Privacy policy.

1. Data Controller

The data controller for this website and associated services is:

• Company: WLKNSN bv
• Country: Belgium
• Email: hello@afdinstitute.com
• Website: afdinstitute.com

WLKNSN bv operates the AFD Institute website, learning portal, certification programme, and related services (collectively, the "Services").

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Data you provide directly

• Account information: name, email address, password (stored as a cryptographic hash — we never store plaintext passwords)
• Billing information: billing name, address, VAT number (where applicable). Card and payment details are handled directly by our EU payment processor (Mollie) and never touch our servers.
• Profile information: job title, organisation, professional background (optional)

2.2 Data generated through use of the Services

• Course progress: module completions, time spent, bookmarks
• Quiz attempts: answers submitted, scores, timestamps
• Certification records: tier achieved, issue date, expiry date, certificate ID

2.3 Data collected automatically

• Technical data: IP address, user agent (browser type and version), device type, operating system
• Usage data: pages visited, referral source, session duration

3. Purposes and Legal Basis for Processing

We process your personal data only where we have a lawful basis under the General Data Protection Regulation (GDPR). The table below sets out each purpose and its corresponding legal basis.

3.1 Performance of a contract (Article 6(1)(b) GDPR)

• Creating and managing your account
• Delivering course content and tracking your progress
• Issuing and verifying certifications
• Processing payments and generating invoices
• Providing customer support related to your purchases

3.2 Legal obligation (Article 6(1)(c) GDPR)

• Retaining invoices and financial records for 10 years as required by Belgian tax law
• Responding to lawful requests from regulatory authorities

3.3 Consent (Article 6(1)(a) GDPR)

• Sending marketing emails and newsletters
• Placing non-essential cookies (if introduced in future)

You may withdraw consent at any time by clicking the unsubscribe link in any marketing email, or by contacting us at hello@afdinstitute.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3.4 Legitimate interest (Article 6(1)(f) GDPR)

• Monitoring and improving the security of our Services
• Preventing fraud and abuse
• Analysing aggregated usage patterns to improve the platform
• Maintaining audit logs for system integrity

4. Recipients and Data Processors

We share your personal data with the following third-party processors, each bound by a Data Processing Agreement (DPA):

• Supabase (self-hosted, EU) — Database hosting and user authentication. Data remains within our own infrastructure hosted in the European Union.
• Mollie B.V. (Netherlands, EU) — Payment processing. Mollie processes card and payment details directly; data remains within the European Union.
• Brevo (France, EU) — Marketing email delivery. Data remains within the European Union.
• Hetzner Online GmbH (Germany, EU) — Hosting of the website, application, and database, and TLS termination. Data remains within the European Union.

We do not sell, rent, or trade your personal data to any third party. We do not transfer data to countries outside the EU/EEA unless adequate safeguards (such as SCCs) are in place.

4A. AFD Knowledge MCP

We operate the AFD Knowledge MCP — a free, registration-gated Model Context Protocol server at mcp.afdinstitute.com that lets an AI assistant (such as Claude, GitHub Copilot, or Cursor) query the AFD methodology, and optionally contribute a case study. Registering for the MCP creates a separate, lightweight identity — an email address and a hashed API key — and is not the same as a portal account. The data we process for that service (your registration email, the API-key hash, usage logs, and any case you choose to contribute) is described in the dedicated AFD Knowledge MCP Privacy Notice, which supplements this policy. Contributing a case through the MCP requires a full portal account and is additionally governed by the AFD Contribution Licence.

5. Retention Periods

We retain personal data only for as long as necessary for the purposes described above:

• User profiles: retained until you request deletion, plus 30 days for backup removal
• Enrolment and course progress data: 7 years after last activity
• Orders and invoices: 10 years (Belgian legal requirement)
• Consent records: 5 years after consent is revoked
• Audit logs: 2 years
• CRM leads and enquiries: 2 years from last contact

After the applicable retention period expires, data is securely deleted or anonymised.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): request a copy of the personal data we hold about you
• Right to rectification (Article 16): request correction of inaccurate or incomplete data
• Right to erasure (Article 17): request deletion of your personal data ("right to be forgotten")
• Right to data portability (Article 20): receive your data in a structured, machine-readable format
• Right to restriction (Article 18): request that we limit the processing of your data
• Right to object (Article 21): object to processing based on legitimate interests
• Right to withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at hello@afdinstitute.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

7. Automated Decision-Making

Quiz grading within the learning portal is performed automatically based on predefined correct answers. This automated scoring determines whether you pass or fail a certification assessment. You may request a manual review of any assessment result by contacting us.

We do not engage in automated profiling that produces legal or similarly significant effects.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Password hashing using industry-standard algorithms
• Row-level security (RLS) policies on all database tables
• Regular security audits and access reviews
• Nightly encrypted backups with 30-day retention

9. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Belgian Data Protection Authority:

• Autorité de protection des données / Gegevensbeschermingsautoriteit
• Rue de la Presse 35 / Drukpersstraat 35
• 1000 Brussels, Belgium
• Website: www.dataprotectionauthority.be

12. Contact

For any questions or requests regarding this privacy policy or your personal data, contact us at:

• Email: hello@afdinstitute.com
• Company: WLKNSN bv, Belgium