Privacy Policy
Last updated: 27 April 2026
For any additional information on personal data protection in the European Union, we invite you to consult: https://commission.europa.eu. Continued browsing of this site implies unreserved acceptance of the provisions and conditions of use below. The current online version is the only version applicable throughout the period of use of the site, until a new version replaces it.
1. Data controller
Personal data collected through the public site is processed by CREOSIT SRL (operating Olvyn), 33 Rue de Namur, 5380 Fernelmont, Belgium, BCE 1021.014.971. Contact: simon@olvyn.eu.
2. Personal data collected
On the public site we collect: (i) data you actively submit through forms (in particular the financial self-diagnostic and contact forms): name, email address and, where you provide it, phone number and company name — diagnostic submissions, including your indicative scores and selected pain point, are stored as a row in our EU-hosted database (Supabase) to enable follow-up, anti-abuse and aggregated, non-identifying improvement of the tool; (ii) strictly necessary technical data such as language preference and an authentication session if you log into the product; (iii) IP address and request metadata processed transiently by Cloudflare (edge security and WAF) and by our edge functions to prevent abuse, fraud, brute-force attempts and denial-of-service — legitimate interest, GDPR Art. 6(1)(f); and (iv) where you have given prior consent via the cookie banner, audience-measurement data collected through Google Analytics (pseudonymous identifiers, pages viewed, approximate location derived from IP, device and browser characteristics). We do not run advertising, remarketing or behavioural-tracking technologies on the public site.
3. Purposes and lawful bases
Data is processed to: (a) respond to your enquiries and deliver any diagnostic report you request — performance of pre-contractual or contractual measures, GDPR Art. 6(1)(b); (b) ensure the security and integrity of the site and prevent abuse — legitimate interest, GDPR Art. 6(1)(f); (c) comply with legal obligations — GDPR Art. 6(1)(c); (d) measure audience and improve the site through Google Analytics — consent, GDPR Art. 6(1)(a) and Art. 129 of the Belgian Electronic Communications Act, given via the cookie banner and revocable at any time. We do not perform behavioural advertising or profiling on the public site.
4. Sub-processors
We use the following sub-processors to operate the public site: OVH (domain-name registration, France/EU), Cloudflare (edge content delivery, security/WAF, and edge bot-aware pre-rendering of public pages via Cloudflare Browser Rendering and Workers KV cache, with EU data localisation where applicable), Supabase (database hosting for diagnostic submissions and authentication, EU region), Resend (transactional email delivery for diagnostic notifications and account-related messages, EU) and — only where you have given prior consent via the cookie banner — Google Ireland Limited / Google LLC for Google Analytics (audience measurement). All sub-processors are bound by data-protection agreements consistent with GDPR Art. 28. The list is updated as the stack evolves.
5. International transfers
Data collected on the public site is stored in the European Union. Where you consent to Google Analytics, data may be transferred to the United States by Google LLC. Such transfers rely on the EU–US Data Privacy Framework (Google LLC is certified) and, as an additional safeguard, on the European Commission's Standard Contractual Clauses together with technical measures such as IP-address truncation. You can withdraw your consent at any time via the cookie banner; no other transfer outside the EEA is performed for the public-site processing operations described in this policy.
6. Your rights
Under the GDPR you have the right to access your data, to obtain its rectification or erasure, to restrict or object to its processing, and to data portability. To exercise these rights, contact us at simon@olvyn.eu or by post at 33 Rue de Namur, 5380 Fernelmont, Belgium. Identity verification is requested only where there is reasonable doubt about the identity of the person making the request, in line with EDPB Guidelines 01/2022. We respond within one month, extendable by two months if the request is complex.
7. Right to lodge a complaint
You have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), Rue de la Presse 35, 1000 Brussels — www.autoriteprotectiondonnees.be — or with the supervisory authority of the EU Member State of your habitual residence.
8. Retention
Lead-form and diagnostic-enquiry data is retained for up to 24 months from the last interaction unless the relationship turns into a contract, in which case retention follows the product agreement. Security and abuse-prevention logs are retained for up to 12 months. We may keep some data longer where required to comply with legal obligations or to defend legal claims.
9. Sharing of personal data
Personal data may be shared with the sub-processors listed above, strictly within the EU, to the extent necessary for them to deliver their services. We may also disclose data where required by law, to respond to a legitimate request from a public authority, or to defend our rights in legal proceedings. We do not sell personal data and do not share it for third-party advertising.
10. Commercial communications
We do not currently run a marketing-prospecting programme. If we introduce one in the future, it will be based on explicit opt-in consent and will include a one-click unsubscribe option. To object at any time, write to simon@olvyn.eu.
11. Cookies
The public site uses two categories of cookies and equivalent local storage. (1) Strictly necessary: a language-preference key, your cookie-consent choice and, where you log into the product, an authentication session. These are exempt from prior consent. (2) Audience measurement (Google Analytics): set only after you click 'Accept' on the cookie banner; they generate pseudonymous identifiers used to measure traffic and improve the site, with IP-address truncation enabled. We do not currently use Google Tag Manager for advertising, advertising or remarketing cookies, social-media trackers or DoubleClick; if this changes in the future, we will update this policy and ask for renewed consent before any new tracking technology is set. You can change or withdraw your consent at any time using the 'Cookie settings' link in the site footer, which re-opens the consent banner; alternatively, contact us at simon@olvyn.eu.
12. Security
We apply technical and organisational measures aligned with industry standards (TLS 1.2+ in transit, encryption at rest at the database layer, strict role-based access control, RLS isolation, audit logging and least-privilege principles). The controls in place are documented in our internal security register and reviewed periodically. Where GDPR Art. 33 applies — that is, where a personal data breach is likely to result in a risk to the rights and freedoms of data subjects — we will notify the Belgian Data Protection Authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, and we will inform affected individuals without undue delay where the breach is likely to result in a high risk under Art. 34. Sub-threshold incidents are documented in our internal register but do not trigger external notification.
13. Edge pre-rendering and bot detection
To make the public site discoverable by search engines and AI assistants that do not execute JavaScript, the Cloudflare edge layer inspects the User-Agent header of incoming requests and may serve a pre-rendered HTML snapshot of the requested public page to known crawlers (for example Googlebot, Bingbot, GPTBot, PerplexityBot, ClaudeBot, CCBot, Applebot, LinkedInBot). Snapshots are generated by Cloudflare's Browser Rendering service from public pages only and stored in a short-lived edge cache (Cloudflare Workers KV). This processing concerns automated crawlers, not human visitors; it does not target individuals, does not produce legal effects on data subjects under GDPR Art. 22, and does not involve any personal data submitted via forms — those forms are not present on the pre-rendered marketing pages and are processed by Supabase under the conditions described above. Human visitors continue to receive the standard interactive site without modification.
14. Service enquiries and advisory engagements
When you contact us about Strategic Financial Advisory services, complete the financial self-diagnostic, request a discovery call, or otherwise enquire about an engagement, the personal and business data you provide (name, role, company, email, phone, sector, indicative financial inputs, free-text description of your needs) is processed on the basis of pre-contractual measures taken at your request — GDPR Art. 6(1)(b) — and our legitimate interest in responding to commercial enquiries — Art. 6(1)(f). This data is used solely to qualify the request, prepare a proposal or engagement letter, and follow up. It is not used for behavioural profiling, automated decision-making with legal effects (Art. 22), or any purpose unrelated to the requested engagement. If a written engagement letter is signed, processing of any further client data is governed by that letter and, where applicable, by a dedicated Data Processing Agreement (Art. 28). If no engagement materialises, lead-stage data is retained as described in Article 8 (Retention). Calculator outputs and diagnostic scoring are produced from the inputs you submit and are not used for behavioural profiling, automated decisions with legal effects (Art. 22) or any purpose unrelated to the service you requested; aggregate, non-identifying technical signals may be retained to improve the tools. Onboarding to the Olvyn Finance software platform triggers a separate data-controller / data-processor relationship governed by the platform's own privacy notice and DPA, distinct from the present policy.
The Olvyn Finance application is governed by a separate Terms of Service, Data Processing Agreement and Privacy Notice provided to customers at sign-up. Those documents prevail over the present site terms for product use.