Privacy policy · Datenschutzerklärung · Política de privacidad
Effective 2026-04-30. We update this page when our practices change.
This page describes how Buronia processes personal data when you use the service from Netherlands. The governing law is EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Complaints can be made to your national data protection authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Who is the controller
Buronia Operations OÜ (EU operating entity) — Lõõtsa 8a, 11415 Tallinn, Estonia. Contact us at privacy@buronia.com.
Data Protection Officer (GDPR Art. 37)
Victor Cheng — dpo@buronia.com. Contact our DPO directly with any data-protection request.
Your rights under GDPR
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request that we correct inaccurate or incomplete data.
- Right to erasure — request that we delete your data (subject to legal retention requirements).
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to lodge a complaint with your national data protection authority.
To exercise any of these rights, email dpo@buronia.com. We respond within the statutory deadline (typically 30 days; up to 45 days for complex requests).
What we collect, why, and on what legal basis
| Data | Purpose | Legal basis (GDPR Art. 6/9) | Retention |
|---|---|---|---|
| Name, address, date of birth | Generating your application draft | 6(1)(b) — performance of contract | 30 days after last activity, then deleted |
| Income, household size, rent | Eligibility calculation, draft generation | 6(1)(b) — performance of contract | 30 days |
| National ID, IBAN | Filling these into your draft after payment | 6(1)(b) | 30 days; encrypted at rest |
| Disability status (if applicable) | Eligibility for higher allowances | 9(2)(a) — explicit consent | 30 days; encrypted at rest |
| Email, payment data | Stripe checkout, receipt | 6(1)(b) | As required by accounting law (US/EU) |
| Email (account) | Sign-in via magic link, account access | 6(1)(b) | Until you delete the account |
| Uploaded documents (image/PDF) | OCR & drafting your reply to the authority | 6(1)(b) — performance of contract | 30 days, then auto-deleted |
| IP address, browser fingerprint | Security, abuse prevention | 6(1)(f) — legitimate interest | 14 days |
Address autocomplete (Google Maps Places API)
On benefit landing pages, the inline address field uses Google Maps Places API to suggest real addresses while you type. Each keystroke is sent to Google so the API can return matching suggestions. Google receives the partial text, your IP address, and standard request metadata. Google's processing is governed by Google's own privacy policy. If you prefer not to use it, type your address manually and do not select a suggestion — Google still receives the keystrokes during typing, so the only way to fully avoid it is to enter the address on the next page (the full form), which uses no third-party services.
How AI processing works
Your answers are sent to Anthropic (Claude) to generate the application draft. Sensitive fields (national ID, IBAN, exact income) are redacted before being sent to Buronia; the redacted placeholders are substituted on your device after payment. Anthropic does not train models on prompts sent through their API. We do not use your data for any other AI model training.
Where your data lives
Application drafts are stored on EU servers (Frankfurt, Germany). Payment is processed by Stripe (Standard Contractual Clauses for US/EU transfer). The Anthropic API call is routed via Anthropic's EU endpoint where available.
Your rights
- Access — request a copy of your data: privacy@buronia.com.
- Erasure — request deletion before the 30-day automatic window.
- Rectification — fix incorrect data.
- Portability — receive your data in JSON.
- Object to legitimate-interest processing — security/abuse logs only.
- Lodge a complaint with your national supervisory authority. The complete list with direct complaint links is on the complaints page. Examples by country we operate in:
- 🇩🇪 Germany — Bundesbeauftragte für den Datenschutz (BfDI), bfdi.bund.de.
- 🇪🇸 Spain — Agencia Española de Protección de Datos (AEPD), aepd.es.
- 🇫🇮 Finland — Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman), tietosuoja.fi, Lintulahdenkuja 4, 00530 Helsinki.
- 🇱🇹 Lithuania — Valstybinė duomenų apsaugos inspekcija (VDAI), vdai.lrv.lt.
Cookies
We use one functional cookie (formera_country) to remember
which country site you're on. After sign-in we additionally set
formera_user_id (httpOnly, SameSite=Lax) so you stay
logged in for 30 days. We do not use advertising or analytics cookies.