Privacy Policy

Ground Control is operated by Velvet Lab SComm, a software and IT consultancy registered in Belgium (Brussels). We build and operate custom SaaS products for European technology companies, including the Ground Control platform. Data controller contact: privacy@groundcontrol.land.

We collect information you provide directly (name, email, company, billing details), usage data generated by your interaction with the Service (scan results, API calls, session logs), and technical data required for security and reliability (IP addresses, browser type, timestamps). We do not collect data beyond what is necessary to operate the Service.

Your data is used to provide and improve the Service, send transactional and operational emails (account alerts, scan reports, invoices), comply with legal obligations under EU law, and prevent fraud and abuse. We do not use your data for advertising. We do not sell your data to third parties.

We process your personal data under the following bases defined by GDPR Art. 6: performance of a contract (service delivery), legitimate interests (security monitoring, fraud prevention), legal obligation (tax and compliance records), and consent (where explicitly requested, e.g. marketing emails). You may withdraw consent at any time.

All data is stored and processed in the European Union. Our primary infrastructure is hosted in Frankfurt, Germany. We do not transfer personal data outside the EEA without adequate safeguards (Standard Contractual Clauses or equivalent). Sub-processors are contractually bound to equivalent data protection standards.

Account data is retained for the duration of your subscription plus 90 days after termination, during which you may request a full export. Billing records are retained for 7 years as required by Belgian accounting law. Scan result data is retained for 12 months on paid plans and 30 days on free plans.

Under GDPR, you have the right to access, rectify, or erase your personal data; to restrict or object to processing; to data portability; and to lodge a complaint with your national supervisory authority. To exercise any of these rights, contact privacy@groundcontrol.land. We respond within 30 days.

We use strictly necessary cookies for authentication and security. We do not use tracking or advertising cookies. No third-party analytics scripts are loaded on the marketing site without consent. You can disable cookies in your browser, but this will affect authentication functionality.

We use a limited set of sub-processors to deliver the Service: cloud infrastructure (Hetzner, Frankfurt), transactional email delivery, and payment processing (Stripe, governed by their own Privacy Policy and DPA). A full list of sub-processors is available on request.

We may update this policy when required by law or changes to our Service. Material changes will be communicated by email at least 30 days before they take effect. The date at the top of this page reflects the last revision.