Privacy Policy

Belya S.A. is a public limited company (société anonyme) incorporated under Luxembourg law, with registered office in Luxembourg. We are the data controller for the personal data we collect through our platform and services.

For any data protection inquiries, contact our Data Protection Officer (DPO) at dpo@belya.lu or write to us at contact@belya.lu.

We collect only the data necessary to provide our research intelligence services:

• Account data: name, email address, organization, job title, billing information
• Usage data: reports accessed, preferences selected, interaction with our platform
• Technical data: IP address, browser type, device information, pages visited
• Communication data: correspondence with our team, support requests, feedback

We do not collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data) unless voluntarily provided by you in communications.

Your personal data is processed exclusively for the following purposes:

• Providing and managing your subscription (legal basis: Art. 6(1)(b) GDPR — contract performance)
• Personalizing reports and recommendations (legal basis: Art. 6(1)(b) GDPR — contract performance)
• Service communications — invoices, updates, technical notices (legal basis: Art. 6(1)(b) and (f) GDPR)
• Improving our platform and services through analytics (legal basis: Art. 6(1)(f) GDPR — legitimate interest)
• Fraud prevention, rate limiting, and security — including storing the IP address at signup (legal basis: Art. 6(1)(f) GDPR — legitimate interest)
• Complying with legal obligations (legal basis: Art. 6(1)(c) GDPR)

We do not use your data for automated decision-making that produces legal effects concerning you, except for the personalization of report content, where you have the right to request human intervention. In compliance with the EU AI Act (Regulation 2024/1689), we transparently disclose that our reports are AI-generated. Human oversight is applied to methodology design, source selection, and quality assurance.

We retain your personal data only as long as necessary:

• Account data: for the duration of your subscription plus one (1) year for evidentiary purposes
• Usage data: anonymized after 12 months
• Technical data (logs): 6 months
• Billing data: 10 years (Luxembourg legal obligation)

After the retention period, data is permanently deleted or anonymized.

We never sell, rent, or trade your personal data to third parties for their own commercial purposes.

We may share data with trusted service providers who process data on our behalf (sub-processors), including:

• Cloud hosting infrastructure (Netlify, Inc. — United States)
• Security and bot protection (Cloudflare, Inc. — United States, Turnstile CAPTCHA)
• Payment processing services
• Analytics services (Umami — privacy-friendly, anonymized, no cookies)
• Email communication services

All sub-processors are bound by data processing agreements that comply with GDPR requirements. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: obtain confirmation of whether we process your data and receive a copy
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your data
• Right to restriction: limit how we process your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interest or for direct marketing
• Right to withdraw consent: where processing is based on consent, you may withdraw at any time

To exercise any of these rights, email us at contact@belya.lu. We will respond within 30 days. You also have the right to lodge a complaint with the Luxembourg data protection authority (Commission Nationale pour la Protection des Données — CNPD).

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.3), encryption at rest, access controls, and regular security audits.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Luxembourg data protection authority (CNPD) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

The Belya platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly. If you believe a child has provided us with data, please contact us immediately.

We may update this Privacy Policy from time to time. Material changes will be notified to you by email or through a notice on our platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

For any questions, concerns, or requests regarding your personal data:

Belya S.A.
Data Protection Officer (DPO)
Email: dpo@belya.lu
General inquiries: contact@belya.lu