Version: 1.0 Last updated: 1 March 2026
1. Introduction
1.1.
This Privacy Policy explains how Think-Tank BV, a limited liability company under Belgian law with registered office at Mezenstraat 80, 3061 Leefdaal, Belgium, company number 1031.720.902 (RLE Leuven) ("ThinkTank", "we", "us" or "our"), processes personal data in connection with:
i. the website think-tank.io (the "Website"); and ii. the ThinkTank platform, tools and related services (the "Services").
1.2.
This Privacy Policy applies to personal data processed when you:
i. visit our Website; ii. contact us or request information; iii. create an account or use the Services; or iv. otherwise interact with us in the context of our business activities.
1.3.
Where customers use the Services to process personal data, ThinkTank acts as a processor on behalf of the customer, who acts as the controller within the meaning of the GDPR. In those cases, the processing of personal data is governed by the applicable customer agreement and the ThinkTank Data Processing Agreement ("DPA"). The current version of the DPA is available at think-tank.io/legal/dpa.
1.4.
For privacy-related questions, you can contact us at privacy@think-tank.io.
2. Controller and Processor Roles
2.1. ThinkTank as controller
ThinkTank acts as controller, determining the purposes and means of the processing, for personal data processed for its own purposes, including in relation to:
i. the operation and security of the Website; ii. account administration and customer relationship management; iii. billing and contractual administration; iv. responding to enquiries and support requests; v. security, logging and fraud prevention; and vi. improving and maintaining the Services.
2.2. ThinkTank as processor
When customers use the Services to submit prompts, files, documents, messages, datasets, API inputs or other content that may contain personal data, ThinkTank acts as a processor on behalf of the customer. In those cases:
i. the customer acts as the controller within the meaning of the GDPR; ii. the customer determines the purposes and means of the processing; and iii. ThinkTank processes personal data only on the customer's documented instructions, as set out in the applicable customer agreement and DPA.
2.3. Data subject requests
2.3.1.
Where ThinkTank processes personal data as controller in accordance with Article 2.1, data subjects may exercise their rights under the GDPR by contacting ThinkTank at privacy@think-tank.io.
2.3.2.
Where ThinkTank processes personal data as processor on behalf of a customer in accordance with Article 2.2, requests relating to such processing should be addressed to the relevant customer acting as controller.
2.3.3.
If ThinkTank receives a request relating to personal data processed on behalf of a customer, ThinkTank may forward the request to the relevant customer or otherwise assist the customer in responding to the request, in accordance with the applicable customer agreement and DPA.
3. Categories of Personal Data
Depending on how you interact with ThinkTank and how the Services are used, ThinkTank may process the following categories of personal data:
3.1. Website and communication data
When you visit the Website or contact ThinkTank, we may process the following personal data:
i. name; ii. e-mail address; iii. telephone number; iv. company name; v. job title; and vi. information included in communications, contact forms or requests.
3.2. Account and customer relationship data
When you create an account or use the Services, we may process the following personal data:
i. account identifiers; ii. login and authentication information; iii. account configuration and preferences; iv. subscription and billing information; v. support requests and related communications; and vi. information necessary to manage the customer relationship.
3.3. Service usage data
When the Services are used, ThinkTank may process data relating to the operation and use of the Services, which may contain personal data depending on the content submitted by users of the Services, including:
i. prompts, inputs, uploads, files, documents, datasets, messages and API calls submitted through the Services; ii. generated outputs; iii. associated metadata; and iv. usage, activity and audit logs.
3.4. Technical and device data
When you access the Website or Services, ThinkTank may automatically process certain technical information, including:
i. IP address; ii. browser type and version; iii. device type; iv. operating system; v. timestamps and access logs; and vi. other technical information necessary for security, diagnostics and service operation.
3.5. Personal data included in customer content
3.5.1.
Customers may submit content to the Services that contains personal data. This may include personal data relating to:
i. customer personnel; ii. customers' clients or business contacts; or iii. any individual whose personal data appears in prompts, inputs, uploads, files or datasets submitted to the Services.
3.5.2.
ThinkTank does not control the categories of personal data included in such content. Customers are responsible for determining what personal data is submitted to the Services and for ensuring that such processing complies with applicable data protection law.
4. Purposes and Legal Bases for Processing
4.1. Processing where ThinkTank acts as controller
4.1.1.
Where ThinkTank processes personal data as controller, personal data may be processed for the following purposes:
i. operating, maintaining and securing the Website and Services; ii. managing user accounts and customer relationships; iii. administering subscriptions, billing and contractual obligations; iv. responding to enquiries, requests and support communications; v. monitoring, detecting and preventing security incidents, fraud or misuse of the Services; and vi. improving, maintaining and developing the Website and Services.
4.1.2.
Such processing is carried out on one or more of the following legal bases:
a. performance of a contract (Article 6(1)(b) GDPR); b. compliance with legal obligations (Article 6(1)(c) GDPR); and/or c. ThinkTank's legitimate interests (Article 6(1)(f) GDPR), such as maintaining the security, reliability and improvement of the Services.
4.2. Processing where ThinkTank acts as processor
4.2.1.
Where ThinkTank processes personal data on behalf of customers in accordance with Article 2.2, such processing is carried out solely on the documented instructions of the customer, as set out in the applicable customer agreement and DPA.
4.2.2.
The customer determines the purposes and legal basis for such processing.
5. Processing of User Content and Service Data
5.1. Processing of user content
The Services process prompts, uploaded files, documents, datasets, messages, API inputs and other content submitted by users (collectively, "User Content"). User Content may contain personal data depending on the information submitted by users of the Services.
5.2. Operational processing
ThinkTank may store, log and process User Content and related metadata where necessary for the operation of the Services, including for:
i. generating outputs requested by users; ii. maintaining system functionality and operational continuity; iii. logging and auditability; iv. detecting, preventing and investigating security incidents, fraud or misuse; v. troubleshooting and technical support; and vi. complying with legal and regulatory obligations.
5.3. Service improvement and development
5.3.1.
Where permitted under the applicable customer agreement, the DPA and applicable law, ThinkTank may process User Content and related data for purposes such as:
i. improving and developing the Services; ii. testing, evaluating and optimising system performance; iii. research and development relating to the Services; and iv. creating aggregated, de-identified or anonymised datasets that do not identify any individual data subject or customer.
5.4. Responsibility for submitted content
5.4.1.
Customers and users are responsible for the content they submit to the Services and for ensuring that such submissions comply with applicable law and their own data protection obligations.
5.4.2.
Customers should avoid submitting special categories of personal data within the meaning of Article 9 GDPR or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR unless appropriate safeguards are in place and such processing is permitted under the applicable customer agreement.
6. Sharing of Personal Data
6.1. Service providers and subprocessors
6.1.1.
ThinkTank may share personal data with third-party service providers that support the operation of the Website and the Services. These providers may include providers of:
i. cloud hosting and infrastructure services; ii. content delivery and security services; iii. analytics, monitoring and logging services; iv. technical support and development tools; and v. other services necessary for the operation, maintenance and security of the Services.
6.1.2.
Where such providers process personal data on behalf of ThinkTank or its customers, they act as processors or subprocessors and are subject to contractual data protection obligations.
6.2. Subprocessors for the Services
6.2.1.
Where ThinkTank processes personal data as processor on behalf of a customer, ThinkTank may engage subprocessors to support the provision of the Services.
6.2.2.
Such subprocessors are engaged in accordance with the applicable customer agreement and the Data Processing Agreement (DPA). A current list of subprocessors is available under the DPA.
6.3. Legal and regulatory disclosures
6.3.1.
ThinkTank may disclose personal data where necessary to:
i. comply with applicable laws, regulations or legal processes; ii. respond to requests from competent authorities; iii. protect the rights, property or safety of ThinkTank, its customers or users; or iv. detect, prevent or address fraud, security or technical issues.
6.4. Business transfers
6.4.1.
Personal data may be disclosed or transferred in connection with a corporate transaction, such as a merger, acquisition, restructuring or sale of assets, subject to appropriate safeguards.
7. International Data Transfers
7.1. Processing within and outside the European Economic Area
7.1.1.
Personal data processed by ThinkTank may be stored and processed within the European Economic Area ("EEA"). In certain circumstances, personal data may also be processed in countries outside the EEA, including where ThinkTank uses service providers or subprocessors located in other jurisdictions.
7.2. Transfer mechanisms
7.2.1.
Where personal data is transferred outside the EEA, ThinkTank ensures that such transfers take place in accordance with applicable data protection legislation and are subject to appropriate safeguards, which may include:
i. an adequacy decision adopted by the European Commission; ii. the use of the Standard Contractual Clauses (SCCs) adopted by the European Commission; or iii. another valid transfer mechanism permitted under applicable data protection law.
7.3. Transfers in connection with the Services
Where ThinkTank processes personal data as processor on behalf of customers, international transfers of personal data may occur through the use of subprocessors or infrastructure providers supporting the Services. Such transfers are governed by the applicable customer agreement and the DPA.
8. Data Retention
8.1. General retention principles
ThinkTank retains personal data for no longer than is necessary for the purposes for which it is processed, taking into account contractual, operational, legal and regulatory requirements. Retention periods may vary depending on the nature of the data and the context in which it is processed.
8.2. Retention in connection with the Services
8.2.1.
Where personal data is processed in connection with the use of the Services, personal data may be retained for:
i. the duration of the applicable customer relationship or user account; ii. a reasonable period thereafter for support, troubleshooting, auditability and compliance purposes; and iii. the periods required to comply with applicable legal or regulatory obligations.
8.2.2.
Prompts, uploads, outputs, usage data, logs and related metadata may be retained as necessary to operate, maintain and improve the Services, and in accordance with ThinkTank's operational retention practices.
8.3. Backups and system logs
8.3.1.
Personal data may be retained in system backups or logs for limited periods necessary to ensure system integrity, security monitoring and disaster recovery. Data stored in such systems may remain until the relevant backup or log retention cycles expire.
8.4. Deletion following termination
8.4.1.
Upon termination or expiry of the applicable customer agreement, personal data processed on behalf of customers will be deleted or returned in accordance with the applicable agreement and the DPA, subject to applicable legal or operational retention requirements.
9. Security Measures
9.1. General security approach
9.1.1.
ThinkTank implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
9.1.2.
These measures are designed taking into account the nature of the processing, the sensitivity of the data and the risks involved.
9.2. Technical and organisational safeguards
Depending on the context, measures may include:
i. access controls and authentication mechanisms designed to restrict access to authorised personnel and systems; ii. logging and monitoring of system activity; iii. encryption or secure transmission of data in transit; iv. security monitoring and incident response procedures; v. vulnerability management and security updates; and vi. the use of secure cloud infrastructure and service providers.
9.3. Organisational measures
ThinkTank implements organisational safeguards, such as:
i. confidentiality obligations for personnel with access to personal data; ii. internal policies governing the handling and protection of personal data; iii. training and awareness programmes relating to data protection and information security; and iv. supplier and subprocessor management processes.
9.4. Limitations of security
While ThinkTank takes reasonable steps to protect personal data, no method of transmission over the internet or electronic storage system can be guaranteed to be completely secure.
10. Data Subject Rights
10.1. Rights under data protection law
Where ThinkTank processes personal data as controller, individuals may have the following rights under applicable data protection legislation, including the GDPR:
i. the right of access to their personal data; ii. the right to rectification of inaccurate or incomplete personal data; iii. the right to erasure of personal data in certain circumstances; iv. the right to restriction of processing in certain circumstances; v. the right to data portability where applicable; vi. the right to object to processing based on legitimate interests; and vii. the right to withdraw consent at any time where processing is based on consent.
10.2. Exercising your rights
Requests relating to the rights described above may be submitted to ThinkTank by contacting privacy@think-tank.io. ThinkTank may request additional information where necessary to verify the identity of the person making the request.
10.3. Processing on behalf of customers
Where ThinkTank processes personal data on behalf of a customer as processor (as described in Article 2.2), requests relating to such processing should be directed to the relevant customer acting as controller.
10.4. Right to lodge a complaint
Individuals have the right to lodge a complaint with a competent supervisory authority if they believe that the processing of their personal data violates applicable data protection law. In Belgium, the competent supervisory authority is as follows:
Gegevensbeschermingsautoriteit / Autorité de protection des données (GBA/APD)
Drukpersstraat 35 / Rue de la Presse 35, BE-1000 Brussels
www.dataprotectionauthority.be
11. Changes to This Privacy Policy
11.1.1.
ThinkTank may update this Privacy Policy from time to time to reflect changes in the Services, applicable law or our data processing practices.
11.1.2.
The most recent version of the Privacy Policy will always be made available on the Website. Where appropriate, ThinkTank may provide additional notice of material changes.
12. Contact
If you have any questions about this Privacy Policy or about how ThinkTank processes personal data, you may contact us at:
Think-Tank BV
Mezenstraat 80, BE-3061 Leefdaal
Email: privacy@think-tank.io