Privacy policy
Date: May 2026
1. Who processes your personal data?
1.1. Abbove SA, a public limited company under Belgian law, having its registered office at Cours Saint-Michel 30a, 1040 Etterbeek (Belgium) and registered with the Crossroads Bank for Enterprises under company number 0678.616.849 (the "Company", "we", "us", "our") processes personal data relating to the users of the wealth management Platform that it has developed (the "Platform"), representatives of its clients, representatives of its suppliers, candidates for work with the Company, visitors of the Company’s website, visitors to the Company workplaces and other persons concerned (the "persons concerned", "you", "your", “data subject”).
1.2. This privacy policy (the "Policy") applies to any processing by the Company of your personal data.
2. What is our commitment to data protection?
2.1. The Company undertakes to use its best efforts to ensure that its personal data processing activities comply with applicable data protection legislation, including EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, as amended, supplemented or replaced from time to time (the "Applicable Data Protection Legislation").
3. For what purposes do we process your personal data?
3.1. If you are a data subject (i.e. any person concerned by data processing carried out through the Platform), we process the following categories of personal data, in particular for the purposes described below:
● Your personal identification data, your telephone number and your e-mail address to identify you on the Platform;
● Your family composition to feed a family structure;
● Your financial and patrimonial data to complete the patrimonial and donation inventory and to feed our financial projection tool, our reporting tool and our inheritance simulator;
● Your personal data included in the files (for example, contracts or certain official documents concerning yourself) for secure hosting in the Platform's digital safe.
3.2. If you are a user of the Platform, we process the following categories of personal data, in particular for the purposes described below:
● Your personal identification data, telephone number and e-mail address, to create your user profile on the Platform;
● Your telephone number and e-mail address to enable our support team to contact you for support activities or to contact you for marketing and/or transactional communications;
● Your electronic identification data to authenticate you on the Platform, for the activation, suspension and withdrawal of user accounts and for the detection and prevention of fraud and computer security breaches;
● Your bank details to check the payment of invoices related to your use of the Platform (only insofar as you are also a Platform subscriber).
3.3. If you are the representative of one of our customers or prospects, we process your personal identification data, your professional identification data and your contact data (telephone number, email address, etc.) to contact you for the provision of our services, to send you order forms, to organise business meetings or to develop our business relationship.
3.4. If you are a representative of one of our suppliers, we process your personal identification data, your professional identification data and your contact data (telephone number, email address, etc.) for the management of our business relationship.
3.5. If you are a candidate for a job with the Company, we process your personal identification data, professional identification data and data relating to your professional life (skills, qualifications, experience, etc.), to assess your profile in relation to our recruitment needs.
3.6. If you visit our website, we process electronically identifying data about you in aggregate form to measure traffic on our website, to improve the browsing experience and for the detection and prevention of fraud and computer security breaches.
3.7. If you visit our workplaces, we are able to request access to images of you recorded by surveillance cameras only where such access is necessary to pursue our legitimate interest in detecting offences or incivilities and to the extent permitted by applicable law. The surveillance cameras installed in the building where our premises are located are operated and controlled exclusively by the building owner, who acts as data controller for this processing. Abbove SA is not responsible for this monitoring and does not hold or directly access the footage; images may only be accessed by Abbove upon specific request to the building owner, where strictly necessary (for example, in the context of a security incident or theft). Compliance obligations under the Belgian Camera Surveillance Act (Loi sur la surveillance par caméras / Wet op de camerabewaking) of 21 March 2007 as amended by the Law of 21 March 2018 — including registration with the competent local police zone and display of notification pictograms — rest with the building owner as controller of this processing.
3.8. We may also process your personal data:
● To carry out company restructuring operations;
● For the performance of internal and external audits;
● For the management of disputes with customers, suppliers and other data subjects and when the processing is necessary for the establishment, exercise or defence of a legal claim.
3.9. The processing of personal data in the context of company restructuring operations and voluntary internal or external audits is based on the Company’s legitimate interests within the meaning of Article 6(1)(f) GDPR, in particular to ensure sound corporate governance, business continuity, and effective risk management.
3.10. Where internal or external audits are required by applicable law, the related processing of personal data is carried out on the basis of the Company’s legal obligations pursuant to Article 6(1)(c) GDPR, in order to comply with statutory audit, accounting, or regulatory requirements.
3.11. The processing of personal data for the management of disputes and, when necessary, for the establishment, exercise or defence of legal claims is carried out on the basis of the Company’s legitimate interests in establishing, exercising or defending legal claims.
3.12. The Company does not subject data subjects to decisions based exclusively on automated processing that produces legal effects concerning them or affects them in a similarly significant way.
4. In what capacity do we process your personal data?
4.1. We process your personal data in the capacity of data controller, with the exception of processing that we carry out when we provide the Platform to clients in the context of their wealth and financial management consulting activities. In this case, we process your personal data (in particular personal identification data, telephone number, e-mail address, postal address, bank details, identification data, family composition and financial and asset data of the data subjects and/or users as well as the personal data of the data subjects contained in the files saved in the Platform) in the capacity of processor on behalf of our clients and in accordance with their instructions.
4.2. However, we process in our capacity as data controllers the electronic identification data of users for the purposes of authenticating them on the Platform, for the activation, suspension and withdrawal of their accounts and for the detection and prevention of fraud and computer security breaches.
5. On what basis do we process your personal data?
5.1. The provision of your personal data may be necessary:
● For the execution of a contract to which you are a party (for example, the contract for the supply of the Platform) or for the execution of pre-contractual measures taken at your request (for example, in the event of solicitation for work with our human resources team);
● For compliance with a legal obligation applicable to the Company (e.g. invoicing, fraud detection, building security, taxation, etc.);
● For the purposes of the legitimate interests pursued by the Company (or a data recipient) provided that these interests take precedence over your fundamental rights and freedoms. These interests specifically include:
- (i) securing our IT systems and preventing cyberattacks or unauthorised access;
- (ii) detecting and preventing fraud;
- (iii) defending against or exercising legal rights in litigation or pre-litigation disputes;
- (iv) ensuring business continuity in the context of corporate restructuring, merger or acquisition operations; and
- (v) ensuring the physical security of our premises and their occupants.
5.2. In some situations, the Company can rely on the consent you give us for processing your personal data. Consent is a ground for processing where you reach out to us through the contact form on our website, accept any cookies upon visiting our Website or Platform, or agree to receive a newsletter and/or advertisement.
5.3. We ask for your prior, freely given, specific, informed and unambiguous consent before processing some of your personal data (e.g. the use of photographs of you for corporate communications, the use of your email address for marketing purposes if you are not yet a user with us, etc.).
5.4. The provision of certain types of your personal data (e.g. your personal identification data, your professional identification data, etc.) is a condition for the conclusion of the contract concluded with us for the supply of the Platform.
5.5. The possible consequences of not providing your personal data could include our inability to fulfil our obligations under a contract (for example, the contract for the supply of the Platform) or a breach by us of one or more obligations under applicable legislation (for example, accounting and tax legislation).
6. How do we collect your personal data?
6.1. The personal data we process is collected from the following information sources:
● Information that we receive from the Users of the Platform;
● Information that we receive directly from you through our website or any other media;
● Information that we receive from a third party, provided that you gave your explicit consent to this third party to share that information with us;
● Information that is publicly available.
6.2. Where we receive personal data about data subjects indirectly (for example, where a financial advisor or client uploads personal data about their own clients into the Platform), we process that data in our capacity as processor on behalf of the relevant client/controller. The obligation to inform those data subjects in accordance with Article 14 GDPR (including the categories of data collected, the source of the data, the purposes and legal basis of processing, and the identity of the controller) rests with our client as data controller. In the event that we process any such data in our own capacity as data controller, we will provide the relevant Article 14 information to the data subjects concerned within one month of the initial collection of their data, or earlier if we are required to use that data to contact them.
7. Who has access to your personal data?
7.1. The following recipients may receive or have access to some of your personal data (only if necessary for the performance of their tasks):
● The customer support team has access to the personal identification data, professional identification data and contact data of Platform users only in the context of their support operations. Members of our support team do not have access to the assets and financial data of the persons concerned;
● As with most SaaS products, a limited number of designated members of our technical staff must be able to access certain personal data at the express request of our customers, when such access is essential for debugging or correction purposes on the Platform. We keep logs of these accesses (identity of the employee who accessed the data, time of access, duration of access, etc.) for as long as necessary for security audits.
● The business development team has access to the personal identification data, business identification data and contact data of representatives of our customers or prospects and representatives of our suppliers only for the purposes of our business management and supplier management;
● Our legal advisers and lawyers have access to certain personal data of the persons concerned in the context of corporate restructuring operations or litigation.
● Our accountants and auditors have access, within the framework of their mission, to financial data (including invoices) which may include personal data of representatives of our clients and suppliers.
7.2. Our subcontractors may process certain personal data concerning you only to the extent necessary to carry out their tasks in accordance with Applicable Data Protection Legislation (“Subprocessors”). These Subprocessors include but are not limited to providers of:
● Market and statistical research;
● Software and cloud services;
● Hosting of the website and related databases;
● Email and communication delivery services;
● Customer support tools;
● Identity verification, authentication and security tools;
● Payment and billing processing.
7.3. In the case of a corporate reorganization transaction (e.g. a merger, acquisition or financing transaction), we may transfer certain personal data about representatives of our customers and suppliers to a third party involved in the transaction (e.g. a buyer or investor) in accordance with Applicable Data Protection Legislation.
8. How do we manage our subcontractors?
8.1. We take adequate measures to ensure that our Subprocessors process your personal data in accordance with Applicable Data Protection Legislation.
8.2. Among other things, we ensure that our Subprocessors undertake to process personal data only on our instructions, not to engage another Subprocessor without our prior consent or without having had the opportunity to object, and to take the appropriate technical and organisational measures to guarantee the security of personal data, to ensure that persons authorised to access personal data are subject to adequate obligations of confidentiality, to return and/or destroy the personal data they process at the end of their services, to comply with audits and to provide us with assistance in following up on requests from data subjects to exercise their rights in relation to their personal data. An up-to-date list of our Subprocessors is available upon request.
9. Where do we process your personal data?
9.1. We host users' personal data exclusively on servers located in the European Economic Area ("EEA").
9.2. Some of the recipients of personal data may be companies whose registered office is located in a country outside the EEA such as, for example, the United States.
9.3. The Company will not transfer Personal Data to a Third Country unless:
- (i) there has been an adequacy decision made by the European Commission in respect of that Third Country in accordance with Applicable Data Protection Legislation and the transfer falls within the scope of that adequacy decision, or
- (ii) the Subscriber and/or the Company has entered into an agreement with the entity located in a Third Country containing the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021 (“EU SCCs”) or by another competent public authority in accordance with Applicable Data Protection Legislation (to the extent necessary, the Subscriber authorises the Company to enter into such agreement in the name and on behalf of the Subscriber). The Company shall ensure that it implements all appropriate measures to ensure an essentially equivalent level of protection of Personal Data in the Third Country compared to the level of protection in the European Economic Area. The Company will terminate any transfer in respect of which an essentially equivalent level of protection of Personal Data cannot be guaranteed.
9.4. If you would like more information about the Company's safeguards for transfers of personal data outside the EEA, please contact our Privacy Contact using the contact details set out in the Policy.
10. What are the applicable retention periods?
10.1. We ensure that your personal data is only kept for as long as is necessary for the purposes for which it is processed.
10.2. The Company uses the following criteria to determine the length of time personal data is kept according to the context and purposes of each processing operation:
● The date on which the licence to use the Platform or services provided by the Company expires;
● The date of the end of the relationship with the customer or supplier;
● Security reasons (e.g. security of buildings or our information systems);
● Any current or potential dispute or litigation with the person concerned;
● Any legal obligation to retain or delete personal data (e.g. a retention obligation imposed by an accounting or tax law).
10.3. In application of the above criteria, and subject to mandatory Belgian and EU legal retention requirements, the indicative retention periods are as follows: personal data of Platform users and data subjects is retained for the duration of the applicable licence agreement and deleted within 90 days of its termination; accounting and tax records are retained for 7 years (Belgian Accounting Law); recruitment data is retained for a maximum of 2 years from the date of the recruitment decision (APD/GBA guidance); prospect and marketing data is retained for a maximum of 3 years from the date of the last contact or interaction.
11. What are your rights?
11.1. Subject to Applicable Data Protection Legislation, you have a right to information, a right of access to, correction of and deletion of your personal data, a right to object to or limit the processing of your personal data, a right to portability of personal data and a right to withdraw your consent.
11.2. You will find below a table describing each of your rights in more detail:
- Access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, access to such personal data. You have the right to obtain a copy of your personal data, unless the exercise of this right infringes the rights and freedoms of others.
- The right of rectification: You have the right to obtain the rectification of your personal data if they prove to be inaccurate. You also have the right to obtain the completion of your personal data if it proves to be incomplete.
- The right to erasure (the "right to forget"): You have the right to obtain the deletion of your personal data. However, the right to erasure (or the "right to forget") is not absolute and is subject to specific conditions. We may retain some of your personal data to the extent permitted by applicable law, and in particular where processing remains necessary to comply with a legal obligation to which the Company is subject or to establish, exercise or defend a legal claim.
- Right to object: You have the right to object to certain types of processing (e.g. where the processing is based on the legitimate interests of the Company and, taking into account your particular circumstances, your interests or fundamental rights and freedoms prevail).
- Right to restrict processing: You have the right to request we restrict the processing of your personal data. The processing shall be restricted when:
● the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
● the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
● the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
● you have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability: You have the right, in certain circumstances, to receive the personal data concerning you that you have provided to the Company in a structured, commonly used and machine-readable format and to pass it on to another controller.
11.3. Please note that you may only exercise your rights vis-à-vis the Company to the extent that we process your personal data in the capacity of data controller. We will forward to the relevant controller any request to exercise your rights in relation to your personal data if such request relates to a processing operation for which we act in a processing capacity, and we will do so without undue delay so as to enable the controller to respond within the applicable statutory deadline.
11.4. Please address any request relating to your rights in relation to your personal data that we process in our capacity as data controller to our Privacy Contact using the contact details provided in the Policy. We undertake to deal with your request as soon as materially possible and always within the time limits provided for by the Applicable Data Protection Legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law. Please note that if we have any doubts about your identity, we may ask you for proof of identity to prevent unauthorised access to your personal data.
12. What level of security do we provide?
12.1. We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of your personal data.
12.2. We undertake to maintain at all times during your use of the Platform appropriate technical and organisational measures to guarantee the security, confidentiality and integrity of your personal data. More specifically, we take appropriate measures to prevent the occurrence of any security incident. In this regard, we undertake, in particular, to (i) maintain secure access to the Platform through a double authentication factor or any other authentication system that meets the applicable security standards; and (ii) encipher/encrypt your personal data (in transit and/or on disk) to the extent provided in accordance with the applicable security standards.
13. Do you have any questions or complaints?
13.1. Should you have any questions or complaints about the way in which the Company processes your personal data, please address them in advance to the Privacy Contact by email at legal@abbove.com or by post to Abbove SA, Cours Saint-Michel 30a, 1040 Etterbeek (Belgium).
13.2. You have the right to lodge a complaint with the competent supervisory authority. The competent authority for Belgium is:
Data Protection Authority
Rue de la Presse 35, 1000 Brussels
+32 (0)2 274 48 00
contact@apd-gba.be
14. Anything else?
14.1. The Company reserves the right to update the Policy from time to time. We will notify you of any changes we make to the Policy. This Privacy Policy was last updated 11 May 2026.
14.2. In the event of a conflict or inconsistency between a provision of the Policy and a provision of another Company policy or document relating to the processing of personal data, the provision of the Policy shall prevail.