Privacy Policy

Last updated: February 1, 2026

Version: 2.0

1. Data Controller

Data Controller under GDPR:

WetWijzer/LisLoi

WetWijzer/LisLoi ("we", "our", "the Service") is responsible for the processing of your personal data as described in this privacy policy. We act in accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and the Belgian Law of July 30, 2018 on personal data protection.

2. Description of Service

WetWijzer/LisLoi is an unofficial research platform on Belgian legislation. The Service offers:

Searchable databases of laws, decrees, ordinances, and case law
An AI chatbot that answers questions about Belgian legislation
Optional user accounts for extended chatbot functionality

3. Data Collection Overview

3.1 Automatically Collected Data

Data	Purpose	Retention Period
IP address	Security, abuse prevention, rate limiting	90 days
Browser/device info (User-Agent)	Technical optimization, compatibility	90 days
Visit timestamp	Security logs	90 days
Pages visited	Anonymized statistics	90 days (anonymized indefinitely)

3.2 Account Data (upon registration)

Data	Required?	Purpose
Email address	Yes	Account verification, password recovery, communication
Name	No	Personalization
Password	Yes	Authentication (encrypted with bcrypt, never stored in plain text)
Language preference	Yes	Service delivery in chosen language
2FA secret	No	Two-factor authentication (AES-256 encrypted)

3.3 Payment Data

Data	Processed by	Stored by us?
Credit card/payment data	Stripe	No - never
Billing address	Stripe + WetWijzer	Yes
VAT number	Stripe + WetWijzer	Yes
Transaction history	Stripe + WetWijzer	Yes (7-year legal retention)

3.4 Chatbot Interactions

🔒 Privacy by Design: We do NOT store your chatbot conversations in our database.

Your questions are sent directly to Azure OpenAI and are not stored on our servers
Conversation context remains only locally in your browser during the session
After closing your browser, all conversation history disappears

⚠️ Warning: Do not share personal, confidential, or sensitive information in chatbot conversations. Conversations are processed by external AI providers.

4. Legal Bases for Processing

In accordance with GDPR Article 6, we process your personal data on the following legal bases:

Processing	Legal Basis (Art. 6 GDPR)	Explanation
Account creation and management	6(1)(b) Contract	Necessary for service delivery
Payment processing	6(1)(b) Contract	Necessary for purchase execution
Billing data retention	6(1)(c) Legal obligation	Accounting retention requirement (7 years)
PEPPOL electronic invoicing	6(1)(c) Legal obligation	Mandatory B2B e-invoicing law
Security logs	6(1)(f) Legitimate interest	Protection against fraud and cyberattacks
Technical debugging	6(1)(f) Legitimate interest	Service improvement
Anonymized statistics	6(1)(f) Legitimate interest	Service optimization

5. Data Sharing

5.1 Sub-processors

Party	Location	Purpose	GDPR Safeguard
Azure OpenAI (Microsoft)	Sweden (EU)	AI chatbot processing	EU Data Boundary, DPA
Stripe, Inc.	Ireland (EU)	Payment processing	GDPR compliant, DPA
Hetzner Online GmbH	Germany (EU)	Server hosting	GDPR compliant, DPA
Migadu	Switzerland	Email delivery	Adequacy decision CH
Storecove	Netherlands (EU)	PEPPOL e-invoicing	GDPR compliant, DPA

5.2 No Sale of Data

We NEVER sell, rent, or trade your personal data.

6. International Data Transfers

6.1 Data within EU

Your data is processed exclusively within the European Economic Area (EEA):

Application servers: Germany (Hetzner)
AI processing: Sweden (Azure OpenAI)
Payments: Ireland (Stripe)
Email: Switzerland (Migadu - adequacy decision)

6.2 No Transfer to Third Countries

No personal data is transferred to countries outside the EEA/Switzerland.

7. Retention Periods

Category	Retention Period	Reason
Server logs (incl. IP)	90 days	Security and debugging
Chatbot conversations	Not stored	Privacy by Design
Account data	Until account deletion + 30 days	Service delivery
Security log	1 year	Fraud detection
Billing data	7 years	Legal retention requirement (accounting law)
Anonymized statistics	Indefinite	Not traceable to individuals

8. Security Measures

We implement appropriate technical and organizational measures in accordance with GDPR Article 32:

8.1 Technical Measures

Encryption in transit: TLS 1.3 for all communications (HTTPS)
Encryption at rest: Encrypted storage of passwords (bcrypt) and 2FA secrets (AES-256)
Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
Firewall: Server firewall with limited access
Rate limiting: Protection against brute force attacks
Account lockout: After 5 failed login attempts

9. Automated Decision-Making and Profiling

9.1 AI Chatbot

The AI chatbot generates responses based on artificial intelligence. This is not automated decision-making within the meaning of GDPR Article 22 because:

No decisions with legal effects on you are made
Results are informational and contain no binding advice
You are not obligated to follow the results

9.2 No Profiling

We do not create user profiles for marketing, advertising, or price personalization. No profiling within the meaning of GDPR Article 4(4) takes place.

10. Cookies

🍪 Minimal Cookie Use: Not logged in? We place NO cookies.

10.1 Session Cookie (only when logged in)

Cookie	Purpose	Expiration	Type
_wetwijzer_session	Maintain login	30 days or on logout	Strictly necessary

10.2 Privacy-Friendly Analytics

We use Umami, a privacy-friendly analytics solution that:

Does not place cookies
Does not collect personal data (no IP address tracking)
Is fully hosted in the EU on our own servers (Germany)
Is open source and GDPR compliant

Umami collects only anonymized statistics such as page views and referrers, without identifying individual users.

10.3 No Invasive Tracking

We do not use:

Google Analytics or other tracking tools that use cookies
Advertising cookies
Cross-site tracking
Social media pixels or widgets

11. Your GDPR Rights

As a data subject, you have the following rights:

Right	GDPR Article	Description
Access	Art. 15	Request a copy of your personal data
Rectification	Art. 16	Request correction of inaccurate data
Erasure	Art. 17	Request deletion of your data ("right to be forgotten")
Restriction	Art. 18	Request restriction of processing
Portability	Art. 20	Receive your data in a structured, common format
Objection	Art. 21	Object to processing based on legitimate interest

11.1 Exercising Your Rights

You can exercise your rights by:

Sending an email to info@wetwijzer.be
Deleting your account via the account page (for erasure right)

We respond within 30 days. For complex requests, this period may be extended by 60 days.

12. Minor Data

The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and discover your child has provided us with data, please contact us for deletion.

13. Changes to This Policy

We may update this privacy policy. For substantial changes:

We post a visible notice on the website
We email registered users
We update the "last updated" date

14. Contact

For questions about this privacy policy or to exercise your GDPR rights:

WetWijzer/LisLoi

Email: info@wetwijzer.be

Website: wetwijzer.be / lisloi.be

15. Supervisory Authority

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Belgian Data Protection Authority (GBA/APD)

Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels

Tel: +32 (0)2 274 48 00

Email: contact@apd-gba.be

Website: www.gegevensbeschermingsautoriteit.be / www.autoriteprotectiondonnees.be

Nederlandse versie | Version française | Deutsche Version | Terms of Service | Back to WetWijzer