Robert is an EU policy intelligence service operated from Belgium. We take data protection seriously and comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. This policy explains what data we collect, why, and what rights you have.
Robert has two audiences. General EU policy coverage is freely accessible without an account; no personal data is collected or processed for these visitors. The specialist intelligence service requires an account, and the data practices below apply to registered users.
Data we collect
Account data
When you create an account we store your email address, name, and a hashed password. This is the minimum required to provide the service. We never store passwords in plain text.
Service data
As you use Robert, we store your email delivery preferences, subscription tier, and any corrections or feedback you submit. This data is necessary to deliver personalised briefings and improve analytical quality.
Waitlist data
If you join our waitlist, we store your email address until you are invited or request removal.
What we do not collect
- No analytics or tracking scripts (no Google Analytics, no pixels)
- No advertising data or ad-related cookies
- No third-party tracking of any kind
- No browsing behaviour outside of the Robert application
- No personal data about public figures beyond their professional roles and public statements
Cookies & local storage
Robert uses only strictly necessary cookies and local storage. Under the ePrivacy Directive, these do not require consent because the service cannot function without them.
| Name | Type | Purpose | Expiry |
|---|---|---|---|
| authjs.session-token | Cookie | Keeps you signed in (HTTP-only, secure) | 8 hours |
| authjs.csrf-token | Cookie | Protects against cross-site request forgery | Session |
| theme | Local storage | Remembers your light/dark mode preference | Persistent |
That is everything. No marketing cookies, no analytics cookies, no third-party cookies.
Legal basis for processing
| Data | Basis (GDPR Art. 6) |
|---|---|
| Account data (email, name) | Contractual necessity (Art. 6(1)(b)) |
| Session cookie | Contractual necessity (Art. 6(1)(b)) |
| Preferences & feedback | Contractual necessity (Art. 6(1)(b)) |
| Public EU data (legislation, proceedings) | Legitimate interest (Art. 6(1)(f)) |
| Waitlist email | Consent (Art. 6(1)(a)) |
Data sharing & sub-processors
We share data only with the service providers necessary to operate Robert:
- Anthropic & Google: AI model providers. We send publicly available policy content to these services for analysis. No personal user data is included in AI requests.
- Resend: transactional email delivery. Receives your email address to deliver briefings and account notifications.
- GCP (Google Cloud Platform): infrastructure hosting in the europe-west1 region (Belgium).
We do not sell, rent, or share your data with advertisers, data brokers, or any party not listed above.
Data retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Report history | 12 months, then archived |
| System logs | 6 months (detailed), then anonymised aggregates |
| Audit logs | 24 months, then anonymised |
| Inactive accounts | 12 months inactivity triggers notification, 30-day grace, then deactivation |
Your rights
Under the GDPR, you have the right to:
- Access: request a copy of all data we hold about you
- Rectification: correct inaccurate personal data
- Erasure: request deletion of your account and all associated data
- Data portability: receive your data in a structured, machine-readable format
- Object: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent (e.g. waitlist)
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
Email communications
Robert sends briefings, alerts, and account notifications by email. You can manage your email preferences in Settings or unsubscribe from any email using the link in its footer. Account-critical notifications (e.g. password resets, security alerts) cannot be disabled.
Security
All traffic is encrypted via HTTPS. Passwords are hashed using bcrypt. Session tokens are HTTP-only and secure. The application enforces a strict Content Security Policy that blocks third-party scripts. Infrastructure is hosted in the EU (Belgium, europe-west1).
Contact
For privacy-related questions or to exercise your rights, contact us at privacy@brusselsbot.eu.
If you believe your data protection rights have not been addressed, you have the right to lodge a complaint with your national data protection authority. In Belgium, this is the Data Protection Authority (Autorité de protection des données).
For information about our data collection practices, AI-generated content disclaimers, and intellectual property, see our Legal Notice.