Privacy Statement
Version: 2.1
Effective Date: June 23, 2026
__LEGAL_SPACER__
Introduction
Rembrandt (operated by Mindmapp B.V., trading as Rembrandt) is a business intelligence platform that identifies actionable account-level business signals and matches companies to commercial intent profiles. Signals may be generated from publicly available business sources and from Customer-provided first-party data, such as CRM, prospect, website engagement, report download, sales activity, and meeting data, where a Customer chooses to provide or connect those data sources.
This Privacy Notice describes Rembrandt’s policies and practices regarding the collection and use of personal data. Rembrandt updates this Privacy Notice from time to time as our services, data practices, or legal requirements change.
__LEGAL_SPACER__
Data Protection Officer
Rembrandt is headquartered in Amsterdam, Netherlands (Weesperstraat 107, 1018VN, Amsterdam). Rembrandt has appointed an internal data protection officer for questions or concerns about Rembrandt’s personal data policies or practices.
Data Protection Officer
Rembrandt (Mindmapp B.V.)
Weesperstraat 107
1018VN Amsterdam
Netherlands
Email: privacy@rembrandtagents.com
__LEGAL_SPACER__
How We Collect and Use Personal Information
Rembrandt collects personal information about website visitors, platform users, customers, and, where our customers provide or connect first-party data sources, individuals included in customer-controlled business data.
__LEGAL_SPACER__
Information Collected via Our Marketing Website
• Contact information provided through email inquiries or contact forms, such as name, email address, company name, and message content
• Website usage data, such as IP address, browser type, operating system, approximate location, pages viewed, and cookie or similar tracking data
We use marketing website information to respond to inquiries, operate and improve our website, analyze usage, and improve marketing communications.
__LEGAL_SPACER__
Information Collected via the Rembrandt Platform
• Administrator and Authorized User Information: First name, last name, email address, authentication data, organization membership, role information, preferences, and notification settings
• Usage Data: Aggregated platform interaction metrics, feature usage, performance, support, and security data
• Public Business Data: Publicly available information from sources such as company websites, job postings, public platforms, news, reports, press releases, and other public web content
• Customer-Provided First-Party Data: Data that a customer provides, uploads, connects, or authorizes Rembrandt to retrieve, including CRM records, prospect and contact data, website engagement, report downloads, product or content engagement, sales activity, meeting notes, meeting transcripts, and GTM engagement data
• Derived Signal Data: Account-level signals, Rembrandt scores, buying journey insights, recommendations, evidence, summaries, and analytics generated by the platform
Customer-provided first-party data may include personal data relating to business contacts, prospects, customers, website visitors, meeting participants, and other individuals. In these cases, Rembrandt generally acts as a processor for the Customer, and the Customer acts as the controller responsible for lawful basis, notices, consents, and data subject requests.
__LEGAL_SPACER__
How We Use Platform Information
We use platform information to:
• authenticate users and provide secure account access;
• process and deliver the services subscribed to by customers;
• generate account-level signals, scores, business intelligence, recommendations, alerts, and reports;
• process Customer-configured first-party data sources as signal inputs where enabled by the Customer;
• manage account settings, user permissions, organization configuration, and integrations;
• synchronize or export data to Customer-authorized third-party systems such as CRM, sales engagement, marketing automation, analytics, ABM, or other GTM tools;
• provide technical support and respond to service requests;
• communicate about account, service, security, billing, and product updates;
• monitor platform usage, performance, availability, and security;
• analyze aggregated or anonymized usage patterns to improve our services and develop new features;
• detect, prevent, and address technical issues, security threats, fraud, or misuse;
• comply with legal obligations, enforce our agreements, and protect our rights and the rights of users and customers.
We do not sell personal information.
__LEGAL_SPACER__
Use of the Rembrandt Platform
When customers use my.rembrandtagents.com, Rembrandt may process public business data and Customer-provided first-party data to generate signals and account-level scoring. This processing may include automated analysis, AI-assisted classification, extraction, summarization, scoring, and recommendation generation.
__LEGAL_SPACER__
AI Processing
Rembrandt uses AI model providers, including OpenAI, to evaluate, summarize, classify, and generate signals from data processed through the platform. Customer-provided personal data used for AI processing is routed through EU-resident AI processing where enabled and available. Where non-EEA subprocessors are used, Rembrandt relies on Standard Contractual Clauses and supplementary safeguards as described in the DPA.
Rembrandt does not use Customer Service Data to train third-party foundation models unless expressly agreed in writing.
__LEGAL_SPACER__
Workflow Orchestration
Rembrandt uses Inngest Cloud for workflow orchestration, scheduling, retries, and operational event processing. Rembrandt designs Inngest event payloads to contain identifiers and operational metadata rather than raw Customer Personal Data, such as full CRM payloads, contact details, meeting transcripts, or notes.
__LEGAL_SPACER__
Observability
Rembrandt uses self-hosted Langfuse on Rembrandt-controlled AWS infrastructure in eu-central-1 for LLM observability and tracing.
__LEGAL_SPACER__
Cookies and Tracking Technologies
Rembrandt uses cookies and similar tracking technologies on our marketing website to collect and store information about website use. We use cookies for:
• essential website functionality;
• analytics and performance monitoring;
• user experience customization.
You can control cookies through your browser settings. If you do not accept cookies, some portions of our website may not function properly.
__LEGAL_SPACER__
When and How We Share Information with Third Parties
Rembrandt shares personal data only as needed to provide, secure, support, or improve the Services; comply with law; enforce agreements; or act on Customer instructions.
__LEGAL_SPACER__
Our Subprocessors
Rembrandt engages third-party service providers to facilitate the delivery of our services. These include:
• AWS (Amazon Web Services) - Cloud hosting, compute, database, storage, KMS encryption, networking, and infrastructure services in eu-central-1
• OpenAI - AI model processing and data classification, with EU-resident processing where enabled and available and SCCs/supplementary safeguards where non-EEA processing applies
• Inngest - Workflow orchestration, scheduling, retries, and operational event processing, with payloads designed to avoid raw Customer Personal Data where feasible
• SuperTokens Cloud - Authentication and user management services in the EU
• Stripe - Payment processing in the EU
• Sentry - Error monitoring and application performance in the EU
Mastra is used as a software framework within Rembrandt-controlled infrastructure and is not a separate subprocessor. Langfuse is self-hosted by Rembrandt on AWS eu-central-1.
A complete and up-to-date list of subprocessors, including purpose, data access scope, and location, is detailed in Section 5 (Subprocessors) of the Rembrandt Data Processing Agreement (DPA) (https://rembrandtagents.com/dpa).
__LEGAL_SPACER__
Customer-Authorized Third-Party Tools
Customers may authorize Rembrandt to connect to, retrieve data from, or export data to third-party tools such as CRM, sales engagement, marketing automation, analytics, ABM, or other GTM systems. These tools are generally controlled and contracted by the Customer, not Rembrandt. Customer-authorized transfers are made on Customer’s instructions and may be subject to Customer’s separate agreements and transfer mechanisms with those third-party providers.
__LEGAL_SPACER__
Other Disclosures
We may disclose information:
1. when you or a Customer requests or authorizes it;
2. to comply with law, legal process, or government requests;
3. to enforce our agreements or protect the rights, property, or safety of Rembrandt, our customers, users, or others;
4. to service providers acting on our behalf;
5. to address emergencies, disputes, claims, or requests by authorized representatives;
6. in aggregated or anonymized form that does not identify Customer or individuals.
__LEGAL_SPACER__
Transferring Personal Data Outside the EEA
Rembrandt is headquartered in Amsterdam, Netherlands. Our primary infrastructure runs in AWS eu-central-1 (Frankfurt, Germany).
__LEGAL_SPACER__
EU Processing
Platform user data, Customer Service Data stored in the platform, and self-hosted observability data are primarily processed on Rembrandt-controlled infrastructure in the EU.
__LEGAL_SPACER__
AI Processing
Customer-provided Personal Data used for AI processing is routed through EU-resident AI processing where enabled and available. Where AI processing or other subprocessor services occur outside the EEA, Rembrandt relies on appropriate safeguards, including Data Processing Agreements, Standard Contractual Clauses, transfer impact assessments where required, encryption in transit, access controls, and data minimization.
__LEGAL_SPACER__
Workflow Metadata
Inngest Cloud may process workflow orchestration metadata outside the EEA. Rembrandt designs event payloads to avoid raw Customer Personal Data where feasible and uses contractual and technical safeguards for applicable transfers.
For detailed information about data processing locations, subprocessors, and international transfers, please refer to Section 9 (International Data Transfers) of the Rembrandt Data Processing Agreement (DPA) (https://rembrandtagents.com/dpa).
__LEGAL_SPACER__
Data Subject Rights
Privacy laws, including the GDPR, provide certain rights for data subjects. These may include:
• right to be informed;
• right of access;
• right to rectification;
• right to erasure;
• right to restrict processing;
• right of data portability;
• right to object;
• rights related to automated decision-making, including profiling.
For personal data that Rembrandt controls directly, you may contact us at privacy@rembrandtagents.com.
For Customer-provided first-party data processed by Rembrandt on behalf of a Customer, the Customer is generally the controller. Data subject requests relating to such data should be directed to the relevant Customer. Rembrandt will assist Customers with validated requests in accordance with the DPA.
You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
__LEGAL_SPACER__
Security of Your Information
Rembrandt implements appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
• Encryption: Data encrypted at rest and in transit using industry-standard encryption protocols
• Access Controls: Role-based access controls and organization-level data isolation
• Data Minimization: Workflow event payloads designed to use identifiers and operational metadata rather than raw Customer Personal Data where feasible
• Monitoring and Logging: Continuous monitoring and logging to detect and respond to security events
• Intrusion Detection: Intrusion detection systems to prevent and identify potential security attacks
• Incident Response: Operational procedures for managing security incidents and breaches
• Regular Security Assessments: Regular security assessments of systems and infrastructure
No method of transmission over the Internet or electronic storage is 100% secure. However, we use commercially reasonable means to protect personal information.
__LEGAL_SPACER__
Data Storage and Retention
Personal data is stored by Rembrandt on AWS servers located in eu-central-1 (Frankfurt, Germany) and, where applicable, by authorized cloud service providers engaged by Rembrandt.
__LEGAL_SPACER__
Data Retention Periods
• Administrator and Authorized User Data: Retained as long as necessary to provide the Services, manage accounts, comply with legal obligations, and resolve disputes
• Customer-Provided First-Party Data: Retained for the duration of the customer relationship or shorter Customer-configured retention period where available, subject to legal retention obligations
• Raw Meeting Transcripts and Notes: Retained only as long as necessary for the configured processing purpose or Customer-configured retention period where available
• Signal Data and Account Scores: Retained for the duration of the customer relationship plus 2 years for analytics and historical context unless otherwise agreed
• Public Data and Customer-Specific Configurations: Retained while the customer actively uses the platform and for up to 7 years for historical analysis unless otherwise agreed
• Workflow Metadata: Retained according to applicable workflow provider retention terms and Rembrandt configuration
• Website Logs: Retained for security and compliance purposes for up to 365 days
• Account Termination: Upon account termination, Customer account data is generally deleted within 90 days unless retention is legally required
All personal data that Rembrandt controls may be deleted upon verified request from data subjects or their authorized agents, subject to legal retention requirements.
__LEGAL_SPACER__
Questions, Concerns, or Complaints
If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at:
Rembrandt (Mindmapp B.V.)
Data Protection Officer
Weesperstraat 107
1018VN Amsterdam
Netherlands
Email: privacy@rembrandtagents.com
General Inquiries: info@rembrandtagents.com
Data Protection Authority:
Autoriteit Persoonsgegevens (Dutch DPA)
Bezuidenhoutseweg 30
2594 AV Den Haag
Netherlands
Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 8500
Last Updated: June 23, 2026
Next Review: June 2027