Skip to content

Legal

Privacy Policy

Last updated: April 10, 2026

1. Who we are (controller)

For the purposes of the GDPR and Belgian law, the controller of personal data collected through warroom.assista.plus is:

  • Jo Suttels, eenmanszaak (sole proprietorship), operating under the trading name assista plus
  • Address: Lijsterhof 38, 3300 Tienen, Belgium
  • VAT: BE 1008196620
  • Email: jo@assista.plus

The marketing name “The War Room” refers to this undertaking. “We,” “us,” and “our” refer to the controller above.

2. What data we collect

You provide:

  • Email address (newsletter, free kit, assessment results, purchase-related messages)
  • Name and other details when you apply for programmes or contact us
  • Payment-related data: handled by Stripe (we do not store full card numbers)
  • Assessment or quiz responses you submit
  • Where you tick consent boxes, a record that consent was given (and when, if stored)

Automatically:

  • IP address, browser, device, pages viewed, approximate region (via hosting or analytics)
  • Referral URL and UTM parameters where present
  • Technical logs for security and reliability

3. Purposes and legal bases (GDPR Art. 6)

We process personal data on the following bases:

  • Contract (Art. 6(1)(b)): processing necessary to deliver products you bought, provide download links, and manage payments via Stripe.
  • Consent (Art. 6(1)(a)): marketing emails, non-essential cookies/analytics (where we ask for consent via our cookie banner), and any optional processing we describe at collection.
  • Legitimate interests (Art. 6(1)(f)): securing the Site, fraud prevention, improving our content and UX, and measuring aggregate performance — balanced against your rights; you may object as described below.
  • Legal obligation (Art. 6(1)(c)): retaining accounting and tax records, responding to lawful requests.

4. Processors and international transfers

We use service providers who process data on our instructions. They include (non-exhaustive):

  • Stripe (Ireland / USA) — payments, invoices, fraud checks. Data may be transferred outside the EEA under Stripe’s Data Processing Agreement, the Standard Contractual Clauses (SCCs), and other safeguards described in Stripe’s legal centre.
  • Xano (hosting region per your workspace) — API/backend for subscriptions, webhooks, and related data. Review Xano’s DPA and subprocessors in your agreement.
  • Vercel (USA / global edge) — hosting and deployment. Transfers may rely on SCCs and (where applicable) the EU-US Data Privacy Framework as described in Vercel’s documentation.
  • Resend (USA) — transactional email when used. Transfers typically covered by SCCs / DPA.
  • Google Analytics (optional) — only if you accept “Accept analytics” in our cookie banner and we have enabled GA4 in our deployment settings. Google may process data in the USA; see Google’s GDPR and SCC documentation.

We do not sell your personal data. We do not share it for third-party marketing unrelated to our own services.

5. Cookies and similar technologies

We use essential technologies needed for the Site to function (e.g. security, load balancing). When you first visit, a cookie preferences banner lets you choose Essential only (no analytics scripts) or Accept analytics (loads Vercel Web Analytics and, where configured, Google Analytics 4). Your choice is stored in your browser (e.g. localStorage) until you clear site data.

For more on managing cookies, see your browser settings.

6. Retention

We keep data only as long as needed: subscriber emails until you unsubscribe or request deletion (subject to overrides below); purchase and tax records as required by law (often several years); logs for a limited period for security. Specific retention may vary by system; contact us for details about your data.

7. Your rights (GDPR)

Depending on your situation, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data (“right to be forgotten”) where conditions are met
  • Restrict processing in certain cases
  • Data portability for data you provided, where processing is based on consent or contract and automated
  • Object to processing based on legitimate interests (including profiling in scope of that objection)
  • Withdraw consent at any time, without affecting prior lawful processing
  • Lodge a complaint with a supervisory authority

8. Supervisory authority

If you are in Belgium or the issue relates to our Belgian establishment, you may contact the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / APD-GBA): gegevensbeschermingsautoriteit.be.

9. Children

Our services are not directed at children under 16. We do not knowingly collect their personal data.

10. Changes

We may update this policy; the “Last updated” date will change. Material changes may be highlighted on the Site or by email where appropriate.

11. Contact

Privacy requests and questions: jo@assista.plus