Privacy Policy

Last updated: December 2025

Contents

1. Introduction

Disso cares about your privacy and treats your personal data as confidentially as possible.

The protection of your privacy and your personal data is an extremely serious matter for us. We collect, store and use your personal data only in accordance with the contents of this privacy statement ("Privacy Statement") and the applicable regulations on data protection, in particular the provisions of the General Data Protection Regulation ("GDPR") and the national data protection provisions.

This Privacy Statement explains what personal data is collected and processed, for what purposes, how long we keep personal data, what your rights are in this regard and how you can contact us.

This Privacy Statement applies, inter alia, to (i) our website disso.ai (hereinafter our "Website") and Disso platform (hereinafter our "Platform"), and the services and activities associated with it and (ii) all relationships through any other means of communication between you and us in which Disso acts as data controller.

For clarity: Disso acts as a data controller only for the limited personal data described above (such as website interactions, contact details, account information, and demo access). Any personal data processed through a client’s use of the Disso platform—whether hosted by Disso or deployed inside the client’s own cloud environment—is processed by Disso solely as a data processor under the relevant DPA and contractual terms.

2. General information applicable to all our personal data processing activities

2.1. Who is the controller?

Disso Security, a private limited company, with registered office at Juliaan Dillensstraat 10, 2018 Antwerpen, Belgium and registered in the Belgian Crossroads Bank for Enterprises under the number 1016.749.842 (hereinafter "Disso", "we" or "us"), is responsible for processing your data as described in this Privacy Statement.

Please note that Disso is a data controller, which means that we have a direct responsibility to you in relation to the processing of your personal data in the situations covered by this Privacy Statement. This Privacy Statement relates solely to our relationship with you as a data controller (for example, when you visit our Website, communicate with us, or when we manage contract and billing information).

It is important to clarify that Disso is not the data controller of the personal data processed through the Disso services (such as employee communications or other personal data handled by our Gen-AI communication security functionality). For all use of the Disso platform—whether delivered as a hosted SaaS service, a private deployment inside a client’s cloud environment, or any other implementation—the client determines the purposes and means of the processing and therefore acts as the data controller. Disso acts as the data processor solely in accordance with the applicable contractual documentation, including the Subscription Agreement, Data Processing Agreement, and, where relevant, the Architecture Documentation for private deployments. These documents govern how personal data is processed within the service.

2.2. How do we receive your personal data?

Personal data is data that can be used to directly or indirectly identify natural person. We may collect and process personal data in various ways, e.g. when:

  • you contact or have contacted us (e.g. via the contact form on the Website, via the chatbot, when you book a meeting via our Website, etc.);
  • we provide or have provided any of our services to you;
  • you wish to apply for a job at Disso;
  • when you create an account via our Website/Platform;
  • when you subscribe to our newsletter;
  • etc.

Usually, you give us your personal data yourself. Sometimes we receive your contact details through third parties, e.g:

  • via the contact form on our Website, e.g. a colleague of yours can invite you as a 'guest' to get acquainted by providing us with your e-mail address.

We may also find, update, supplement and improve your data through public sources (e.g. Crossroads Bank for Enterprises, etc.) and social networks (e.g. LinkedIn, etc.).

The above relates only to personal data that Disso processes as a data controller (e.g., website interactions, contact details, demo access, etc.). Any personal data processed through a client’s use of the Disso platform is handled by Disso solely as a data processor under the applicable DPA and contractual terms. Disso does not extract or copy employee communication data from a client’s environment unless expressly instructed and contractually agreed.

2.3. Do we share your personal data outside the European Union?

In principle, we use your personal data only for providing the services you request. If we use external service providers to provide these services, these service providers also have access to your personal data exclusively within the scope of their services. We have implemented necessary technical and organizational measures to ensure compliance with data protection regulations and also require external service providers to adhere to these provisions. We have entered into data processing agreements with relevant third parties, which include necessary safeguards regarding the confidentiality and privacy compliance of your personal data.

Notwithstanding the foregoing, it is possible that Disso may disclose your personal data to competent authorities (i) if Disso is required to do so by law or legal process and/or (ii) to protect and defend our rights.

In principle, we aim to store your personal data on IT systems in the European Economic Area ("EEA").

If personal data are transferred to countries or organisations outside the EEA, appropriate safeguards will always be provided. Any transfer of personal data outside the EEA to a recipient in a country not covered by a decision of the European Commission to provide an adequate level of protection, will be subject to the provisions of a data transfer agreement, which will include (i) the standard contractual clauses issued by the European Commission, or (ii) any other mechanism in accordance with the GDPR, or any other regulation relating to the processing of personal data such as the EU-U.S. Data Privacy Framework for transfers to the U.S. If you have any questions regarding these safeguards or their accessibility, please contact us by e-mail or post using the details below (under title 2.5).

These provisions relate only to personal data that Disso processes as a data controller (such as contact, account, and billing information). Any personal data processed through a client’s use of the Disso platform is handled by Disso solely as a data processor under the applicable DPA—whether the platform is hosted by Disso or deployed inside the client’s own cloud environment. In private deployments, employee communication data remains within the client’s environment and is not transferred out unless expressly agreed.

2.4. What rights do you have as a data subject?

You have several rights:

  • You have a right to access your personal data. This allows you to check what personal data we process about you;
  • You have a right to correct your personal data. This allows you to correct or supplement any incorrect or incomplete personal data we process about you;
  • You have a right to erasure of your personal data. This allows you to permanently erase personal data that we process about you. We are not always obliged to erase your personal data at your request – this right only applies in the cases and to the extent provided by law;
  • You have a right to restrict the processing of your personal data. This allows you to freeze our use of your personal data without erasing it. We are not always obliged to restrict your personal data at your request – this right applies only in the cases and to the extent provided for by law;
  • You have the right to object to the processing of your personal data. This allows you to object to the further processing of your personal data. We are not always obliged to honor your objection – this right only applies when we process your personal data based on our legitimate interests;
  • You always have the right to withdraw your consent when the processing of your personal data is based on your consent;
  • You always have the right to object the processing of your personal data for direct marketing purposes;
  • You have the right to data portability. This allows you to transfer, copy or forward personal data smoothly from one controller to another. This right can only be exercised if the processing is based on your consent or on an agreement with you.

If you wish to exercise any of the rights listed above, please contact us by e-mail or post using the details below (under title 2.5).

When you make a request to exercise your rights, we will first verify your identity through the appropriate and least privacy-intrusive means. We do this to prevent your data from falling into the wrong hands.

The exercise of your rights is in principle free of charge. If your request is manifestly unfounded or excessive, we may charge you a reasonable fee in light of the administrative costs incurred by us. In such cases, however, we may also choose not to comply with your request. You will be notified of the reasons for this, if applicable.

In any case, we will always inform you of the outcome of your request no later than within one month. For complex or multiple requests, this period may be extended by two months, but we will also inform you of this necessary extension within the initial month.

Please note that the above relates only to personal data for which Disso acts as a data controller (such as website, account, and contact information). Personal data processed through the Disso platform—whether hosted by Disso or deployed privately inside a customer’s cloud environment—is controlled by the customer. In those cases, your rights should be exercised with your employer or the relevant enterprise customer, who is the data controller for that processing.

2.5. Want to exercise your rights, have questions or a complaint?

For the exercise of your rights, for any questions or complaints related to the processing of personal data, you can always contact us:

  • via email: [email protected]
  • via letter:
    Disso Security BV
    FAO: the data protection manager
    Juliaan Dillensstraat 10,
    2018 Antwerpen
    Belgium

You can also file a complaint with the supervisory authority in the location where you reside. For Belgium, this is the Data Protection Authority:

  • via the website: gegevensbeschermingsautoriteit.be
  • via e-mail: [email protected]
  • by phone: +32 2 247 48 00
  • via letter:
    Gegevensbeschermingsautoriteit
    Drukpersstraat 35
    1000 Brussels

For more information regarding complaints and remedies, we invite you to consult the Data Protection Authority's website: gegevensbeschermingsautoriteit.be/burger/acties/klacht-indienen.

3. Specific processing activities that may apply to you

Under what circumstances Disso collects, uses or otherwise processes different categories of personal data from you, for what purpose, on what legal basis, for what period and with whom it is shared, is described below.

3.1. You are a client of Disso?

Disso provides Gen-AI driven email and communication security, giving your business more control over its communication safety and protecting it against modern cyber threats.

As controller, Disso may collect and process one or more of the following personal data about your representatives and contacts:

  • contact information and account creation data: e.g. name, first name, profession, telephone and mobile number, e-mail address, address details and other contact information; company information;
  • test phase data: e.g. e-mail address(es) and other personal data and/or communications used during the test phase only if you choose to share such data with us outside your environment; this is not mandatory, as sample or synthetic data can also be used;
  • correspondence and other forms of communication: e.g. letters, e-mails and other (forms of) communication;
  • billing and administrative data: e.g. bank account numbers, and any other payment information.

However, we will never collect more personal data from you than is strictly necessary to achieve the purposes for which we have collected your personal data.

Disso processes the above personal data for the following purposes:

  1. to provide you with more information about our services and products at your request or at our initiative, if deemed necessary to accurately perform our services for you;
  2. to provide you with the services as agreed with you;
  3. to handle any complaint and/or feedback;
  4. to make or collect payments;
  5. to maintain a business relationship with you as a client.

Disso processes the personal data listed above on the following legal grounds:

  • the processing is necessary for the performance of an agreement to which you are a party or to take steps at your request prior to the conclusion of an agreement (purposes I to IV above);
  • the processing is necessary for the purposes of the legitimate interests pursued by Disso or a third party (purpose V above). Our legitimate interest is to serve you as a client even better by keeping you informed about our activities, services and products (purpose V above).

Disso will retain your personal data for a period of 6 months after the completion of the service or termination of the agreement. This retention period allows us to handle any post-service inquiries, complaints, or administrative follow-ups.

In certain cases, we may retain your personal data for a longer period, including but not limited to the following situations:

  • if applicable laws require us to retain specific data, we will retain the data for the duration of the legally required period;
  • data necessary to establish, exercise, or defend legal claims will be retained for the duration of the applicable statutory limitation period.

In pursuit of these purposes, we may disclose your personal data to:

  • subcontractors who process personal data on our behalf (https://disso.ai/data-agreement/subprocessors), e.g. in relation to hosting, mailing, marketing initiatives, etc. They only process your personal data under our written instructions and in accordance with an agreed processing agreement;
  • judicial, police or administrative authorities, if required by law or court proceedings.

This section covers only the personal data for which Disso acts as a data controller. Any personal data processed through the Disso platform, whether in our SaaS cloud or in your private deployment, is processed under your control as the data controller, with Disso acting as your data processor as defined in the DPA.

3.2. You are a supplier or subcontractor of Disso?

Disso may collect and process one or more of the following personal data:

  • contact information: name, title, function, telephone and mobile number, e-mail address, office address and other contact and/or company information;
  • correspondence and other forms of communication: letters, e-mails and other (forms of) communication; and
  • information on the delivery of the product/service and any information on our engagement with the supplier/subcontractor: bank account numbers and any other information on payments.

However, we will never collect more personal data from you than is strictly necessary to achieve the purposes for which we have collected your personal data.

Disso processes the above personal data for the following purpose:

  1. to buy goods or services.

Disso processes the personal data listed above on the following legal basis:

  • the processing is necessary for the performance of an agreement to which the supplier/subcontractor is a party or to take steps at the request of the supplier/subcontractor prior to the conclusion of a contract (purpose I above).

We keep your personal data for 3 years after completion of the service, unless Disso is required by law to keep the data longer.

In pursuit of this purpose, we may disclose your personal data to:

3.3. You are a visitor to Disso's Website, a prospect or subscriber to our newsletter?

Disso may collect and process one or more of the following personal data:

  • contact information: e.g. name, first name, e-mail address, company name, role in your company, address;
  • correspondence and other forms of communication: e-mails and other (forms of) communication;
  • your electronic identification data: e.g. your IP address, connection times, etc. following a visit to our Website that uses cookies or similar techniques.

However, we will never collect more personal data from you than is strictly necessary to achieve the purposes for which we have collected your personal data.

Disso processes the above personal data for the following purposes:

  1. to answer your question or request for information, or to schedule an exploratory meeting;
  2. for direct marketing, to keep you informed about, among other things, Disso activities, products and services;
  3. for placing and reading cookies. More information on our use of cookies can be found in our Cookie Statement.

Disso processes the personal data listed above on the following legal grounds:

  • the processing is necessary to take pre-contractual measures at your request (purpose I above);
  • The user/visitor has given consent for the processing of his/her personal data (purposes II and III above). Regarding cookies, we request your consent for categories of cookies other than strictly necessary cookies (e.g., preference cookies, analytical cookies, etc.), insofar as our Website/Platform uses them. For more information, we refer you to our Cookie Statement;
  • The processing is necessary for the protection of the legitimate interests of Disso or a third party (purpose III above). For strictly necessary cookies, which are cookies that ensure functionalities without which you would not be able to use our Website/Platform as intended, we rely on the legal basis of legitimate interest. These cookies are required purely for technical reasons to be able to use the Website/Platform. Given the technical necessity, there is only an obligation to provide information, and we place these cookies as soon as you access the Website/Platform.

Disso will not retain your personal data for longer than necessary for the purposes for which they were collected. The following retention periods apply:

  • Disso will retain your personal data for up to 6 months after the last contact you had with us as a prospect (purpose I above);
  • Disso will retain your personal data until you withdraw your consent to the use of your data. You may withdraw your consent at any time using the procedure described under titles 2.4 and 2.5 of this Privacy Statement (purpose II above);
  • the retention period for cookies varies depending on the type of cookie. More information on our use of cookies can be found in our Cookie Statement (purpose III above).

In pursuit of these purposes, we may disclose your personal data to:

3.4. You are a (potential) job applicant of Disso?

Disso may collect and process one or more of the following personal data:

  • contact information: name, first name, function, telephone and mobile number, home address, e-mail address, social media account and other contact information;
  • correspondence and other forms of communication: letters, e-mails and other (forms of) communication; and
  • other recruitment-related information: gender, date of birth, photograph, application form, CV, interview notes, and other employment history information.

However, we will never collect more personal data from you than is strictly necessary to achieve the purposes for which we have collected your personal data.

Disso processes the above personal data for the following purposes:

  1. to assess the suitability of the (potential) applicant and to start an application process and for the evaluation of the application;
  2. to keep applicants informed of our job openings; and
  3. to invite applicants to our Disso activities and have them participate in our activities.

Disso processes the personal data listed above on the following legal grounds:

  • the processing is necessary to take steps at the applicant's request prior to the conclusion of an agreement to which the applicant becomes a party (purpose I above);
  • the applicant has given consent to the processing of his/her personal data (purposes II and III above).

Disso will delete applicants' personal data no later than 4 weeks after the end of the application process unless the applicant has given his/her express consent to keep his/her data for a longer period. In that case, Disso will keep the personal data for a period of 1 year, after which the applicant will be asked whether he/she wishes to renew his/her consent.

In pursuit of these purposes, we may disclose your personal data to:

3.5. You are a participant in one of our Disso activities

Disso may collect and process one or more of the following personal data:

  • contact information: name, first name, function, telephone and mobile number, e-mail address, social media account and other contact information;
  • correspondence and other forms of communication: letters, e-mails and other (forms of) communication; and
  • other information related to the activity: photographs and videos.

However, we will never collect more personal data from you than is strictly necessary to achieve the purposes for which we have collected your personal data.

Disso processes the above personal data for the following purposes:

  1. to organize the activity and to invite participants to our activities; and
  2. to use visual material (photographs and videos) for marketing purposes (e.g. on our website, social media, etc.).

Disso processes the personal data listed above on the following legal grounds:

  • the processing is necessary for the performance of an agreement to which the participant is a party (purpose I above);
  • the participant has given consent to the processing of his/her personal data (purpose II above).

Disso will delete participants' personal data no later than 5 years after the activity unless the participant has given his/her express consent to keep his/her data for a longer period.

In pursuit of these purposes, we may disclose your personal data to:

4. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. Therefore, we encourage you to consult it regularly so that you are aware of any changes.

Last updated: December 2025