Privacy Policy

bycordo.com

Effective Date: 1 April 2026

Last Updated: 1 April 2026

1. Who We Are

By Cordo is a Netherlands-based personal concierge and life management service. We offer dedicated personal assistant services primarily to clients in the United States and other English-speaking markets, supported by a custom client portal.

  • Business name: By Cordo
  • Legal form: Sole Proprietorship/Eenmanszaak
  • Location: The Netherlands
  • Contact email: info@bycordo.com
  • Website: bycordo.com

By Cordo acts as the data controller for personal data collected through our website (bycordo.com). When processing personal data on behalf of a client to deliver concierge services, By Cordo acts as a data processor under the terms of our Data Processing Addendum (DPA), which forms part of the Service Level Agreement.

2. What This Privacy Statement Covers

This privacy statement explains how By Cordo collects, uses, stores, and protects personal data when you:

  • Visit our landing page (bycordo.com)
  • Book or participate in an introductory call
  • Become a client and use our concierge services
  • Use the By Cordo client portal (portal.bycordo.com)
  • Communicate with us via email, portal chat, or other channels
  • Interact with us on social media

We apply European privacy standards (GDPR) to all users and clients, regardless of location. This is a deliberate choice and a core part of our values.

3. What Personal Data We Collect

3.1 Website Visitors

When you visit bycordo.com, we may collect:

  • Technical data: IP address, browser type, device type, operating system, screen resolution
  • Usage data: Pages visited, time spent on site, referring URLs, click behavior
  • Cookie data: See Section 11 (Cookie Policy) for details

We use Vercel Analytics to collect this data, which is not used to identify individual visitors. It is used in aggregate to understand how our website is used and to improve it.

3.2 Prospective Clients

When you express interest in our services or book an introductory call, we may collect:

  • Name and email address
  • Phone number (if provided)
  • Scheduling preferences (via Calendly)
  • Information you share during our introductory conversation

3.3 Active Clients

When you become a By Cordo client, we collect and process additional data necessary to deliver our services:

  • Identity data: Full name, email address, phone number, mailing address
  • Preferences: Optional details you may choose to provide to tailor your service (you can always opt out of sharing any specific detail): communication style, travel logistics (preferred airlines, hotels, seat preferences, loyalty programs), dietary preferences, important dates, and key contacts
  • Household and family data: Schedules, children's names and ages, school information, family contacts (only as provided by you and necessary for service delivery)
  • Financial data: Payment method details (processed and stored securely by Stripe; By Cordo does not store card numbers), billing address, transaction history
  • Task and request data: Details of tasks submitted through the portal, email, or chat, including notes, context, and task history
  • Communication data: Messages exchanged through the portal chat and emails between you and your assistant
  • Portal usage data: Login activity, feature usage, session data
  • AI preference data: Your opt-in or opt-out choices regarding AI-assisted features

3.4 Data We Do Not Collect

  • Data collected directly from children under 16; our services are directed at adults only and we do not knowingly collect data from minors as service users.
  • Special category data (racial or ethnic origin, political opinions, religious beliefs, biometric data, health data) as a matter of routine collection. Where you voluntarily share such data in the course of a task (for example, dietary requirements or health information relevant to travel), it is processed solely for that purpose and subject to the same protections described in this statement.
  • Data from third-party data brokers or data enrichment services.

We never purchase, trade, or otherwise acquire personal data from external sources.

4. Legal Basis for Processing

Under the GDPR, we must have a lawful basis for every processing activity. We rely on the following:

Legal Basis | What This Means | Examples
Contract | Processing is necessary to perform our agreement with you (Art. 6(1)(b) GDPR). | Delivering concierge services, managing tasks, processing payments, operating the portal.
Legitimate Interest | Processing is necessary for our legitimate business interests, balanced against your rights (Art. 6(1)(f) GDPR). | Improving our services, website analytics, fraud prevention, business administration.
Consent | You have given clear, informed consent for a specific purpose (Art. 6(1)(a) GDPR). | AI-assisted features (opt-in), marketing emails, non-essential cookies.
Legal Obligation | Processing is necessary to comply with a legal requirement (Art. 6(1)(c) GDPR). | Tax records, financial reporting, responding to lawful data access requests.

Where we rely on consent, you may withdraw it at any time by contacting us at info@bycordo.com. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Use Your Data

  • Service delivery: To provide, manage, and improve the concierge services you have requested, including task management, research, bookings, and coordination on your behalf.
  • Portal operation: To maintain your client portal account, enable task tracking, messaging, shared notes, calendar, and preference management.
  • Communication: To respond to your requests, provide task updates, send check-in messages, and coordinate with you.
  • Billing and payments: To issue invoices, manage your subscription, and process payment transactions via Stripe.
  • Service improvement: To understand how our services and portal are used, identify improvements, and develop new features. This is based on aggregated, non-identifying data.
  • AI-assisted features (opt-in only): Where you have opted in, to use AI tools for summarizing research and drafting communications. All AI outputs are reviewed by a human before reaching you.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

We will never use your data for purposes incompatible with those listed above without informing you and, where required, obtaining your consent.

6. AI & Automation

By Cordo may use artificial intelligence tools to enhance service delivery. Our approach is built on transparency and choice:

  • Opt-in, not opt-out: AI features are always presented as options. If you prefer zero AI involvement, you lose nothing in service quality.
  • Human oversight: Every AI-generated output is reviewed by your assistant before it reaches you. AI assists; it never decides on your behalf.
  • No data exploitation: Your data is never used to train AI models, never shared with third-party AI providers for their own purposes, and never monetized.
  • Transparency: During onboarding, we explain our AI usage. You can change your AI preferences at any time.

If we introduce new AI features, we will inform you before they affect your data and give you the opportunity to opt in or out.

7. Who We Share Your Data With (Subprocessors)

We do not sell, rent, or trade your personal data. We only share data with third-party service providers (“subprocessors”) who help us operate our business. Each subprocessor is contractually bound to process data only as instructed and in compliance with GDPR.

Subprocessor | Purpose | Data Processed | Location
Stripe | Payment processing and invoicing | Name, email, billing address, payment method | United States (SCCs / EU-US Data Privacy Framework)
Vercel | Website and portal hosting | Technical data, portal usage data, all portal content | United States (SCCs)
Supabase | Database hosting (portal data storage) | All portal data: tasks, messages, preferences, notes | EU / United States (SCCs)
Google Workspace | Business email and internal collaboration | Email content, attachments, contact details | EU / United States (SCCs)
Calendly | Scheduling introductory and client calls | Name, email, scheduling preferences | United States (SCCs)
Dropbox | Electronic signing of contracts and storage of all client-related files/documents | Name, email, signed documents, and all client-related files | United States (SCCs)
Dashlane | Internal password and credential management | No client data processed directly | EU / United States
e-boekhouden.nl | Accounting and bookkeeping | Invoice data, transaction amounts, client names | Netherlands (EU)
Resend | Email service provider | Name, email address, email content (transactional notifications and communications) | United States (SCCs)

SCCs = Standard Contractual Clauses, the EU-approved legal mechanism for transferring personal data to countries outside the European Economic Area. These clauses ensure that your data receives the same level of protection regardless of where it is processed.

We will update this list if we add or change subprocessors. Material changes will be communicated to active clients.

8. International Data Transfers

By Cordo is based in the Netherlands (EU). However, several of our subprocessors are based in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms that bind the receiving party to protect data to European standards.
  • Adequacy decisions: Where the European Commission has determined that a country provides adequate data protection.
  • Supplementary measures: Additional technical and organizational safeguards where required, such as encryption in transit and at rest.

We do not transfer data to countries or organizations that cannot demonstrate adequate protection. You may contact us at info@bycordo.com to request information about the specific safeguards in place for any transfer.

9. How Long We Keep Your Data

Data Type | Retention Period | Reason
Website analytics | 26 months (or shorter if configured) | Standard analytics retention; anonymized where possible
Prospective client data | 12 months after last contact | Follow-up opportunity; deleted if no engagement
Active client data | Duration of service relationship | Necessary for ongoing service delivery
Portal data (tasks, notes, messages) | 30 days after service termination | Grace period for reactivation; then deleted
Invoices and financial records | 7 years after transaction | Dutch tax law (Belastingdienst) requirement
Signed contracts and NDAs | 7 years after termination | Legal protection and compliance
Communication logs (email) | 30 days after service termination | Deleted alongside portal data

Upon termination of services, all personal data is deleted or anonymized within 30 days, except where retention is required by law (e.g., financial records). You may request earlier deletion at any time.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct any inaccurate or incomplete data.
  • Right to erasure (Art. 17): You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it.
  • Right to restrict processing (Art. 18): You can ask us to temporarily stop processing your data while we resolve a concern.
  • Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds.
  • Right to withdraw consent (Art. 7): Where processing is based on consent, you can withdraw it at any time.
  • Right to lodge a complaint: You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

To exercise any of these rights, contact us at info@bycordo.com. We will respond within 30 days. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.

Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl

11. Cookies

Our website may use cookies and similar technologies. Cookies are small text files stored on your device when you visit a website.

Types of cookies we may use:

  • Strictly necessary cookies: Required for the website to function (e.g., session management, security). These do not require consent.
  • Analytics cookies: Help us understand how visitors use our website (e.g., pages visited, time on site). Only placed with your consent.
  • Functional cookies: Remember your preferences (e.g., language, region). Only placed with your consent.

We do not use advertising or tracking cookies. We do not serve ads and we do not share cookie data with third parties for advertising purposes.

If analytics cookies are used, we will display a cookie consent banner on your first visit. You can manage your cookie preferences at any time through your browser settings or through the consent tool on our website.

12. How We Protect Your Data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encrypted data transmission (HTTPS/TLS) across all services
  • Encrypted data storage for sensitive information
  • Password management via Dashlane with unique, strong credentials
  • Two-factor authentication on all critical accounts and the portal
  • Invite-based portal access only; no public signup
  • Regular access reviews and principle of least privilege
  • Secure communication channels within the portal
  • Mutual NDA with every client as standard practice

In the event of a data breach that affects your personal data, we will notify you without undue delay and provide details of what happened and what steps we are taking. Where required, we will also notify the Dutch Data Protection Authority within 72 hours.

13. Children's Privacy

Our services are not directed at children under the age of 16. We do not collect personal data directly from children under 16. If you believe we have inadvertently collected such data, please contact us at info@bycordo.com and we will delete it promptly.

When clients share information about their children in the context of service delivery (e.g., school schedules, activity coordination), this data is processed solely for the purpose requested and is subject to the same protections described in this statement.

14. Third-Party Links

Our website may contain links to third-party websites or services (e.g., Calendly for scheduling, Stripe for payments). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy statements before providing any personal data.

15. Changes to This Privacy Statement

We may update this privacy statement from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes:

  • We will update the “Last updated” date at the top of this statement.
  • For active clients, we will notify you via email or portal notification.
  • For significant changes affecting your rights, we will seek your renewed consent where required.

We encourage you to review this statement periodically.

16. Contact Us

If you have questions about this privacy statement, your personal data, or wish to exercise any of your rights, please contact us:

info@bycordo.com
bycordo.com
The Netherlands

We aim to respond to all privacy-related inquiries within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl, or with your local supervisory authority.