Privacy Policy
Last updated: April 20, 2026 (rev. 3)
1. Controller
Ned Karlovich, operating under the name Atelier de Commerce (provider of the Ardor service)
Stettineiland 21, 1014 ZE Amsterdam, The Netherlands
CoC No. 34390253 · VAT ID NL002462276B15
Contact: /contact
2. Overview of Data Processing
We process personal data only to the extent necessary to provide our services. Processing is carried out on the basis of the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet AVG.
3. Access Data and Hosting
This website is hosted by Vercel Inc. (San Francisco, USA). Each time a page is accessed, the following data is automatically transmitted by the browser and stored in server log files:
- IP address (server logs deleted after 30 days)
- Date and time of access
- Requested page and referrer URL
- Browser type and operating system
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure provision of the website). Vercel processes data in accordance with the EU-US Data Privacy Framework.
4. Report Ordering (Wizard)
When you order a BAFA waste heat report through the wizard, we collect the following data:
- Name and address of the data center
- Technical facility data (IT rated capacity, cooling type, PUE, year of construction)
- GPS coordinates of the location
- Email address for report delivery
- Payment data (processed by Stripe, not stored on our servers)
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The data is used for the creation and delivery of the commissioned report and is retained for the duration of the Dutch tax retention obligation (7 years, Art. 52 AWR) for invoice-related data. As a German operator, you may be subject to your own 10-year retention obligation under Section 257 HGB for the received report.
5. Interactive Heat Map
The heat map at /products/heatmap uses Mapbox GL JS. When the map loads, your IP address is transmitted to Mapbox Inc. (USA) to retrieve map tiles (api.mapbox.com). Mapbox processes data in accordance with the EU-US Data Privacy Framework. Mapbox telemetry (events.mapbox.com) is blocked via our Content Security Policy; no usage events are sent to Mapbox.
When you click on a facility, an AI-powered district heating analysis is generated. Your IP address is temporarily processed to enforce rate limiting (1 analysis per IP per facility per hour). The IP address is not stored permanently.
The analysis is generated via the Anthropic API (Claude, Anthropic PBC, USA). Only publicly available facility data is transmitted to Anthropic; no personal data is shared. Anthropic processes data on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing an interactive map view). No automated decision-making within the meaning of Art. 22 GDPR takes place — the analysis is an informational indication, not a decision with legal or similarly significant effect.
6. Email Collection
On certain pages (e.g. /products/feasibility, /products/marketplace) we offer the option to leave an email address for notifications. The address is used exclusively for the stated purpose and is not shared with third parties.
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by emailing contact@ardor.institute.
7. Payment Processing
Payment processing is handled by Stripe Inc. (USA). Your payment data (card number, expiration date, CVC) is processed directly by Stripe and does not reach our servers. Stripe is PCI DSS Level 1 certified and processes data in accordance with the EU-US Data Privacy Framework.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
7a. Database and User Accounts
Account data (email address, company name, contact person) and report contents are stored in a PostgreSQL database hosted by Supabase Inc. (US-based company). Data is hosted in the eu-west-1 region (Dublin, Ireland). In normal operations, no personal data is transferred outside the EU; support and administrative access by Supabase is subject to EU Standard Contractual Clauses (Art. 46(2)(c) GDPR, Module 2 — Controller to Processor) as well as supplementary technical safeguards (TLS 1.2 in transit, AES-256 at rest, FIPS 140-2 HSM-secured key management). Supabase has conducted the Transfer Impact Assessment required under Schrems II and makes it available upon request.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The retention period is determined by the Dutch retention obligation for business records (7 years, Art. 52 AWR) for invoice- and account-related data.
7b. Transactional Emails
For sending transactional emails (e.g. report completion, team workspace invitations, password reset), we use Resend Inc. (USA). Only the recipient email address, sender, subject, and email content are transmitted.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Resend processes data on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
7c. PDF Report Generation
The generation of the BAFA report as a PDF document is performed by a dedicated service hosted on Railway Corp. (US-based company) with deployment in the EU (Amsterdam, GCP europe-west4). The facility data collected in the wizard and the operator contact details are transmitted for document generation. The generated PDF files are temporarily stored in Vercel Blob (EU region) and deleted within 30 days after retrieval by the operator, unless a retention obligation applies.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Railway processes data on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
7d. Marketplace — Supplier Side
Operators may optionally make their facility data visible on the Ardor marketplace to be contacted by verified heat offtakers. Participation is voluntary and can be revoked at any time.
By default, only aggregated, pseudonymized facility data is displayed in search results (region, size class, cooling type, feasibility grade). The facility name and operator contact details are disclosed to the requesting offtaker only upon explicit approval by the operator in the context of a specific matchmaking request.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for the masked base listing; Art. 6(1)(a) GDPR (consent) for the disclosure of identifying data in the context of a matchmaking request. Listings are deleted within 30 days of account closure or revocation.
7e. Marketplace — Buyer Side
Verified heat offtakers (e.g. district heating operators, industrial heat customers) may subscribe to a paid plan to use search features and submit matchmaking requests. The following data is processed: name, email address, company name, optional phone number, subscription tier, and logs of submitted matchmaking requests.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Subscription payment processing is handled by Stripe (see Section 7). Data is retained for the duration of the subscription and seven years after its termination, insofar as it pertains to invoice- or account-related content (Art. 52 AWR).
8. Cookies and Local Storage
This website does not use tracking cookies or analytics services (no Google Analytics, no Matomo, no comparable tools).
The wizard stores your progress in your browser's localStorage so you can resume an interrupted session. This data remains exclusively on your device and is not transmitted to our servers.
Mapbox sets technically necessary cookies for map rendering. These are required for the heat map to function and are not used for tracking purposes.
9. Third-Party Providers
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Vercel | Vercel Inc., USA | Hosting | vercel.com/legal/privacy-policy |
| Supabase | Supabase Inc., USA (infrastructure EU-Ireland) | Database, authentication | supabase.com/privacy |
| Railway | Railway Corp. (US), deployment in EU (Amsterdam) | PDF report generation | railway.com/legal/privacy |
| Resend | Resend Inc., USA | Transactional emails | resend.com/legal/privacy-policy |
| Mapbox | Mapbox Inc., USA | Map rendering, geocoding | mapbox.com/legal/privacy |
| Anthropic | Anthropic PBC, USA | AI analysis (Claude) | anthropic.com/privacy |
| Stripe | Stripe Inc., USA | Payments | stripe.com/privacy |
| Zoho Mail | Zoho Corp. (IN), mailbox hosting in EU (NL) | Email mailbox contact@ardor.institute | zoho.com/privacy.html |
All US-based providers process data in accordance with the EU-US Data Privacy Framework or on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
10. Your Rights
Under the GDPR, you have the following rights:
- Access to your stored data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure of your data (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
To exercise your rights, please contact contact@ardor.institute. You also have the right to lodge a complaint with a supervisory authority. Competent authority: Autoriteit Persoonsgegevens (AP), The Hague, The Netherlands.
11. Changes
We reserve the right to amend this privacy policy as needed to reflect changes in legislation or modifications to our service. The current version is always available on this page.