
Privacy & GDPR

How Start 2 Scale processes personal data — concise, GDPR-compliant, without legal jargon. Have a question? Email hans@start2scale.ai.

Version 1.0 · Last updated May 2026 · Dutch law
Data controller: Start 2 Scale, Noordwijk, the Netherlands
CoC number: 77099257
Data Protection Officer: Not appointed (not required at our scale). For GDPR questions: hans@start2scale.ai.

This privacy statement explains what personal data Start 2 Scale processes when you use our website start2scale.ai, our platform saldus.ai, or contact us about our services. We keep it concise and specific — no vague language that covers everything but explains nothing.

1. Who is the data controller

Start 2 Scale is based in Noordwijk and registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 77099257. For GDPR purposes, we are the data controller for your personal data.

2. What data we process

We only process what we need. Specifically:

  • For introductory calls via Calendly: name, email address, company, optionally phone number, and the date and time of the call.
  • When submitting the AI-readiness scan: email address, optionally name, company name, role and company size, plus your answers to the 21 scan questions.
  • For email correspondence: the content of your emails and any attachments.
  • During an AI assessment or Saldus implementation: the data required for the project scope (process documentation, anonymised or pseudonymised general ledger extracts, names and roles of staff involved). Specific arrangements are documented in a data processing agreement.

We do not process special categories of personal data (such as health or criminal records). Business and financial data do not fall under special categories.

3. Why we process this data

  • To get in touch with you — scheduling a call, answering a question, sending a proposal.
  • To deliver our services — assessment, sprints, implementation of Saldus.ai.
  • To deliver requested products — for example, the report from the AI-readiness scan.
  • To improve our website — aggregated page-visit statistics, without tracking individual users.
  • To comply with legal obligations — bookkeeping, statutory tax retention requirements.

4. Legal basis

For each processing activity we rely on one of these GDPR legal bases:

  • Performance of a contract — when you are a client or have engaged a service.
  • Consent — when you actively provide your email address, for example to receive a report or to opt in to new resources.
  • Legitimate interest — for general website statistics and responding to an unsolicited enquiry.
  • Legal obligation — for statutory retention periods on invoices and accounting records.

5. Retention periods

  • Contact forms and scan submissions: up to 2 years after the last contact, then deleted.
  • Client and project files: up to 7 years after completion (statutory tax retention).
  • Invoices and accounting records: 7 years (legal obligation).
  • Newsletter opt-ins: until you unsubscribe.

On request we will delete your data earlier, except for what we are legally required to retain.

6. Who we share it with

We do not share data with third parties except where necessary for the service, and always with a data processing agreement where the GDPR requires one:

  • Email provider: Google Workspace (EU region). For sending and receiving email.
  • Calendly: for scheduling calls. Calendly is based in the US — we use the EU data-residency setting where available.
  • Form service (Formspree or equivalent): for receiving submissions from the website.
  • Accountant: for processing invoices.
  • AI model providers used in client projects (Anthropic, OpenAI, Google) — for client data we enter into a data processing agreement per engagement and configure the tier that excludes training on client data.

We never sell your data. Full stop.

7. How we secure it

In line with our audit-grade standard, these are our baseline measures:

  • Encrypted connections (HTTPS) for all web and email communication.
  • Multi-factor authentication on accounts with access to client data.
  • EU hosting and EU DPA where possible; data outside the EU only with explicit agreement and appropriate safeguards.
  • Pen-tested platform components on Saldus.ai (annual external penetration test).
  • Audit log of every AI action within Saldus.ai (which agent, which prompt, which data, which result).
  • Data breach procedure: if a breach is suspected, we notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and notify you if your data is involved.

8. Your rights

Under the GDPR you have a number of rights. We respect all of them:

  • Access — request to see which data we hold about you.
  • Rectification — have inaccurate data corrected.
  • Erasure — have your data deleted (“right to be forgotten”), except for what we are legally required to retain.
  • Restriction — have processing temporarily suspended.
  • Portability — receive your data in a commonly used file format.
  • Objection — object to processing based on legitimate interest.
  • Withdrawal of consent — where processing is based on your consent.

To exercise your rights, email hans@start2scale.ai. We will respond within 30 days. To verify your identity we may ask for additional information.

9. Cookies

Our website uses no tracking cookies. No Google Analytics, no Meta pixel, no advertising networks. We want to know whether the site is usable — not who you are. Where needed we use only functional cookies (for example, to maintain a logged-in session on Saldus.ai). Functional cookies do not require consent.

If we want to measure aggregated statistics in the future, we will do so with a cookieless tool (such as Plausible or Fathom) so that we remain outside the cookie-consent obligation.

10. Complaints and changes

Not satisfied with how we handle your data? Email hans@start2scale.ai first — we will resolve it. If we cannot reach a solution together, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

We may update this privacy statement when our services or applicable law changes. The most current version is always available on this page, with the date of the last update shown at the top.
