Privacy policy
Last updated June 11, 2026
Framed is operated by Solutions Lab Holding B.V., a Dutch company registered with the Chamber of Commerce (KvK) and subject to the GDPR. This page explains, in plain language, what we process, why, where it lives, and what your rights are.
The two roles we play
For your account (name, email, billing, the marketing site and contact form) we are the controller: we decide why and how that data is processed.
For your workspace content — chats, uploads, insights, documents, memory, data from tools you connect — your organisation is the controller and we act as a processor on its instructions. A data processing agreement (DPA) covering this, including the complete named subprocessor register, is available to every business customer on request via the contact page.
What we process
- Account data — name, email address, hashed password, role, language preference.
- Workspace content — everything you or your team put into a workspace: chat conversations, uploaded files and the text we extract from them, generated documents and briefings, workspace memory, agent configuration.
- Connected-tool data — when you connect a tool (e.g. analytics, e-commerce, chat), we process the data those integrations return, strictly to do the work you configure. OAuth tokens are held by our integration platform; Framed stores only a reference, never the token itself.
- Usage & billing metadata — per-action usage records (which feature, which model tier, token counts, cost) used for billing, abuse prevention and the audit trail your admins can see. Plus payment data handled by Stripe — we never see or store card numbers.
- Contact form — name, email, company and your message, forwarded by email to our team so we can respond.
The marketing site sets no advertising or tracking cookies. The app uses only what is strictly necessary to keep you signed in.
How AI processing works
Framed sends your content to leading AI models — Anthropic's Claude and Google's Gemini — to do the work you ask for: answering in chat, drafting documents, running the agents you schedule. Under our agreements with these providers, your content is never used to train their models.
Model requests are routed through a specialised AI gateway under EU-approved safeguards (Standard Contractual Clauses). Model inference may take place outside the EU today; EU-resident inference is on our published roadmap (see Security). Your data at rest never leaves the EU.
The AI only reads what the requesting user is allowed to see — model retrieval runs under the same row-level permissions as the person asking. AI-generated deliveries (email, chat-channel messages) are labeled as AI-generated.
Where your data lives, and who helps us run Framed
All workspace data is stored in the EU (Stockholm, Sweden), isolated per account with row-level security and encrypted in transit and at rest. The services below process data on our behalf; transfers outside the EU are covered by Standard Contractual Clauses and documented transfer assessments.
| Purpose | Provider | Region & notes |
|---|---|---|
| Database, authentication & file storage | EU cloud database platform | EU (Stockholm, Sweden) |
| AI models | Anthropic (Claude) · Google (Gemini) | US / global — never used for training |
| AI request routing | Specialised AI gateway | US |
| Scheduled web research | Web research API | US |
| Connected tools (OAuth) | Integration platform — holds the tokens you authorise | US |
| Browser automation (sources you configure) | Browser automation service | US |
| Background job scheduling | Job orchestration platform | US |
| Email delivery | Transactional email service | US |
| Payments & invoicing | Stripe | US / EU (PCI-DSS — we never see card numbers) |
| Application hosting (static app delivery) | Cloud hosting platform — no workspace data stored here | US provider |
| Public procurement feeds | TenderNed / TED (public EU data, outbound queries only) | EU |
We notify business customers at least 30 days before adding or replacing a subprocessor (see the DPA).
Legal bases & purposes
- Contract — operating your account and workspaces, support, billing.
- Legitimate interest — service security, abuse prevention, aggregate product improvement (never model training), responding to contact-form enquiries.
- Legal obligation — financial record-keeping, responding to lawful requests.
We do not sell personal data. We do not run third-party advertising.
Retention & deletion
Workspace content is kept for as long as the workspace exists, so your team's context keeps compounding — that is the product. Delete a workspace, or end your agreement, and its content is deleted. After termination you have 30 days to retrieve your data (use the self-service export in Settings → Team at any time), after which it is erased. You can also ask us to delete specific data at any point. Billing records are kept as long as Dutch financial law requires.
Your rights
Under the GDPR you can ask for access, correction, deletion, restriction, portability, or object to processing. Workspace members can export their workspace's data themselves (Settings → Team → workspace data). For anything else, write to loek@solutionslab.net or use the contact page; we respond within 30 days. If you process data in Framed on behalf of your employer or client, we may route your request to them as controller. You can complain to the Dutch DPA (Autoriteit Persoonsgegevens) at any time.
If something goes wrong
We notify affected business customers of a personal-data breach within 24 hours of confirming it — faster than the GDPR requires of us — with what we know, what we're doing, and what you may need to do.
Changes & contact
We'll announce material changes to this policy to account admins before they take effect. Questions: loek@solutionslab.net · Solutions Lab Holding B.V., the Netherlands.