Privacy Policy
This Privacy Policy explains how Pera Meta B.V. ("we", "us", "our") processes personal data when you use the AI Skills Assessment platform accessible at aios.perabytelabs.com (operating under the trade name "PeraByte Labs") and at perameta.nl and its subdomains (operating under the "Pera Meta" brand). Both services are operated by the same legal entity, Pera Meta B.V., KvK 42015001, registered in Amsterdam, the Netherlands. References to "PeraByte Labs" in this document mean the same legal entity.
1. Data controller
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch Implementation Act (Uitvoeringswet AVG), the data controller is:
- Pera Meta B.V.
- registered in Amsterdam, the Netherlands
- KvK 42015001
- Privacy contact (consumer service): [email protected]
- Privacy contact (corporate service): [email protected]
2. Scope and our role
For our consumer service (PeraByte Labs), we act as the data controller for personal data you provide as an individual user. For our corporate service (Pera Meta), where an organisation invites its employees or members to take an assessment, that organisation is the data controller and we act as a data processor on its behalf under a separate Data Processing Agreement (Article 28 GDPR). This Privacy Policy describes our processing in our role as controller. Where we act as processor, the customer organisation's privacy notice governs.
3. Personal data we collect
We collect and process the following categories of personal data:
- Account data: email address, hashed password, account creation date, authentication identifiers (e.g. Google OAuth subject ID if you sign in with Google), email confirmation status.
- Profile data: full name (if provided), age range, country, industry, job function, plus marketing and curriculum-notification preferences.
- Assessment data: your answers to survey questions, time spent, completion status, calculated scores, and category breakdowns. Assessment responses are linked to your user account. They are not anonymous in our internal systems.
- Consent records: the consents you give at signup and in your account settings (terms, data use for product improvement, marketing emails, curriculum updates), including timestamps.
- Communications: emails you exchange with us, support requests, and feedback you submit through in-app forms.
- Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, approximate geolocation derived from IP, and timestamps. Some of this is processed automatically by our hosting and analytics providers.
- Payment data (paid features only): if you purchase the curriculum module or other paid features, our payment processor handles your card details directly. We receive only a transaction identifier, the amount, and the status. We do not store full card numbers.
We do not knowingly collect special categories of personal data (Article 9 GDPR), such as data revealing health, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation. Please do not include such data in free-text answers.
4. Purposes and legal bases
Under Article 6 GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): creating and maintaining your account, delivering the assessment, generating your results, providing support, and (where applicable) delivering paid features such as the curriculum module.
- Consent (Art. 6(1)(a)): sending you marketing emails, sending you curriculum or training notifications, using your assessment responses for product improvement and aggregated research, and setting non-essential cookies. You can withdraw any consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f)): ensuring the security and integrity of our platform, preventing fraud and abuse, maintaining server logs for diagnostics, and producing aggregated, de-identified statistics about platform usage. We balance these interests against your rights and freedoms; you can object at any time (see Section 9).
- Legal obligation (Art. 6(1)(c)): responding to lawful requests from competent authorities and complying with tax, accounting, and consumer-protection laws.
5. Sharing and subprocessors
We do not sell your personal data. We share personal data only with service providers who process it on our behalf under written contracts that meet the requirements of Article 28 GDPR, and only to the extent necessary for the purposes set out above. We use providers in the following categories:
- Hosting and database infrastructure (storing your account, assessment responses, and platform data).
- Authentication and identity (validating sign-in, including third-party sign-in such as Google).
- Email delivery (sending transactional emails such as confirmations and password resets, and, where you have consented, marketing emails).
- Privacy-friendly product analytics (measuring aggregate visitor numbers and page performance without using third-party advertising cookies).
- Payment processing (only when you purchase paid features).
Some of these providers are established outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses and any supplementary measures required by applicable case law (including the EDPB's recommendations following Schrems II). A current list of subprocessors is available on request from the privacy contacts above.
We may also disclose personal data: (a) to professional advisers (lawyers, accountants, auditors) bound by confidentiality; (b) to competent authorities where required by law; and (c) in connection with a corporate transaction (merger, acquisition, restructuring), in which case we will require the recipient to honour this Privacy Policy or notify you of any material change.
6. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Account and profile data: until you delete your account, then removed within 30 days from active systems and from backups within a further 60 days.
- Assessment responses and results: retained for the life of your account so that you can revisit your results. After account deletion, identifiable assessment data is deleted on the same timeline as account data; we may retain aggregated, de-identified statistics that cannot reasonably be linked back to you.
- Consent records: retained for as long as needed to demonstrate compliance, plus the applicable limitation period.
- Server and security logs: typically retained for up to 12 months for security and diagnostic purposes.
- Billing records (paid services): retained for the period required by Dutch tax law (currently seven years).
- Email communications: retained for as long as necessary to handle the matter and defend against any related claims.
7. International transfers
Where we transfer personal data outside the EEA, we rely on one or more of the following safeguards under Articles 44–49 GDPR: (a) European Commission adequacy decisions where they apply; (b) Standard Contractual Clauses approved by the European Commission, supplemented where necessary by additional technical and organisational measures; and (c) other lawful transfer mechanisms. You can request a copy of the relevant safeguards by contacting us using the addresses above.
8. Cookies and similar technologies
We use only strictly necessary cookies (for authentication and session management) and a privacy-friendly, cookieless analytics service to measure aggregate visitor counts and performance. We do not use advertising cookies, social media tracking pixels, or third-party marketing trackers. Because no non-essential cookies are set, we do not display a cookie consent banner; consent is not required for strictly necessary cookies under Article 5(3) of the ePrivacy Directive. For details, see our Cookie Policy.
9. Your rights
Subject to the conditions set out in the GDPR, you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate or incomplete data corrected (Art. 16);
- have your data erased ("right to be forgotten") in certain cases (Art. 17);
- have processing restricted in certain cases (Art. 18);
- receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20);
- object to processing based on our legitimate interests, and to object to direct marketing at any time (Art. 21);
- withdraw any consent you have given, without affecting the lawfulness of prior processing (Art. 7(3));
- not be subject to a decision based solely on automated processing, including profiling, that produces legal effects (Art. 22). We do not currently take any such decisions.
You can exercise most of these rights directly in your account settings, including deleting your account. You can also email [email protected] or, for deletion specifically, [email protected] with the subject line "Delete". We will respond within one month of receipt and, where the request is complex, may extend this period by a further two months with notice. We may need to verify your identity before fulfilling a request.
10. Marketing communications
We send marketing or product-update emails only where you have opted in. Each marketing email includes an unsubscribe link, and you can also change your preferences in your account settings at any time. Service emails (such as account confirmations, password resets, and notices about material changes to these documents) are necessary for the operation of the service and are not marketing.
11. Children
Our services are intended for users aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption of data in transit (HTTPS), encryption at rest provided by our infrastructure providers, hashed password storage, role-based access controls, audit logging, and row-level security on our database. No system is completely secure; we cannot guarantee absolute security and you use the service at your own risk in this respect.
13. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where the risk is high, communicate the breach to affected users in accordance with Articles 33–34 GDPR.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "last updated" date below. For material changes, we will notify you by email or through an in-product notice. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.
15. Complaints and supervisory authority
If you believe we have processed your personal data in breach of applicable law, you have the right to lodge a complaint with the Dutch supervisory authority:
- Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, the Netherlands. Website: autoriteitpersoonsgegevens.nl
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
16. Contact
For any question about this Privacy Policy or about how we process personal data, contact us at [email protected] (consumer service) or [email protected] (corporate service).
Last updated: 2026-05-09 · Pera Meta B.V.