ÆNOA logo
ÆNOA
Connected beverage access

Privacy Policy

Last updated: 27 March 2026

1. Data controller

The controller responsible for the processing of your personal data is:

AENOA SA
Avenue Louise 345
1050 Brussels, Belgium
Company number: 0444.813.888

If you have any questions about this privacy policy or the way we handle your personal data, please contact us at the address above.

2. What data we collect

Depending on how you interact with our website and services, we may collect the following categories of personal data:

  • Identity data: first name, last name, date of birth.
  • Contact data: email address, phone number, postal address.
  • Account data: username, password (hashed), account preferences.
  • Transaction data: drink voucher purchases, consumption history, payment references.
  • Technical data: IP address, browser type, operating system, device identifiers, access timestamps.
  • Usage data: pages visited, features used, interaction patterns within the ÆNOA app and website.
  • Location data: approximate location derived from IP address or, with your consent, precise location for venue discovery.

3. How we use your data

We process your personal data for the following purposes:

  • To create and manage your ÆNOA account.
  • To process drink voucher transactions and provide beverage access services.
  • To display participating beverage points and venue information.
  • To generate consumption analytics for operators (in aggregated, non-identifying form).
  • To communicate service updates, security alerts and support messages.
  • To improve our platform, detect fraud and ensure the security of our services.
  • To comply with legal obligations, including tax and accounting requirements.

4. Legal basis for processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Contract performance: processing necessary to provide our services to you (account management, voucher transactions, venue discovery).
  • Legitimate interest: platform improvement, fraud prevention, aggregated analytics for operators, and ensuring network security.
  • Consent: precise location data, optional marketing communications, and non-essential cookies.
  • Legal obligation: compliance with Belgian and EU regulatory requirements.

5. Data sharing

We do not sell your personal data. We may share your data with the following categories of recipients, only to the extent necessary:

  • Venue operators: aggregated and anonymised consumption data to support operational visibility. Individual user data is not shared without your explicit consent.
  • Service providers: hosting providers, payment processors and analytics tools that process data on our behalf under strict contractual obligations.
  • Legal authorities: when required by law, regulation or court order.

6. International transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If any data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or an adequacy decision.

7. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

  • Account data: retained for the duration of your account and up to 12 months after account deletion.
  • Transaction data: retained for 7 years to comply with Belgian accounting and tax law.
  • Technical and usage data: retained for up to 26 months for analytics and security purposes.
  • Marketing consent records: retained for 3 years from your last interaction.

8. Cookies and tracking

Our website uses cookies and similar technologies. Essential cookies are required for the website to function and cannot be disabled. Non-essential cookies (analytics, marketing) are only placed with your prior consent.

You can manage your cookie preferences at any time through your browser settings. Disabling certain cookies may affect the functionality of the website.

9. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: obtain confirmation of whether we process your data and request a copy.
  • Right to rectification: correct inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your data when it is no longer necessary for the purposes collected, subject to legal retention obligations.
  • Right to restrict processing: request limitation of processing in certain circumstances.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at the address listed in Section 1. We will respond within 30 days of receiving your request. If we need more time, we will inform you of the extension and the reasons for it.

10. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include encryption of data in transit (TLS), access controls, regular security assessments and staff training.

11. Children's privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without appropriate parental consent, we will take steps to delete that data promptly.

12. Supervisory authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. For Belgium, this is:

Autorité de protection des données (APD)
Rue de la Presse 35
1000 Brussels, Belgium
Website: www.dataprotectionauthority.be

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised "last updated" date. We encourage you to review this policy periodically.