Privacy statement.
SAIG processes personal data with care, exclusively for clearly defined purposes and no longer than necessary, in accordance with the General Data Protection Regulation (GDPR). This statement explains which data we process, why, on what legal basis, for how long, and what rights you have.
Last updated: 14 July 2026 · version 1.0
1. Data controller
Stichting ter Bevordering van AI-Geletterdheid (SAIG) is the data controller for the processing activities described in this statement.
- Organisation
- Stichting ter Bevordering van AI-Geletterdheid
- Address
- Marco Pololaan 16, 3526 GJ Utrecht, the Netherlands
- CoC
- 96795247
- contact@saig.nl
SAIG is a small organisation and is not legally required to appoint a data protection officer. You can direct privacy questions and requests regarding your data to contact@saig.nl.
2. What personal data we process
Depending on your relationship with SAIG, we process:
- Certificate holders. First and last name, certification level, registration reference, examination provider, issue and expiry date, scheme version, and the status of the certificate (active, expired or withdrawn).
- Underlying examination data. The examination result and the data required for the certification decision, provided by the recognised training or examination partner.
- Contact. Name, e-mail address and the content of your message when you contact us.
- Administrators. The e-mail address of staff with access to the management environment, solely for authentication.
- Website use. Strictly necessary, functional data; see the cookie statement.
3. Purposes and legal bases
We process your data only for the following purposes, each on a legal basis under Article 6 GDPR:
- Issuing and managing certificates and the register: performance of the contract with the certificate holder or their training partner, and our legitimate interest in a reliable, verifiable register.
- Verification of certificates by third parties: our legitimate interest, and that of the certificate holder, in the demonstrability of certificates obtained (Article 4 EU AI Act).
- Answering your enquiry: your consent, or our legitimate interest in handling contact requests.
- Secure access to the management environment: our legitimate interest in the security of the register.
- Compliance with legal obligations: compliance with a legal obligation, where one applies to us.
4. The closed register
The register is not a public list of names. A certificate may only be verified using the name and registration reference together, or via the QR code on the certificate. There is no searchable list and no raw data export. This follows the principles of data minimisation and purpose limitation: only someone who wishes to verify a certificate and already holds the details can check its validity.
5. Retention periods
We do not retain personal data for longer than is necessary for the purpose for which they were collected:
- Certificate and register data are retained for the validity period of the certificate and for up to five years after it expires or is withdrawn, so that issued certificates remain verifiable. After that we erase or anonymise these data.
- Underlying examination data are retained for at least one full certification cycle, in part to handle objections and appeals and for auditing the quality system.
- Contact data from the contact form are retained for as long as needed to handle your enquiry, and for a maximum of twelve months thereafter.
- Where a statutory retention obligation applies (for example the seven-year fiscal retention obligation for administrative data), we observe that period.
6. Processing and storage within Europe
SAIG processes and stores personal data exclusively within Europe. We deliberately work with European processors, with whom we have concluded data processing agreements:
- The register. The certificate register is hosted with Supabase, in a data centre within the European Union (EU).
- Contact form. Messages from the contact form are sent via Resend, with data region Ireland (EU).
- E-mail. Our e-mail environment runs with Infomaniak in Switzerland. Switzerland is covered by an adequacy decision of the European Commission and therefore offers a level of protection equivalent to that of the EU.
Beyond these processors, we do not transfer personal data to third countries.
7. Sharing with third parties
SAIG does not sell your data and does not share them with third parties for commercial purposes. We provide data only to the processors named above, to the extent necessary for their service, or where a legal obligation requires us to. Recognised training and examination partners supply examination data; they are themselves responsible for their own processing activities.
8. Security
We take appropriate technical and organisational measures to protect your data against loss, misuse and unauthorised access. These include encrypted connections (TLS), access to the management environment via personal authentication, and access on a need-to-know basis. Do you suspect a vulnerability or a data breach? Please report it via contact@saig.nl so that we can act quickly.
9. Cookies
By default our website places only strictly necessary, functional cookies. We place analytical or tracking cookies solely with your consent. See the cookie statement for the details.
10. Automated decision-making
Certification decisions are made on the basis of examination results assessed by people. SAIG does not use solely automated decision-making producing legal effects or similarly significant effects within the meaning of Article 22 GDPR.
11. Your rights
You have the right of access, rectification, erasure, restriction of processing, objection, and data portability. You may also withdraw consent you have given. Requests may be submitted via contact@saig.nl. To prevent misuse, we may ask you to identify yourself. We respond to your request within four weeks.
12. Complaints
Do you have a complaint about how we handle your data? Please contact us first via contact@saig.nl so that we can resolve it together. If we cannot reach a solution, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
13. Changes to this statement
We may amend this privacy statement when our processing activities or the applicable rules give cause to. The current version is always available on this page; the date and version number at the top indicate when the text was last amended.