Privacy Policy

Please find below our privacy policy in its latest, up-to-date form. If you have any queries or questions about the terms, please reach out to us by email.
Last Updated: 16th July 2025

At Altruon B.V. (“Altruon”, “we”, “us”, or “our”), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data when you use our fintech middleware services or visit our website, in compliance with the EU General Data Protection Regulation (GDPR). We have structured this policy for clarity and readability, but if you have any questions, please contact us using the information in Section 13 below.

1. Data Controller Information

Altruon B.V. is the data controller for the personal data described in this policy (unless otherwise stated). Our details are:

  • Company: Altruon B.V. (registered in the Netherlands)
  • Headquarters: Amsterdam, Netherlands
  • Contact Email (for privacy inquiries): operations@altruon.io

As Altruon is established in the European Union, we do not require an EU representative under GDPR. If you have any questions about this policy or how we handle your data, please reach out to us at the email above.

2. Categories of Personal Data

We only collect and process personal data that is necessary for the purposes described in this policy. The categories of personal data we handle include:

  • Merchant Business Information: If you are a merchant (our customer), we collect information such as your name, business name, business email address, billing address, payment or billing details, and account credentials. This information is needed to create your account, provide our services, and communicate with you.
  • End-Customer Personal Data: Through our payment orchestration platform, we process certain personal data about your end-customers on your behalf. This may include identifiers like customer names, email addresses, order or invoice details, and transaction information provided via the billing platforms or payment gateways. Important: Altruon does not collect or store sensitive payment card details or bank account numbers of end-customers. We utilize tokenization and let connected payment gateways handle actual payment data, meaning that credit card or payment details are stored by the third-party payment gateway, not by Altruon. We only store non-sensitive reference tokens or IDs related to those payment details for transaction processing.
  • API Credentials and Webhook Data: To enable our integrations, merchants provide us with API keys, tokens, or credentials for their chosen billing platforms and payment gateways. We store these credentials securely to connect to those services. We also process webhook event data sent from billing platforms and gateways (for example, notifications of transactions, subscription events, or payment status). These events may contain personal data such as customer IDs, names, email, transaction amounts, and statuses necessary for us to orchestrate payments and update the relevant systems.
  • Website Visitor Data: When you visit our website (including our documentation or dashboard), we collect certain data automatically through cookies and similar tracking technologies. This includes your IP address, browser type, device information, pages viewed, and browsing behavior on our site. We also collect cookie preferences and analytics data if you have consented (see Section 9 on Cookies). This information helps us understand how our site is used, to improve user experience, and to ensure security (e.g., detecting unusual activities).
  • No Special Category Data: We do not intentionally collect any special categories of personal data as defined by GDPR (such as data about racial or ethnic origin, political opinions, religious beliefs, health, genetic or biometric data, or sexual orientation). Our services are business-oriented and not designed to process sensitive personal information. We also do not knowingly collect any data relating to criminal convictions or offenses.

3. Purposes and Legal Bases for Processing

We process personal data only for specific, explicit purposes and as permitted by GDPR. For each processing activity, we rely on one or more of the legal bases allowed under Article 6 GDPR. Below are the purposes for which we use personal data and the corresponding legal bases:

  • Account Creation and Service Provisioning: We use merchant business information to set up and maintain your account, authenticate you, provide our middleware services, and offer customer support. This is necessary for the performance of our contract with you (GDPR Article 6(1)(b)). Without this data, we cannot provide you with the Altruon services you’ve requested.
  • Payment Transaction Facilitation: As a core function of our platform, we process end-customer personal data by transmitting it between your billing platform and your chosen payment gateway to execute transactions (e.g., charging a customer’s card for a subscription invoice). We do this to fulfill our service contract with the merchant and in furtherance of our legitimate interest in ensuring the payment transactions are completed smoothly (GDPR Article 6(1)(b) and Article 6(1)(f)). This includes using stored tokens/reference IDs to retrieve payment information from the gateway and sending transaction results back to the billing system. Our involvement in processing end-customer data is strictly for facilitating the transaction workflow you have initiated.
  • Security Monitoring and Fraud Prevention: We monitor activities on our platform (including analyzing IP addresses, device information, and transaction patterns) to detect and prevent fraudulent transactions, security breaches, or misuse of our services. This processing is based on our legitimate interests (GDPR Article 6(1)(f)) in safeguarding our platform, protecting our merchant clients and their customers, and maintaining the integrity of financial transactions. These measures help us keep the service secure for everyone. For example, we may use automated tools to flag suspicious activity (see Section 11 on Automated Decision Making) and take steps to prevent fraud or cyber-attacks.
  • Marketing and Communications: We may use contact information (such as your email address) to send you product updates, newsletters, event invitations, or other marketing communications:
    • If you are an existing customer (merchant) of Altruon, we may send you marketing or product-related emails about similar services based on our legitimate interest in growing our business and keeping you informed, in line with applicable ePrivacy rules (often referred to as “soft opt-in”). You will always have the opportunity to opt out of these emails easily, and we will honor any opt-out request.
    • If you are not yet a customer or for certain types of communications (e.g., newsletters), we will only send you marketing emails if we have obtained your consent (GDPR Article 6(1)(a)). For example, if you sign up on our website to receive updates, we will use the email you provided for that purpose with your consent. You can withdraw your consent at any time by clicking the unsubscribe link in the email or contacting us.
    • We will not spam you or send excessive communications, and we do not share your contact details with third parties for their own marketing without your explicit consent.
  • Compliance with Legal Obligations: We process personal data when necessary for compliance with our legal obligations (GDPR Article 6(1)(c)). This includes obligations such as:
    • Financial and Tax Regulations: Keeping records of transactions, payments, and invoices for accounting, audit, and tax compliance (for example, under Dutch law, businesses must retain certain records for a number of years).
    • Regulatory Compliance: Complying with know-your-customer (KYC) or anti-money laundering (AML) regulations if applicable, and responding to lawful requests by public authorities.
    • Legal Process and Rights: Retaining or disclosing information as required to enforce our contracts, resolve disputes, respond to subpoenas or court orders, or protect our legal rights (such as handling chargebacks or fraud disputes in collaboration with payment providers).

In any case where we rely on legitimate interests as a legal basis, we have balanced those interests against your rights and freedoms to ensure they do not override your privacy rights. If you have questions about the specific legal basis for any processing or need more detail, please contact us.

4. Cross-Border Data Transfers

Altruon primarily stores and processes personal data on servers located within the European Union. We strive to keep your data within the EU/European Economic Area (EEA) to benefit from the GDPR’s protections. However, in certain situations, your personal data may be transferred to or accessed from countries outside the EEA:

  • Use of Third-Party Service Providers: We may use trusted third-party services (for example, cloud hosting providers, email and support tools, or analytics services) that are based outside of the EEA. For instance, if we use a cloud infrastructure or email service headquartered in the United States or another country, your data may be stored or processed on servers in that country.
  • Standard Contractual Clauses (SCCs) and Safeguards: Whenever we transfer personal data outside the EEA to a country that the European Commission has not deemed to have an adequate level of data protection, we will ensure appropriate safeguards are in place as required by GDPR. Typically, we will use the European Commission’s approved Standard Contractual Clauses (SCCs) in our contracts with the receiving party. These SCCs impose data protection obligations on the recipient to ensure your data remains protected. In some cases, we might rely on other transfer mechanisms, such as an adequacy decision (if the country is recognized by the EU as having essentially equivalent privacy laws) or, where applicable, your explicit consent for the transfer.
  • Transfers to Our Merchants: If you are an end-customer whose data we process on behalf of a merchant, and that merchant requests the data to be sent to them or to a designated third party, such transfer will occur according to the merchant’s instructions. We ensure that any such transfers as part of our service also comply with GDPR requirements.

We remain responsible for the protection of your personal data, regardless of where it is processed. You can contact us for more information about the specific safeguards we have in place for cross-border transfers or to obtain a copy of the relevant contractual protections (we may redact commercial terms for confidentiality).

5. Data Retention Policies

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, and to comply with our legal and contractual obligations. We have different retention periods depending on the type of data and the purposes of processing:

  • Merchant Account Data: If you are a merchant customer, we keep your account information for the duration of our business relationship. This includes your registration details, profile information, and billing records. After you stop using Altruon (for example, if you terminate your account), we will retain relevant data for a limited period in case you reactivate your account or for any post-termination issues. Generally, once our contract is fully ended, we will delete or anonymize your personal data within a reasonable time unless certain data must be kept longer to meet legal requirements. For example, financial and invoicing records will be retained for the period required by Dutch law (which is typically 7 years for tax and accounting records) or other applicable regulations. During the retention period, your data will be securely stored and restricted to only those purposes (e.g., audit, compliance) for which it is retained.

  • End-Customer Transaction Data: Personal data about end-customers that we process for transaction facilitation is not stored by us longer than necessary. We usually handle this data transiently (passing it between systems). However, logs of transactions and related events may be retained for recordkeeping, dispute resolution, and fraud prevention purposes. We retain transaction records for as long as our merchant client’s contract is active and for a certain period after, as needed for the merchant to download records or for us to comply with legal obligations (e.g., transaction logs may be kept for a few years to resolve chargebacks or fraud claims). When end-customer personal data is no longer needed for these purposes, we either delete it or anonymize it (so it can no longer be linked to an individual). If we are acting as a data processor for this data (on behalf of a merchant), we will also follow the merchant’s instructions regarding deletion, subject to legal requirements.

  • API Credentials and Webhook Data: API credentials that you provide to us (for integrations with payment gateways and billing platforms) are retained as long as you use our service to connect to those platforms. You can update or revoke these credentials at any time, which will cause us to delete or stop using the old credentials. Webhook events and logs are kept for troubleshooting and audit purposes. We typically retain detailed logs for a short period (for example, a few months) unless needed longer; aggregated or high-level logs may be kept longer for analytics and system performance monitoring. All such data is protected and access is limited to authorized personnel.

  • Website Visitor Data (Cookies and Analytics): Data collected via cookies and similar technologies is retained according to the nature of the cookie:
    • Essential cookies (for site functionality and security) are generally session-based or short-term, and may persist only for as long as necessary (e.g., session cookies are deleted when you close your browser).
    • Analytics cookies (used only with consent) may have a set expiration (e.g., Google Analytics cookies that last 14 months or a duration you accept). We configure our analytics tools to not retain personal data longer than necessary. Aggregated analytics data (which no longer identifies individuals) may be kept longer for statistical purposes.
    • IP addresses and device data collected for security are typically stored briefly and deleted or anonymized soon after (for instance, IP logs might be kept for a few weeks for security analysis unless required for an investigation of malicious activity).
    • You can control cookie storage as explained in Section 9, and you can delete cookies from your browser at any time, which will also remove the data those cookies stored on your device.
  • General Retention Practices: When a retention period expires, or if you request deletion and we have no lawful basis to retain the data, we will ensure that the personal data is securely deleted, destroyed, or anonymized. We also periodically review the data we hold and erase or anonymize information that is no longer needed. If complete deletion is not immediately possible (for example, the data is stored in a secured archive or backups), we will isolate the data from further use until deletion is possible.

Please note that in certain cases we may retain information for a longer period if required to do so by law, to resolve disputes, or to enforce our agreements. We always do so in accordance with GDPR’s data minimization and storage limitation principles.

6. Data Subject Rights

Under the GDPR, individuals (data subjects) have a number of rights regarding their personal data. Altruon is committed to respecting these rights. You have the following rights concerning personal data that we hold about you:

  • Right of Access: You have the right to ask us whether we are processing your personal data, and if so, to request access to that data. This allows you to receive a copy of the personal data we hold about you and certain information about how we use it.
  • Right to Rectification: If any of your personal data that we are processing is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if you change your business email or notice an error in data we have on file, you can ask us to correct it.
  • Right to Erasure: Also known as the “right to be forgotten,” this right allows you to request the deletion of your personal data when there is no compelling reason for us to keep it. You can ask us to erase your data if it’s no longer needed for the purposes it was collected, if you have withdrawn your consent (where applicable) or objected to processing and we have no other lawful basis to continue, or if we are required to delete it to comply with legal obligations. Please note that this right is not absolute – sometimes we must retain certain information (see Data Retention above) for legal or contractual reasons, in which case we will inform you.
  • Right to Restrict Processing: You have the right to request that we restrict (pause) the processing of your personal data under certain circumstances. For instance, if you contest the accuracy of the data, you can ask us to restrict processing while we verify the data; or if you object to our processing based on legitimate interests, you can request restriction while we evaluate the request. When processing is restricted, we will still store your data but not use it further until the restriction is lifted (unless for legal reasons).
  • Right to Data Portability: For personal data you have provided to us, you have the right to receive it back from us in a structured, commonly used, machine-readable format and/or to request that we transmit it directly to another data controller (for example, another service provider), where technically feasible. This right applies when the processing is based on your consent or on a contract with you, and the processing is carried out by automated means. We will assist with such transfer requests to the extent possible.
  • Right to Object: You have the right to object to our processing of your personal data in certain situations:
    • Legitimate Interests: If we are processing your data based on our legitimate interests (Article 6(1)(f) GDPR), you can object to that processing. If you do, we will reassess our processing in light of your objection. We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your rights, or if the processing is needed for legal claims.
    • Direct Marketing: You have an absolute right to object to your personal data being used for direct marketing purposes. If you object or opt-out, we will cease using your data for marketing. (For example, you can unsubscribe from our marketing emails at any time, and we will remove you from our mailing list.)
  • Right to Withdraw Consent: In cases where we rely on your consent for processing (such as certain marketing communications or optional analytics cookies), you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing we performed before your withdrawal. If you withdraw consent, we will stop the processing that was based on consent. For example, if you gave consent for receiving a newsletter, you can later opt out and we will stop sending it.
  • Right not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (without human involvement) if it produces legal effects or similarly significant effects on you. Altruon generally does not carry out such solely automated decision-making except for some automated fraud detection as described in Section 11, and we ensure human review in those processes. If you believe you have been affected by an automated decision, you can contact us to request further information, express your point of view, or challenge the decision.

Exercising Your Rights: You can exercise any of these rights by contacting us at operations@altruon.io with your request. Please specify which right you wish to exercise and provide enough information for us to verify your identity (we need to make sure we’re dealing with the right person before releasing or correcting data, to protect your privacy). For example, we may ask you to provide the email address associated with your account or other details for verification. We will respond to your request as soon as possible, and in any case within one month as required by GDPR (this timeframe may be extended by an additional two months for complex requests, but we will inform you if an extension is needed).

If you are an end-customer of one of our merchant clients and you wish to exercise your data rights, it is generally best to direct your request to the merchant (the business that collected your data), since they are the primary data controller for your information. We act as a data processor on behalf of our merchants for end-customer data. However, we will assist our merchants in responding to any data subject requests and, if you contact us directly, we will do our best to help facilitate your request in line with our legal obligations.

We do not charge a fee for responding to reasonable requests to exercise your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request as permitted by law. We will always inform you of our reasoning in such cases.

7. Third-Party Disclosures

We do not sell your personal data to third parties. However, in the course of providing our services and running our business, we may share personal data with certain trusted third parties. We only share what is necessary and we ensure any third party that receives personal data from us is bound to protect it in accordance with GDPR (through contracts or other legal mechanisms). The key types of third parties with whom we may share data are:

  • Payment Gateways and Billing Platforms: As part of our payment orchestration service, we transmit necessary personal data to third-party payment processors/gateways and subscription billing platforms that you have connected via Altruon. For example, if a transaction needs to be processed, we will send the required data (such as a customer’s identifier, tokenized payment information, transaction amount) to the chosen payment gateway to complete the charge, and then relay the result back to your billing system. Similarly, if your billing platform sends us customer or transaction details via webhook, we may pass some of that information to the payment gateway to process the payment. These third parties (payment processors and billing SaaS platforms) will use the data in accordance with their own privacy policies and your agreements with them, acting as independent controllers for their respective services. We recommend that our merchants ensure their own privacy notices inform their end-customers of these disclosures.

  • Service Providers (Processors): We use a number of service providers to help operate and support our platform. These include:
    • Hosting and Infrastructure Providers: e.g., cloud data center providers or managed hosting services that securely store our databases and application (they may host servers in the EU or in other jurisdictions as discussed in Section 4).
    • Email and Communication Tools: e.g., services to send transactional emails (like account notifications, password resets) or newsletters, and customer support ticketing systems. These providers may process contact information and message content on our behalf.
    • Analytics and Monitoring Tools: e.g., analytics services that process website usage data, or uptime/error monitoring services that may incidentally process IP addresses or user IDs for performance tracking.
    • Other IT and Security Service Providers: e.g., services for data backup, DDoS protection, content delivery networks (CDNs), or fraud detection tools.
    These service providers act under our instructions (as “processors” under GDPR) and only for the purposes we specify. We have Data Processing Agreements in place with them as required by law, ensuring they implement appropriate data protection measures. They are not allowed to use your personal data for their own purposes.

  • Business Partners: In some cases, we may share data with integration partners or other companies you engage that interact with our service. For example, if we develop a feature in collaboration with a technology partner or you choose to enable an integration with another service via Altruon, we might exchange relevant data with that partner based on your instructions. Any such sharing will be transparent to you through the use of our service.

  • Corporate Transactions: If Altruon undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, personal data may be transferred to the successor or acquiring entity as part of the transaction. We will ensure that any such transfer is handled securely and continues to respect your privacy rights. If required by law, we will notify you and give you an opportunity to exercise your rights or choices in connection with such a transfer.

  • Legal and Regulatory Disclosures: We may disclose personal data to third parties (such as law enforcement agencies, government authorities, or courts) if required to do so by law or legal process, or if we have a good-faith belief that such disclosure is necessary to (i) comply with a legal obligation, (ii) respond to valid legal requests (such as a subpoena, court order, or search warrant), (iii) enforce our terms of service or other agreements, (iv) prevent fraud, security issues, or other harm, or (v) protect the rights, property, or safety of Altruon, our customers, or the public. We will endeavor to notify you about such requests when permissible and practical.

In all cases of sharing, we strive to minimise the personal data shared to what is strictly necessary. We also require any third-party recipient to handle the data with confidentiality and security. For third parties acting as our processors, they are contractually obligated to process data only for our specified purposes and to implement adequate security.

If you have questions about the third parties with whom we may share your data (for example, specifics of our current subprocessors), feel free to contact us for an up-to-date list.

8. Security Measures

Altruon takes the security of personal data very seriously. We implement a range of technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. Some of the key security measures we have in place include:

  • Encryption: All data transmitted between your browser and our platform is protected using encryption protocols such as HTTPS/TLS. This means information (including personal data) is encrypted in transit. We also encrypt sensitive data at rest in our databases or storage, especially for any particularly confidential information. For example, password data is stored in hashed form, and any sensitive credentials you provide (like API keys) are encrypted in our systems.
  • Tokenization of Payment Data: As noted, we do not store raw payment card details. We use tokenization through the payment gateways, so that what resides on our system are reference tokens or encrypted identifiers rather than actual credit card numbers or bank details. This significantly reduces the risk associated with payment data, as those tokens on their own cannot be used to reconstruct the original payment details by any unauthorized party.
  • Access Control and Authentication: We restrict access to personal data to authorized Altruon personnel and service providers who need it for operating our service or supporting you. Internal access to systems holding personal data is controlled through role-based access controls and multi-factor authentication. Staff are granted the minimum access necessary (principle of least privilege) and access rights are regularly reviewed. Employees and contractors with such access are bound by confidentiality obligations.
  • Monitoring and Threat Detection: Our systems are monitored for security events, and we employ firewalls and intrusion detection/prevention systems to guard against malicious access. We keep our software and infrastructure up-to-date with security patches. We also log access and actions within the system, enabling us to detect unusual behavior and trace issues if they arise. Automated tools may be used to flag potential fraud or misuse (see Section 11) and to ensure high availability and integrity of our platform.
  • Regular Security Assessments: We conduct periodic security reviews and testing. This may include vulnerability scanning, penetration testing by third-party security experts, and code reviews to catch and fix security issues early. We also follow industry best practices for software development (such as secure coding guidelines) to reduce vulnerabilities.

  • Organizational Practices: All Altruon team members receive training on data protection and information security best practices. We have internal policies in place to ensure data is handled safely and consistently with this Privacy Policy. For example, we have defined procedures for data incident response, and we limit the use of production data in testing environments to prevent unnecessary exposure.

  • Certifications and Compliance: While Altruon is not a payment processor that stores card data, we align our security program with industry standards. We abide by relevant aspects of the Payment Card Industry Data Security Standard (PCI DSS) by virtue of not storing sensitive card data and using compliant gateways. We also strive to follow the principles of ISO/IEC 27001 (an international standard for information security management) in our practices. If we obtain any formal security certifications in the future, we will update this policy or our website to inform you.

Despite all these measures, it’s important to note that no method of transmission over the internet or method of electronic storage is 100% secure. However, we are continuously working to update and improve our security practices to protect your data. In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant authorities as required by GDPR (Articles 33 and 34) without undue delay.

If you have any questions about the security of your data, or if you believe your account or information may have been compromised, please contact us immediately.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and platform to provide, personalize, and improve our services, as well as to understand user interactions. A cookie is a small text file stored on your device that allows us or a third party to recognize you and make your next visit easier and more useful to you. When you first visit our site, we will request your consent for non-essential cookies via a cookie banner or pop-up, in accordance with applicable law. Here’s an overview of how we use these technologies:

  • Essential Cookies: These cookies are necessary for the website to function properly and cannot be switched off in our systems. For example, they include session cookies that keep you logged in as you navigate through secure areas of the site, or preferences cookies that remember your language or other choices. Because these cookies are strictly necessary for delivering the service you requested, they do not require consent. You can set your browser to block or alert you about these cookies, but some parts of the site may not work if they are blocked.

  • Analytics Cookies: We use analytics cookies to collect information about how visitors use our website, such as which pages are visited most often, how users navigate the site, and if they encounter errors. This helps us improve the website’s performance and user experience. For example, we might use Google Analytics or a similar tool that sets cookies to gather usage data and report trends (Google Analytics is configured to anonymize IP addresses in our case, to reduce the amount of personal data collected). We only deploy analytics cookies if you have given your consent via our cookie consent banner. The data collected by these cookies is aggregated and not intended to identify you directly. You can choose not to allow these cookies; if you opt out, your visit will not be tracked in our analytics.
  • Marketing and Advertising Cookies: As a B2B service, we have limited online advertising. However, we may occasionally use tracking pixels or cookies for marketing campaigns — for instance, a cookie to see if someone who visited our site later signed up, or to deliver targeted messages through third-party platforms like LinkedIn or Google Ads. These cookies collect information about your browsing habits to make advertising more relevant to you. We will only use such marketing cookies if you consent. If we run any retargeting or advertising campaigns, we will provide details in our cookie consent manager and allow you to opt in or out.
  • Functionality Cookies: These cookies enable enhanced functionality and personalization, such as live chat support or other interactive features on our site (if we offer them). They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, some or all of these additional features may not function properly. We will treat these similarly to essential cookies when they are required for a service you request, but where they are optional, we will ask for consent.
  • Your Cookie Choices: Upon your first visit to our site (and periodically thereafter), you will see a cookie notice allowing you to set your preferences. You can accept all cookies, reject non-essential ones, or customize your choices. If you change your mind, you can adjust your preferences at any time by accessing our Cookie Settings link (typically available in the footer of our site) or by clearing cookies in your browser. Most web browsers also allow you to control cookies through their settings (for example, you can refuse new cookies, delete existing ones, or have the browser notify you when new cookies are set). Please note that rejecting or deleting cookies may impact your experience on our site. For instance, if you block all cookies, you may not be able to log in or use certain features that rely on cookies.
  • Do Not Track and Similar Signals: Our website currently does not respond to “Do Not Track” (DNT) signals from browsers, because there is no uniform standard for DNT. However, we honor your selections in our cookie consent tool regarding analytics and marketing cookies, which serves a similar purpose of not tracking you when you have opted out.

For more detailed information about the cookies and tracking technologies we use, you can refer to our detailed Cookie Policy (if available) or contact us with any questions. We will also list the types of cookies and their purposes in our cookie consent banner interface.

10. Children’s Privacy

Our services are not directed to children and we do not knowingly collect personal data from individuals under the age of 16. Altruon is a business-to-business (B2B) platform intended for use by companies and adult representatives of those companies. We expect that anyone using our website or services is 16 years of age or older. If you are under 16, please do not provide any personal information to us or use our service.

In the unlikely event that we discover we have collected personal data from a child under 16 (for example, if a child impersonated an adult to sign up or an end-customer is identified as a minor), we will take immediate steps to delete that information from our servers (unless we are required by law to keep it) and will block the child’s account or usage. We also encourage parents or guardians to contact us if they believe their child may have provided us with personal data without consent, so we can promptly investigate and address it.

11. Automated Decision-Making

In principle, Altruon does not make any decisions about individuals that are based solely on automated processing (without human intervention) that produce legal effects or similarly significant effects. Most of our data processing involves facilitating transactions under the control of our merchant users, and not making unilateral decisions about people. However, we do employ some automated processes as part of our service operations, particularly for security and fraud detection, which we want users to be aware of:

Thank you for reading our Privacy Policy. If you have any questions about this policy or our data practices, please contact us at operations@altruon.io. We value your privacy and are dedicated to protecting your personal data while providing you with our fintech middleware services.

  • Fraud and Risk Monitoring: We use automated algorithms to help identify potentially fraudulent or suspicious activities on our platform. For example, our systems might automatically flag a transaction if it originates from a high-risk IP range, or if multiple failed payment attempts occur in a short time, or if other patterns match known fraudulent behavior. This kind of automated analysis helps us protect our merchants and their customers from fraud.
  • Outcome of Automated Flags: If a transaction or account is flagged by our system, it does not automatically mean a permanent decision is made. Typically, such flags will either:
    • Prevent the specific transaction from processing temporarily until further review, or
    • Send an alert to our team to manually review the situation, or
    • In some cases, automatically decline what appears to be a clearly fraudulent transaction (for example, blocking a payment attempt using a known stolen card number provided by a fraud detection service).
    These measures could have an effect like a transaction being declined or an account action being paused, but we include human oversight either before or immediately after such an event. For any significant action (like suspending a merchant’s account due to suspicious activity), our team will review and make the final determination, not a computer alone.

  • No Automated Profiling for Marketing Decisions: We do not engage in profiling of individuals in a way that would result in automated decisions affecting someone’s access to services, pricing, or legal rights. Any profiling we do (like understanding how a typical merchant uses our service) is for improving the product and is aggregated or business-focused, not to evaluate individual customers or end-users in a way that produces significant effects.

  • Your Rights Regarding Automated Decisions: If you believe you have been subject to a decision based solely on automated processing by Altruon that significantly affects you, you have the right under GDPR to request human intervention, to express your point of view, and to contest the decision. For example, if an end-customer feels a transaction was unfairly blocked due to an automated fraud filter, they (or the merchant on their behalf) can contact us to review the case. We will examine the request and ensure a proper human review is conducted, and explain the decision to you. However, in general, our automated systems are in place to protect users, and we make sure to involve human judgment for important matters.

If in the future we introduce any new form of automated decision-making that falls under Article 22 of the GDPR (automated decisions with legal or similarly significant effects), we will update this Privacy Policy and provide any required notices or opt-out options.

12. Policy Updates

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last Updated” date at the top of this policy. For substantial or material changes, we will take additional steps to notify you of the updates:

  • Notification of Changes: If we make any significant changes to this Policy, we will notify our merchant customers via email or through an in-app notification on our platform. For visitors or end-users, we will post a prominent notice on our website (for example, a banner or pop-up) to inform you of the change. We may also summarize the key changes for clarity.
  • Reviewing Updates: We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal data we collect. If you continue to use our website or services after a Privacy Policy update, it will signify your acceptance of the updated terms (to the extent permitted by law). However, if the changes require consent (for example, if we were to start processing data for a new purpose that requires consent), we will obtain that consent from you.
  • Version History: For transparency, we maintain an archive of previous versions of this Privacy Policy. If you wish to see prior versions, you can contact us for a copy or visit our website if we provide archived policies there. This allows you to see how our policy has evolved over time.

We will not reduce your rights under this Privacy Policy or under applicable data protection laws without your consent. If you have any questions about the changes or need clarification, feel free to reach out to us.

13. Complaint Procedures

Your privacy is extremely important to us, and we are committed to resolving any concerns you might have. If you have questions, concerns, or complaints about our data practices or this Privacy Policy, here are the steps you can take:

  • Contact Altruon First: We encourage you to contact us directly with any privacy-related questions or complaints. You can email us at operations@altruon.io. Our team will acknowledge and investigate your inquiry, and we will do our best to respond promptly and resolve the issue to your satisfaction. Whether you have a question about exercising your rights, a concern about how your data is handled, or a complaint about a potential privacy violation, we want to hear from you and we’ll work with you in good faith to address it.
  • Internal Resolution: When we receive a privacy inquiry or complaint, we will review it and may reach out to you for further information if needed. We aim to respond to all legitimate requests within one month, or faster if possible. For complaints, if we find that something went wrong on our end, we will take steps to fix it. If we cannot fulfill a request (for example, due to legal requirements) or if we disagree with a complaint, we will provide an explanation.

  • Lodging a Complaint with a Supervisory Authority: If you are not satisfied with our response, or if you believe we are processing your personal data in a way that is not lawful, you have the right to lodge a complaint with a data protection supervisory authority. Altruon’s lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) since we are based in the Netherlands. You can contact the Autoriteit Persoonsgegevens or submit a complaint through their website.
    • Autoriteit Persoonsgegevens (Dutch DPA) – Website: https://autoriteitpersoonsgegevens.nl (information is available in both Dutch and English). They provide guidance on how to file a complaint. Address: PO Box 93374, 2509 AJ DEN HAAG, Netherlands. Telephone: +31 (0)70-8888-500.
  • If you reside or work in another EU/EEA country, you may instead contact your local Data Protection Authority. Under the GDPR, you have the right to approach any EU supervisory authority, and they will coordinate to handle your complaint. A list of national data protection authorities can be found on the European Data Protection Board’s website.

We genuinely hope to resolve any privacy concerns directly and amicably. Your trust is important to us, and we will take every complaint seriously.

Altruon B.V. KVK 97816418