Privacy Statement
- Introduction
- Who we are — Controller identity
- What personal data we collect
- Purposes and legal basis
- Cookies and tracking
- Recipients and processors
- International transfers
- Retention periods
- Your rights
- Automated decision-making
- AI features and transparency
- Customer data — Involv as processor
- Security
- Children’s data
- Contact
- Changes to this statement
1. Introduction
This Privacy Statement applies when you:
- visit the involv-intranet.com website (“the Website”);
- use the Involv intranet software-as-a-service platform (“the Service”);
- contact us through our forms, email, telephone or live chat;
- interact with our marketing communications, webinars or events; or
- apply for a position at Cognit BV.
If anything in this statement is unclear, please contact us using the details in section 15.
2. Who we are — Controller identity
The controller for your personal data is:
Gasthuisstraat 54 · 1760 Roosdaal · Belgium
KBO 0891.127.518 · VAT BE 0891.127.518 · RPR Brussels (Dutch-speaking division)
[email protected] · +32 2 669 0580
When you use the Service as an employee of one of our business customers, that customer is the controller and we act as processor on their behalf (see section 12).
Privacy contact
Cognit BV is not legally required to appoint a Data Protection Officer under Article 37 GDPR, as we do not engage in large-scale processing of special categories of data or systematic monitoring of data subjects on a large scale. Privacy compliance is overseen at management level, and all privacy-related queries are handled by our team. You can reach us at [email protected] for any privacy question, data subject request or complaint.
3. What personal data we collect
3.1 Data you provide directly
| Category | Examples | When |
|---|---|---|
| Identity and contact | Name, business email, phone number, job title, company name | Contact forms, demo requests, newsletter sign-up, support tickets |
| Account data | Username, login credentials, role, language and timezone preferences | Service account creation and configuration |
| Communication content | Messages, attachments, support questions, call recordings (with notice) | Chat, email, phone support, support portal |
| Marketing preferences | Newsletter subscriptions, topics of interest, event registrations, content downloads | Newsletter, webinars, gated content downloads |
| Billing data | Company billing address, VAT number, purchase-order references | Order processing and invoicing |
| Job application data | CV, cover letter, references, interview notes | Recruitment via email or job platforms |
3.2 Data collected automatically
| Category | Examples | Source |
|---|---|---|
| Device and connection | IP address, browser type and version, OS, device identifier, timezone, language | Server logs, cookies |
| Usage data | Pages visited, time on page, referring URL, click-stream, on-site search queries | Analytics cookies (with consent) |
| Session recordings | Mouse movements, clicks, scroll behaviour, form interactions. Passwords, payment data and other sensitive fields are automatically masked before recording. | Microsoft Clarity (with analytics consent) |
| Service telemetry | Feature usage frequency, performance metrics, error logs | Application logging (legitimate interest) |
| Marketing identifiers | Campaign IDs (utm_*), click IDs (gclid, msclkid, li_fat_id, fbclid) | URL parameters appended by ad platforms |
| Referral & company identification | Referral source, company name and approximate location | Referly affiliate / referral tracking (legitimate interest) |
3.3 Data we receive from third parties
- Public business sources: LinkedIn, company websites, KBO/Companies House registers — used to enrich lead records with business contact details (never private or consumer data).
- Microsoft 365: when you sign in to the Service with your Microsoft account, we receive your basic profile (name, email, tenant ID) and the permissions you explicitly grant.
- Channel partners: when a partner refers your organisation to us, they may share your business contact details under their own privacy obligations.
We do not intentionally collect special categories of data (Article 9 GDPR) such as health data, religious beliefs, political opinions or trade union membership. Please do not include such data in messages or support tickets.
4. Purposes and legal basis (Article 6 GDPR)
| Purpose | Legal basis | Detail |
|---|---|---|
| Providing and maintaining the Service | Contract (Art. 6.1.b) | Necessary to perform the SaaS agreement with the customer organisation |
| Account creation and authentication | Contract (Art. 6.1.b) | Required for service delivery |
| Responding to sales, demo or partner enquiries | Legitimate interest (Art. 6.1.f) | Commercial communication with business prospects who have initiated contact |
| Sending newsletters or product updates | Consent (Art. 6.1.a) | Opt-in via subscription form; withdrawn at any time via unsubscribe link |
| Direct marketing to existing business customers | Legitimate interest (Art. 6.1.f) | Soft opt-in for B2B, always with easy and immediate opt-out |
| Personalising your experience (analytics, content recommendations) | Consent (Art. 6.1.a) | Via cookie banner; no personalisation without consent |
| Advertising and remarketing (Google Ads, LinkedIn, Meta) | Consent (Art. 6.1.a) | Via cookie banner; pixels fire only after consent |
| Session recordings (Microsoft Clarity) | Consent (Art. 6.1.a) | Activated only with analytics consent; sensitive fields auto-masked |
| Referral and B2B visitor tracking (Referly) | Legitimate interest (Art. 6.1.f) | Tracks referral source and identifies referring company; balanced against visitor privacy |
| Product improvement and research | Legitimate interest (Art. 6.1.f) | Aggregated and anonymised usage analytics to improve features and UX |
| Detecting and preventing fraud, abuse, security incidents | Legitimate interest (Art. 6.1.f) | Essential to protect users and infrastructure |
| Complying with legal obligations (accounting, tax, regulatory) | Legal obligation (Art. 6.1.c) | Belgian accounting, tax and corporate law |
| Defending or pursuing legal claims | Legitimate interest (Art. 6.1.f) | Protection of legitimate business interests |
Balancing test: Where we rely on legitimate interest, we have documented a balancing test (Legitimate Interest Assessment) weighing our interest against your rights and freedoms. The outcome of each assessment is available on request. You have the right to object to any processing based on legitimate interest — see section 9.
5. Cookies and tracking
The Website uses cookies and similar technologies. We categorise cookies as follows:
| Category | Consent required | Examples |
|---|---|---|
| Strictly necessary | No (exempt under ePrivacy Directive) | Session cookies, load balancing, CSRF protection, cookie consent state |
| Functional | Yes | Language preferences, chat widget state |
| Analytics | Yes | Google Analytics (GA4), Microsoft Clarity session recordings |
| Marketing / advertising | Yes | Google Ads, LinkedIn Insight Tag, Meta Pixel, remarketing cookies |
Consent management: All non-essential cookies are placed only after your explicit consent through our cookie banner, powered by CookieScript (CookieScript UAB, Lithuania, EEA). You can change or withdraw your cookie consent at any time via the “Cookie preferences” link in the Website footer.
For full details — including specific vendors, retention periods and third-country transfers per cookie — see our Cookie Policy.
6. Recipients and processors (Article 13.1.e)
6.1 Categories of recipients
- Cognit BV employees with a need-to-know basis, bound by contractual confidentiality obligations.
- Sub-processors — see section 6.2 below.
- Channel partners — only with your consent, in the context of a referral or quote handover.
- Professional advisors — lawyers, accountants, auditors, bound by professional secrecy.
- Authorities — when legally required (court order, tax authority, Belgian Data Protection Authority).
6.2 Main sub-processors
| Sub-processor | Purpose | Data hosting location |
|---|---|---|
| Microsoft Corporation — Azure / M365 | Cloud hosting for Service infrastructure | EU (West Europe / North Europe) |
| Microsoft Corporation — Clarity | Session recordings, heatmaps (with consent) | USA (DPF certified) |
| HubSpot Inc. | CRM, marketing automation, live chat, meetings, knowledge base | EU (Frankfurt, Germany) |
| Google LLC | Analytics (GA4), Google Ads, Tag Manager (server-side, deployed via our first-party endpoint at collector.involv-intranet.com — see our Cookie Policy for details), YouTube embeds | USA (DPF certified) |
| Meta Platforms Ireland Ltd. | Meta Pixel for Facebook/Instagram retargeting (with consent) | EU (Ireland) + USA (DPF certified) |
| Cloudflare Inc. | CDN, bot protection and DDoS mitigation | Global edge network (EU processing for EU visitors) |
| CookieScript UAB | Cookie consent management platform | EU (Lithuania) |
| Referly Inc. | Affiliate and partner referral tracking, B2B visitor identification | USA (DPF certified) |
A complete and up-to-date list of sub-processors is published at involv-intranet.com/sub-processors/. We notify customers of material changes to this list at least 30 days in advance, giving customers the opportunity to object before the change takes effect.
7. International transfers (Article 13.1.f)
Some of our sub-processors are based outside the European Economic Area (EEA), notably in the United States. We ensure lawfulness of each transfer using the following safeguards:
- EU–U.S. Data Privacy Framework (DPF): For processors certified under the DPF, which was granted an adequacy decision by the European Commission on 10 July 2023 (Implementing Decision C(2023) 4745). Certification status can be verified at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs): The 2021 SCCs adopted by the European Commission (Implementing Decision 2021/914), supplemented by a documented Transfer Impact Assessment (TIA) evaluating the legal framework in the recipient country and by technical, organisational and contractual measures following the CJEU Schrems II judgment (16 July 2020).
- Adequacy decisions: For countries the Commission has determined provide an adequate level of data protection (Article 45 GDPR).
You can request a copy of the relevant safeguards, including our TIA summaries, via [email protected].
8. Retention periods (Article 13.2.a)
| Data category | Retention period | Basis |
|---|---|---|
| Customer account data | Duration of contract + 5 years | Belgian statutory limitation period (Art. 2262bis Civil Code) |
| Customer billing data | 7 years from end of financial year | Belgian accounting and tax law |
| Service usage / telemetry logs | Maximum 12 months | Operational necessity; anonymised after expiry |
| Sales prospect data (CRM) | 3 years from last meaningful interaction | Deleted or anonymised after expiry |
| Newsletter subscribers | Until unsubscribe + 30 days technical removal | Consent withdrawal |
| Job application data | 2 years after position filled (with consent) or end of recruitment process (without) | Legitimate interest for talent pool (with consent) |
| Website analytics (consented) | 14 months | GA4 default retention; aggregated data retained longer |
| Session recordings (Clarity) | 30 days | Microsoft Clarity default; no long-term storage |
| Referral tracking data (Referly) | 12 months | Purged by Referly after expiry |
| Security and audit logs | 24 months | Legitimate interest in security monitoring |
| Support tickets | 3 years after ticket closure | Contract performance and quality assurance |
| Cookie consent records | Duration of consent + 3 years | Demonstrating valid consent (accountability principle) |
After the applicable retention period, data is securely deleted or irreversibly anonymised. We review retention compliance annually.
9. Your rights (Articles 15–22 GDPR)
| Right | What it means |
|---|---|
| Access (Art. 15) | Obtain confirmation of whether we process your data and receive a copy in a commonly used electronic format |
| Rectification (Art. 16) | Have inaccurate or incomplete personal data corrected without undue delay |
| Erasure (Art. 17) | Request deletion of your data where there is no compelling reason to continue processing (“right to be forgotten”) |
| Restriction (Art. 18) | Limit processing of your data while a dispute or verification is pending |
| Data portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller |
| Object (Art. 21) | Object to processing based on legitimate interest. For direct marketing, the right is absolute and we will cease processing immediately |
| Withdraw consent (Art. 7.3) | Withdraw any consent at any time, without affecting the lawfulness of processing carried out before withdrawal |
| No automated decisions (Art. 22) | Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
How to exercise your rights
Email [email protected] with your request. We will:
- acknowledge your request within 5 business days;
- respond substantively within one month (extendable by two months for complex requests, with advance notice);
- verify your identity to prevent unauthorised disclosure; and
- not charge a fee unless requests are manifestly unfounded or excessive (Article 12.5 GDPR).
Right to lodge a complaint
You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work (Article 77 GDPR).
10. Automated decision-making and profiling
We do not make decisions about you based solely on automated processing that have legal or similarly significant effects (Article 22 GDPR).
We do use limited profiling for the following purposes, always with appropriate safeguards:
- Lead scoring: Our CRM assigns a score based on company firmographics (size, industry, geography), website engagement (pages visited, content downloaded) and interaction history (meetings, emails). This score is used solely to prioritise internal sales follow-up. It has no effect on your ability to purchase or use the Service, and never results in automated decisions with legal or significant effects.
- Content recommendations: On the Website, we may recommend content based on pages you have visited. This occurs only with your analytics consent and has no material impact on your rights.
You may object to any profiling at any time via [email protected].
11. AI features and transparency (EU AI Act)
The Involv intranet Service includes AI-powered features such as smart search, content suggestions and text summarisation. This section explains how we use AI in compliance with the EU AI Act (Regulation 2024/1689) and the GDPR.
11.1 Purpose and design
- AI features are designed to assist users, not to replace human decision-making.
- All AI-generated content is clearly identified where it is presented to users, in line with the transparency obligations under Article 50 of the EU AI Act.
- We classify our AI features as limited-risk AI systems. No high-risk AI systems (Annex III, EU AI Act) are deployed within the Service.
11.2 Customer data and model training
Customer content is never used to train, fine-tune or improve third-party foundation models. AI processing of customer content occurs exclusively within the boundaries of the Data Processing Agreement (DPA) signed with each customer. Specifically:
- AI prompts and responses are processed in real time and are not stored beyond the user session unless the customer explicitly enables logging.
- No customer content is transmitted to AI model providers for training purposes. Our AI infrastructure agreements contain explicit contractual prohibitions on model training with customer data.
- AI processing takes place within the Microsoft Azure EU data boundary (West Europe / North Europe regions) by default.
11.3 Opt-out
Customers can disable AI features at tenant level through the Involv administration panel. Individual users can also disable AI suggestions in their personal settings. Disabling AI features does not affect any other functionality of the Service.
11.4 Further information
For detailed information about which AI models are integrated and how they operate, see our LLM Information page.
12. Customer data — Involv as processor
When your employer or organisation subscribes to the Service, that organisation is the controller of the personal data that flows through the Service (employee profiles, posts, documents, comments, etc.). Cognit BV acts as processor under Article 28 GDPR and processes this data only:
- on documented instructions from the customer (Article 28.3.a GDPR);
- under a signed Data Processing Agreement (DPA) that meets the requirements of Article 28.3 GDPR;
- with appropriate technical and organisational measures, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), access controls and audit logging; and
- subject to the sub-processor management described in section 6.
If you have questions about how your employer uses your data within the Service, please contact your employer’s data protection officer or HR department in the first instance. We will forward data subject requests to the relevant customer where appropriate and assist the customer in fulfilling their obligations under Articles 15–22 GDPR.
Our standard Data Processing Agreement (DPA) is available on request via [email protected].
13. Security (Article 32 GDPR)
We have implemented appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Key measures include:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest
- Multi-factor authentication (MFA) for all administrative and production access
- Role-based access controls (RBAC) on a strict need-to-know basis
- Segregated production, staging and development environments
- Regular vulnerability scanning and periodic security assessments
- Automated backup procedures with tested restore capability
- Documented incident response plan with defined roles, escalation paths and communication procedures
- Annual data protection training for all employees
- Vendor due diligence and signed data processing agreements with all sub-processors
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- we will notify the Belgian Data Protection Authority (GBA) within 72 hours of becoming aware of the breach (Article 33 GDPR);
- where the breach is likely to result in a high risk, we will inform affected individuals without undue delay (Article 34 GDPR);
- we will notify affected customers (in our role as processor) without undue delay, enabling them to fulfil their own notification obligations.
14. Children’s data
The Website and the Service are designed for business professionals and are not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (the default age of consent for information society services under Article 8.1 GDPR).
If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as quickly as possible. If you believe a child has provided us with personal data, please contact us at [email protected].
15. Contact
Gasthuisstraat 54 · 1760 Roosdaal · Belgium
[email protected] · +32 2 669 0580
For general (non-privacy) enquiries, see our contact page.
16. Changes to this statement
We may update this Privacy Statement to reflect changes in our practices, technology or legal obligations. We distinguish between:
- Material changes (changes to purposes, legal bases, categories of recipients, international transfers, or your rights): communicated at least 30 days in advance via a banner on the Website and, where appropriate, by email to active subscribers and customer administrators. If you object to a material change, you may contact us before the effective date and we will work with you to find a resolution.
- Non-material changes (typographical corrections, clarifications, updated contact details): applied directly and reflected in the “Last updated” date.
Previous versions are available on request via [email protected].