Privacy Policy
Status note. AmPhi Labs B.V. is currently being incorporated under Dutch law. Until KvK registration completes, the founders act personally and jointly with the company-in-formation as joint controllers. Registered office: Singel 542, 1017AZ Amsterdam, Netherlands. KvK and VAT numbers will be added here within 10 working days of incorporation.
1. Who we are and what this notice covers
This Privacy Policy explains how AmPhi Labs B.V. i.o. ("AmPhi Labs", "we", "us") processes personal data when you:
a. visit tetrik.ai or any subdomain; b. submit a research survey hosted by us; c. join our early-adopter waiting list or pilot programme; d. correspond with us by email; or e. use the Tetrik service as an authorised user of a pilot customer.
It is written to meet Regulation (EU) 2016/679 (GDPR), the Dutch implementing law Uitvoeringswet AVG (UAVG), the UK GDPR and Data Protection Act 2018, and the Swiss Federal Act on Data Protection (revFADP, 2023).
If you only want the short version: we collect as little as we can, we never sell your data, you can withdraw consent at any time, and you can email hello@tetrik.ai to exercise any of your rights.
2. The personal data we process and why
| # | Purpose | Categories of data | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|---|
| 1 | Operate the website (security, load balancing, fraud prevention) | IP address, user-agent, request timestamps, page paths | Art. 6(1)(f) — legitimate interest in a secure, functioning site | Server logs deleted after 30 days |
| 2 | Run the research surveys (void-space, packaging operations, PPWR readiness, etc.) | Survey answers, company type, company size, country, role, optional email | Art. 6(1)(a) — explicit consent | Identifiable answers deleted 24 months after submission, or earlier on request. Aggregated/anonymised statistics may be kept indefinitely. |
| 3 | Maintain the early-adopter / pilot waiting list and contact you about access | Name, business email, company, country | Art. 6(1)(a) — consent (you ticked the box) | Until you unsubscribe or 24 months of inactivity, whichever comes first |
| 4 | Send product newsletters and early-adopter updates | Email, engagement metrics (opens, clicks) | Art. 6(1)(a) — consent | Until you unsubscribe |
| 5 | Provide the Tetrik service to a pilot customer | Authorised-user name, business email, account log-in events, in-app actions | Art. 6(1)(b) — performance of the pilot agreement with your employer | Duration of the pilot + 12 months, then deleted or anonymised |
| 6 | Process customer-uploaded SKU and order data for box-size optimisation | Product dimensions, weights, order line items; no consumer personal data is required | Art. 6(1)(b) — we act as processor for the pilot customer under a DPA | Per the DPA — typically 30 days after pilot ends |
| 7 | Comply with legal obligations (accounting, tax, lawful requests) | Whatever the obligation requires | Art. 6(1)(c) — legal obligation | Dutch statutory periods (commercial books: 7 years) |
| 8 | Defend or bring legal claims | Correspondence, contracts, logs | Art. 6(1)(f) — legitimate interest | Up to the relevant Dutch limitation period (max 20 years for some claims) |
We do not process special categories of personal data (Art. 9 GDPR), and we do not carry out automated decision-making with legal or similarly significant effects on you (Art. 22 GDPR).
3. Where the data lives — sub-processors
We host and process personal data with the following sub-processors. The current list is maintained at tetrik.ai/legal/sub-processors and you will be notified of material changes.
| Sub-processor | Function | Location of processing | Safeguards |
|---|---|---|---|
| Netlify, Inc. | Website hosting, form delivery, CDN, basic analytics | EU edge + US | Standard Contractual Clauses (EU 2021/914), EU-US Data Privacy Framework |
| Google Ireland Ltd. / Google LLC (Workspace, Sheets, Apps Script, Gmail) | Survey response capture, internal email, document storage | EU primary, US fallback | SCCs, EU-US DPF |
| Google LLC (Gmail / Workspace) | Transactional email + early-adopter outreach (via Gmail) | EU primary, US fallback | SCCs / EU-US DPF |
We will publish a final, confirmed sub-processor list before the pilot opens. If a new sub-processor processes personal data, we update the list at least 30 days before they go live so you can object.
4. International transfers
Where data leaves the EEA / UK / Switzerland — for example to a US sub-processor — we rely on one or more of:
- the EU Commission adequacy decision for the country in question, where one exists;
- the EU-US Data Privacy Framework for certified US importers;
- the 2021 Standard Contractual Clauses (with the UK Addendum and the Swiss adaptations where relevant);
- supplementary technical measures (encryption in transit and at rest).
A copy of the relevant SCCs is available on request at hello@tetrik.ai.
5. Your rights
Under the GDPR/UK GDPR/FADP, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data ("right to be forgotten");
- restrict or object to processing based on legitimate interest;
- data portability for data you provided to us under consent or contract;
- withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal; and
- lodge a complaint with a supervisory authority — in the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), in the UK the ICO (ico.org.uk), in Switzerland the FDPIC (edoeb.admin.ch).
To exercise any right, email hello@tetrik.ai. We respond within one month as required by Art. 12(3) GDPR. We may ask for proportionate proof of identity if your request is unclear.
6. Survey participants — opt-in and opt-out in plain English
You only enter a Tetrik research survey by clicking through to it yourself. Inside the survey:
- Email is optional. Surveys are answerable without giving us any contact details. If you skip the email field, your responses cannot be tied back to you.
- Explicit consent. If you do provide an email, you must tick the GDPR consent box before submitting. The box is not pre-ticked (consent must be a clear affirmative act — Art. 4(11) GDPR).
- Opt-out at any time. Email hello@tetrik.ai with the subject "SURVEY OPT-OUT" and your email address. We will delete your identifiable response within 14 days and confirm in writing. Aggregated statistics that no longer identify you may be retained.
- Withdrawal does not affect lawfulness of processing before withdrawal.
We do not enrich survey responses with third-party data, we do not share them with advertisers, and we do not sell them. Aggregated, anonymised insights may be published in white papers and presentations.
7. Cookies and similar technologies
See our separate Cookie Policy at tetrik.ai/legal/cookies. Short version: we use one strictly-necessary cookie for the consent banner itself; everything else (analytics, embedded media) loads only after you actively consent.
8. Security
We apply commercially reasonable technical and organisational measures, including TLS 1.2+ in transit, encryption at rest in our sub-processors' default configurations, least-privilege access, single-sign-on with two-factor authentication for the team, and quarterly access reviews. No system is perfectly secure; if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and you without undue delay if the risk is high (Art. 34 GDPR).
9. Children
The Tetrik service is a B2B tool. We do not knowingly process personal data of anyone under 16. If you believe we have, contact us and we will delete it.
10. Changes to this policy
We will publish any material change at tetrik.ai/legal/privacy at least 14 days before it takes effect, and notify pilot customers and waiting-list subscribers by email.
11. Contact
AmPhi Labs B.V. i.o. Email: hello@tetrik.ai Postal: Singel 542, 1017AZ Amsterdam, Netherlands KvK: in progress · VAT: in progress
If you are unable to resolve a concern with us, you may contact your local supervisory authority:
- Netherlands — Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- United Kingdom — Information Commissioner's Office — ico.org.uk
- Switzerland — Federal Data Protection and Information Commissioner — edoeb.admin.ch
- Any other EEA member state — your national DPA.