Privacy Policy

PBI Docs is operated by Dividata B.V., a company registered in the Netherlands. We are the data controller for the personal data described in this policy.

Contact: privacy@dividata.nl — Dividata B.V., The Netherlands

We collect only what is necessary to provide the service:

• Account data — name, email address, and profile picture obtained from your identity provider (Microsoft, Google, or GitHub) when you sign in.
• Workspace data — tenant name, members you invite, repository names and URLs, and job history for documentation runs.
• Usage data — timestamps of sign-ins and documentation jobs, error logs used for debugging and service improvement.
• Technical data — IP address, browser type, and session tokens collected automatically when you use the service.

We do not sell your data to third parties and do not use it for advertising.

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)) — processing your account and workspace data to provide the service you subscribed to.
• Legitimate interests (Art. 6(1)(f)) — usage logs and error data to maintain security, detect fraud, and improve the platform.
• Legal obligation (Art. 6(1)(c)) — retaining transaction and billing records as required by Dutch tax law.

• Authenticate you and manage your workspace.
• Process Power BI documentation jobs you initiate.
• Send transactional emails (job completion, invitations, billing receipts).
• Monitor service health and investigate errors.
• Comply with legal obligations.

We share data only with processors under contractual data-processing agreements:

• Microsoft Azure — hosting, database, storage, and message queue (EU West Europe region).
• Anthropic — AI model used to generate documentation. Content is processed transiently; Anthropic's API does not train on customer data by default.
• Stripe — payment processing. We do not store card details ourselves.
• Microsoft / Google / GitHub — OAuth identity providers used for sign-in. Only your name, email, and provider user ID are passed to us.

• Account data is retained for the lifetime of your account plus 30 days after deletion.
• Documentation job outputs are retained for 12 months, then deleted.
• Billing records are retained for 7 years as required by Dutch tax law.
• Server logs are retained for 90 days.

All data is stored within the European Economic Area (Azure West Europe, Netherlands). Anthropic's API servers are located in the United States; transfers are covered by Standard Contractual Clauses under GDPR Art. 46.

Under GDPR you have the right to:

• Access — obtain a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data (“right to be forgotten”).
• Restriction — limit how we process your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any right, email privacy@dividata.nl. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

We use TLS in transit, AES-256 encryption at rest, role-based access control, and automated secret rotation. Access to production systems is restricted to authorised personnel and logged.

We use a small number of strictly-necessary cookies and optional analytics cookies. See our Cookie Policy for details.

We will notify workspace owners by email at least 14 days before making material changes. Continued use of the service after the effective date constitutes acceptance.