Privacy Policy

Last updated: September 16, 2025

1. Who We Are

BessieAI ("we", "us", "our") is operated by KekoLabs, based in Belgium. At the time of this policy, KekoLabs operates as a Belgian business entity (formal incorporation status may evolve).

Contact: support@bessie.kekolabs.eu

For purposes of EU data protection law:

  • For Customer account and website usage data, BessieAI acts as a Data Controller.
  • For charter request data submitted through a Customer’s website, BessieAI acts as a Data Processor on behalf of the Customer (broker/operator).

2. Roles Under GDPR

When an end user submits a charter request through a broker’s website using BessieAI:

  • The Customer (broker/operator) is the Data Controller.
  • BessieAI processes the data solely to structure, validate, and deliver the request.

BessieAI does not determine the purposes of processing charter request data beyond providing the Service.

3. Categories of Personal Data

A. Charter Request Data (Processor Role)

Submitted via the Customer’s website:

  • Trip routing (origin, destination, multi-leg details)
  • Dates and times
  • Passenger count
  • Free-text notes
  • Contact details (name, email, phone)

The Customer determines the lawful basis for collecting this data.

B. Customer Account & Billing Data (Controller Role)

Collected from subscribing brokers/operators:

  • Business name
  • Account email
  • Billing contact information
  • Allowed domain configuration
  • Subscription records

Payments are processed by Lemon Squeezy, which acts as the Merchant of Record and independent payment processor. Lemon Squeezy handles VAT collection, invoicing, and payment compliance. BessieAI does not store full payment card details.

C. Technical & Operational Data

Collected automatically for security and reliability:

  • IP address
  • Browser and device metadata
  • Timestamps
  • System logs and error reports

4. Legal Bases for Processing

Where GDPR applies, we rely on:

  • Contract performance (Art. 6(1)(b)) – providing the Service
  • Legitimate interests (Art. 6(1)(f)) – security, abuse prevention, and reliability
  • Legal obligation (Art. 6(1)(c)) – compliance with applicable law
  • Consent (Art. 6(1)(a)) – where legally required

For charter request data, the Customer is responsible for determining and documenting the appropriate lawful basis.

5. How We Use Data

We use personal data to:

  • Structure and validate charter request information
  • Deliver broker-ready summaries to the Customer
  • Operate, secure, and improve the Service
  • Prevent abuse and unauthorized domain use
  • Provide support and subscription management
  • Comply with legal requirements

We do not sell personal data.

We do not use personal data for automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.

6. Infrastructure & Subprocessors

We use trusted third-party providers to operate the Service, including:

  • Google Cloud / Firebase (Firestore) for infrastructure and data storage
  • Email delivery providers for notifications
  • Lemon Squeezy (Merchant of Record) for payment processing
  • Monitoring and logging providers

These providers may process data on our behalf under contractual data protection obligations.

A current list of subprocessors is available upon request.

7. International Data Transfers

Our infrastructure provider (Google Cloud / Firebase) and payment provider (Lemon Squeezy) may process data outside the European Economic Area (EEA).

Where required, transfers rely on appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

8. Data Retention

  • Charter request data: retained up to 6 months unless otherwise required by the Customer.
  • Operational logs: typically retained up to 6 months for security and reliability.
  • Account and billing records: retained as required for contractual and legal obligations.

Data may be deleted or anonymized after retention periods expire.

9. Data Subject Rights

Under GDPR, individuals may have the right to:

  • Access personal data
  • Rectify inaccurate data
  • Erase personal data
  • Restrict processing
  • Object to processing
  • Request data portability
  • Lodge a complaint with a supervisory authority

If you submitted a charter request via a broker’s website, please contact that broker first, as they are the Data Controller.

You may also lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit).

For account or website data requests: support@bessie.kekolabs.eu

10. Security Measures

We implement appropriate technical and organizational measures, including:

  • Encrypted data transmission (HTTPS)
  • Access controls and role-based permissions
  • Principle of least privilege
  • Infrastructure monitoring and logging
  • Data minimization practices

No system can guarantee absolute security.

11. Cookies & Tracking

We do not use analytics or advertising cookies.

Only strictly necessary technical mechanisms required for secure operation may be used.

12. Data Processing Addendum (DPA)

Customers may request a Data Processing Addendum (DPA) governing BessieAI’s processing of charter request data.

13. Children’s Privacy

The Service is not directed to individuals under 16 years of age.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via website notice or email.

Continued use of the Service constitutes acceptance of the updated Privacy Policy.

15. Contact

Privacy-related inquiries:

support@bessie.kekolabs.eu