on servers located in the European Union (AWS Frankfurt, Germany). We implement appropriate technical and organizational measures to protect your data, including:

• Encrypted data transmission (HTTPS/TLS)
• Encrypted storage of sensitive configuration data
• Secure password hashing
• Network isolation via Virtual Private Cloud (VPC)
• Regular security updates

9. Data retention

• Account data - retained for as long as your account is active, and deleted upon account deletion
• Calculation history - retained for as long as your account is active
• Payment records - retained as required by tax and accounting regulations (typically 7 years)
• Session data - automatically expires and is deleted after the session ends

10. Your rights

Under the GDPR, you have the following rights:

• Access - request a copy of your personal data
• Rectification - correct inaccurate or incomplete data
• Erasure - request deletion of your personal data ("right to be forgotten")
• Restriction - request restriction of processing in certain circumstances
• Data portability - receive your data in a structured, machine-readable format
• Objection - object to processing based on legitimate interest

You can exercise several of these rights directly from your dashboard:

• Data export - download all your personal data in JSON format from your account dashboard
• Account deletion - permanently delete your account and all associated data from your account dashboard

For other requests, contact us at info@brookhuis.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

11. International data transfers

All data processing takes place within the European Union. We do not transfer your personal data outside the EU/EEA. Our payment provider Paddle may process payment data in accordance with their own privacy policy and applicable data transfer mechanisms.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The current version is always available at this page.

13. Contact

For questions about this Privacy Policy or your personal data, contact us at:

Brookhuis Applied Technologies
Twentepoort West 17
7609 RD Almelo
The Netherlands
info@brookhuis.com