Privacy Policy

Tooli
(Last updated: November 1, 2025)

1. About This Policy

This Privacy Policy (the “Policy”) describes how we (as defined below) collect, share, and use any information that, used alone or in combination with other information, relates to you (“Personal Data”) when you (“you” and “your”, “User”) create an account to access the intelligent legal assistant (“Tooli”) made available to you on the website https://tooli.be/. The Policy also applies to account access management, collection of aggregated data for statistical or tracking purposes, and communication of information relating to Tooli’s activities and operation. For Personal Data we collect outside of Tooli, please refer to our Personal Data Protection Policy available at: https://www.Buildwise.be/fr/expertise-soutien/dispositions-legales/#confidencialite. Please take the time to carefully read this Policy. If you have questions or comments, please contact our data protection officer at: [email protected].

Data Controller and Processor Roles

For the purposes of this Policy, Buildwise, headquartered at Kleine Kloosterstraat 23, 1932 Zaventem, registered with the Belgian Crossroads Bank for Enterprises under number 0407.695.057, (“Buildwise”, “we”, “our”) acts as data controller for Personal Data collected to offer its service, Tooli. However, the User acts as data controller under applicable data protection legislation regarding the use of Tooli and all data they integrate into it. In this context, Buildwise acts as data processor. This Policy sets out Buildwise’s commitments regarding data protection and the measures implemented to guarantee the security and confidentiality of your personal data. It also specifies the rights you have in this regard and the practical procedures for exercising them with us.

2. Categories of Data Collected and Purposes

The types of Personal Data we collect and the reasons we process them include:
Processing Purpose | Types of Data Processed | Legal Basis
User account creation and management | Name, surname, professional email address, password, organization/profession | Contract execution
Secure access and Tooli maintenance | Technical and connection data (logs, identifiers) | Legitimate interest (security and operation)
Experience improvement and platform development | Aggregated usage data, interactions, usage statistics | Legitimate interest
Statistical analysis and growth measurement | Aggregated tracking and internet connection data | Consent
Response to requests or assistance | Name, surname, email, message content | Legitimate interest (user support)
Communication of information or news | Name, surname, professional email | Consent, legitimate interest
If we request other Personal Data not mentioned above, we will clearly indicate, at the time of collection, the nature of the information requested and the reasons for the request. Some Personal Data may also be obtained indirectly, for example when a User associates you with their account to allow you access to their space.

Automatically Collected Technical Information

We may automatically collect certain technical information related to your device, including:
  • IP address
  • Device type used
  • Unique identifiers
  • Browser type
  • Approximate location (country or city)
  • Other technical data
We may also collect information about your interaction with Tooli, such as pages viewed or links selected. This data helps us better understand Tooli users’ profiles, their origin, and content that interests them. It’s used for internal analysis and to improve Tooli’s relevance and overall experience. Some of this information may be collected through cookies or similar technologies, in accordance with our Cookie Notice available at [link].
Personal Data collected is used only for the purposes described in this Policy or those brought to your attention at the time of collection. We may process it for other purposes, provided they are compatible with initially communicated purposes and authorized by applicable data protection legislation.

3. Recipients of Your Personal Data

We may transmit your Personal Data to the following categories of recipients:

Technical Providers & Subcontractors

Developers, hosts, analytics tool providers, or support providers acting under strict Buildwise instructions. We require these subcontractors to process Personal Data strictly according to our instructions and take appropriate measures to ensure Personal Data remains protected.

Authorities or Public Bodies

Any competent law enforcement body, regulator, government agency, court, or other third party when we believe disclosure is necessary under applicable laws or regulations, or to establish or defend our rights, or to protect your vital interests or those of any other person.

External Advisors

Auditors, advisors, legal representatives, and similar agents in the context of advisory services they provide to us and subject to confidentiality commitments.

Authorized Third Parties

Any other person provided you have given prior consent to disclosure.

4. Protection Principles

In accordance with this Policy, we will process Personal Data as follows:
  • Personal Data will be processed fairly and transparently. We commit to clearly inform about processing methods and act in compliance with applicable legislation.
  • No processing will be carried out without a valid legal basis; any use of Personal Data will rest on a legal foundation.
  • Personal Data will only be collected and processed for specific, explicit, and legitimate purposes. They will not be subject to any subsequent use incompatible with these initial purposes.
  • Data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  • We implement reasonable measures to ensure Personal Data is accurate, complete, and regularly updated when needed. However, you remain obliged to notify us without delay of any changes or inaccuracies to maintain the accuracy of your information.
  • Personal Data is processed to ensure its security, including protection against unauthorized access, unlawful processing, loss, destruction, or accidental damage, through appropriate technical and organizational measures.
  • Buildwise assumes responsibility for compliance with these principles and is able to demonstrate, at any time, the compliance of implemented processing, notably through maintaining adequate documentation, establishing internal procedures, and conducting impact analyses or compliance audits when required.

5. Security

We use appropriate technical and organizational measures to protect the Personal Data we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data.

Security Measures Include:

Data Encryption

In Transit & At Rest: All communications protected by HTTPS/TLS (TLS 1.3, with TLS 1.2 support if necessary). Data encrypted at rest.

Environment Isolation

Strict Tenant Isolation: Each organization’s data (conversations, configurations, user accounts, audit logs, MCP connections) is logically separated and protected against inter-tenant access.

Secure Credential Management

Protected Authentication: Passwords are hashed (bcrypt), access tokens (JWT) are cryptographically signed, and sensitive keys/APIs are never stored in plain text.

Enhanced Authentication

Limited Session Duration: Short-duration access tokens and rotating refresh tokens limit risks. We support local authentication, Buildwise SSO, Google Authentication, and Azure AD/Entra ID.

Additional Security Features

  • Access Controls
  • Audit & Monitoring
  • Abuse Prevention
  • External Testing
Principle of Least Privilege: Each user, agent, or tool can only operate within the limits of permissions explicitly assigned to them. No internal mechanism allows AI to bypass authorizations.
Ephemeral Data Processing by Model Providers: When an external model (Azure, AWS Bedrock, Google) is used, data is processed only in memory and is never retained or reused for training.

6. International Data Transfers

Your Personal Data may be transferred to and processed in countries other than where you reside. These countries may have data protection laws that differ from your own country’s laws and, in some cases, may be less protective.

EU Hosting

Primary Location: Our servers are located within the European Economic Area (EEA).

Third Country Transfers

Protected Transfers: Some service providers may be established outside the EEA. We ensure these transfers comply with GDPR Chapter V and guarantee adequate protection.

Transfer Safeguards

We use one or more of the following mechanisms:
  • European Commission adequacy decision
  • Standard contractual clauses adopted by the European Commission, with additional measures if necessary
  • Any other appropriate safeguards provided by GDPR
We do not transfer any data outside the EEA without implementing these safeguards and ensuring data subjects have enforceable rights and effective remedies.

7. Data Retention

We retain Personal Data we collect from you when we have a legitimate business need (for example, to provide a service you requested or to comply with applicable legal requirements).

Retention Periods:

Account Management

2 years from last activity

Support Requests

2 years after last contact date

User Experience Improvement

[x] years from last activity

Statistical Analysis

[x] years from last activity
When we no longer have a legitimate business need to process your Personal Data, we anonymize it, delete it, or if deletion is not possible (for example, your Personal Data has been stored in backup archives), we securely store and isolate it from any other processing until deletion becomes possible.

8. Your Data Protection Rights

You have the following data protection rights, which you can exercise by contacting us at [email protected]:
  • You may request access to your Data, correct it if inaccurate, update it, or request its deletion.
  • In certain circumstances, you may object to processing of your Data, request limitation of their use, or seek portability of your Data to yourself or a third party.
  • If you have concerns about how we process your Data, we invite you to contact us first. If you feel your request has not been sufficiently addressed, you have the right to lodge a complaint with the competent supervisory authority.

Contact the Data Protection Authority

Belgian Data Protection Authority
Rue de la Presse 35
1000 Brussels
Phone: +32 (0)2 274 48 00
Email: [email protected]
Website: www.autoriteprotectiondonnees.be
We respond to all requests we receive from individuals wishing to exercise their Personal Data protection rights in accordance with applicable data protection laws.

9. Policy Updates

We may revise this Policy from time to time to account for evolving legal, technical, or organizational requirements. In case of substantial changes, we will take appropriate measures to inform you, depending on the nature and impact of the changes. The date of the last update appears at the top of this Policy and allows you to verify the most recent version.

10. Contact

If you have questions about the processing of your Personal Data or wish to exercise your rights, please contact us by email at [email protected].

Data Protection Officer

Email: [email protected]
Subject: Data Protection Inquiry - Tooli