Short version: we only collect what we need to help you, we do not sell your data, we do not train AI models on your data, and you can request access or deletion at any time.
MODUS is a brand of ZESTOLOGY BV.
For the purposes of the GDPR and the EU AI Act, we are the controller for the data you share directly with us through the website, email or calendar platform.
ZESTOLOGY BVFor assignments where we process personal data on your behalf, for example when building automations on your customer data, we act as processor.
In that case, we sign a separate Data Processing Agreement ("DPA") in advance, as required by article 28 GDPR.
We may collect:
We may process:
We collect:
Cloudflare temporarily stores IP addresses for security and bot detection, for a maximum of 24 hours.
We use personal data for the following purposes:
To answer your message and follow up on quotes, based on pre-contractual relationship under article 6.1.b GDPR.
To perform the agreed assignment, based on performance of contract under article 6.1.b GDPR.
To handle billing and accounting, based on legal obligation under article 6.1.c GDPR.
To improve our website, based on legitimate interest under article 6.1.f GDPR, using aggregated data.
To secure our systems, including Cloudflare, MFA and logs, based on legitimate interest under article 6.1.f GDPR.
We do not do direct marketing without your explicit consent. We do not add you to a mailing list unless you choose to subscribe.
We build AI applications for clients.
For our own operations and client assignments, we use large language models and automation providers. We are explicit about what this means.
We do not train models on your data. We use business API versions, such as OpenAI Platform, Anthropic API or Azure OpenAI, where training on client data is disabled by default, or we configure explicit opt-out flags.
We do not make automated decisions about you. We do not make decisions with legal effects or similarly significant impact about you as a visitor or client within the meaning of article 22 GDPR.
If the solutions we build for your customers do automate such decisions, you are the controller and we help you with the required assessments.
Human validation remains required. LLM output may contain errors or hallucinations. For any decision with substantial impact, a human remains in the loop — with us and in the solutions we deliver.
We are EU AI Act-aware. We classify AI systems we build according to the risk levels of the EU AI Act, Regulation 2024/1689. For systems that may qualify as high-risk under Annex III, we request a joint risk analysis in advance and help with documentation and transparency obligations.
We keep data only as long as needed.
Contact requests that do not lead to an assignment are kept for a maximum of 12 months and then deleted.
Client data is kept during the term of the contract plus 5 years, in line with the Belgian limitation period for contractual liability under article 2262bis of the Civil Code.
Accounting records are kept for 7 years, as required by article III.86 of the Belgian Code of Economic Law.
Website statistics are aggregated and kept for a maximum of 24 months.
Cloudflare security logs are kept for a maximum of 24 hours.
We only share data with service providers needed to do our work, and only to the extent strictly necessary.
Current subprocessors and service providers:
| Category | Provider | Hosting / location |
|---|---|---|
| Email and documents | Microsoft 365 | EU data centres (EU Data Boundary) |
| Website hosting | Cloudflare Pages | Global CDN, EU edge prioritised |
| Calendar scheduling | Cal.eu | EU hosting |
| Payments (where applicable) | Stripe | EU + US (SCCs) |
| LLM providers (client assignments) | OpenAI, Anthropic, Google, Microsoft Azure OpenAI | US / EU (DPF + SCCs); business API, training off |
| Automation platforms | n8n (self-hosted or cloud), Make, Power Automate | Client tenant or EU |
| Accounting | Accounting firm in Belgium | Belgium |
| Belgian tax authorities | FPS Finance | Belgium |
We do not sell data, use advertising networks or share client data for commercial purposes. For any new subprocessor that gets access to client personal data, we inform the relevant client in advance.
By default, we keep your data in the EU.
Where a specific part of an assignment requires a tool outside the EU, such as an AI provider with servers in the US, we use the legal frameworks provided by the European Commission. This may include:
Under the General Data Protection Regulation, you have the right to:
You can send a request to hello@modus-ops.be. We respond within 30 days, in line with article 12 GDPR.
If you disagree with how we handle your request, you can file a complaint with the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit / Autorité de protection des donnéesWe secure your data using common best practices:
For client assignments, we work within your own tenant and with your own keys wherever possible.
We do not copy your data into our environment unless strictly necessary and unless you have given permission.
In the very unlikely event of a personal data breach that creates a risk to your rights and freedoms, we notify the Belgian Data Protection Authority within 72 hours after becoming aware of it, as required by article 33 GDPR.
Where the breach creates a high risk, we also notify you directly, as required by article 34 GDPR.
Our services are directed exclusively at organisations and business users.
We do not knowingly collect data from persons under 16.
If this happens, we delete the data as soon as we become aware of it.
We may update this policy if our services or applicable rules change, including EU AI Act implementing measures.
The version and last-updated date at the top show when this last happened.
Substantial changes that affect your rights will be communicated by email to active clients.
Send your question or complaint to hello@modus-ops.be.
A real human will respond within 30 days.