Last Updated:

Feb 6, 2026

Privacy Policy

Privacy Policy

Lisa (info@lisa.works) respects your privacy. We process personal data only when necessary for our services, such as assessing and executing ISAs for education. This policy explains what we do.



  1. Who are we?


Lisa is the data controller.
Contact: info@lisa.works
Address: Prinsengracht 769, 1017 JZ, Amsterdam, NL
We do not have a separate Data Protection Officer (DPO).



  1. What data do we collect?


• Website visitors: IP address, browser info, log files (for security and analysis).

• Applicants/students: name, email, phone, date of birth, education, work/income data, bank account (IBAN), ID proof (for KYC/AML).

• Investors: name, email, KYC data, investment info.
Data comes directly from you, or indirectly from schools/employers/credit bureaus (e.g., Equifax).​



  1. Why do we process this data?


• Performance of ISA agreement (assessment, payments).

• Legal obligations (fraud prevention, taxes).

• Legitimate interest (website security, product improvement).

• Consent (marketing, newsletter).
For profiling (scoring model for approval), we rely on contract necessity.​



  1. Cookies and tracking


We use essential cookies for site functionality. Optional: Google Analytics for usage analysis (anonymized IP). You can refuse cookies via your browser, but this may limit functionality. Cookie banner shows options.



  1. With whom do we share data?


• Processors: hosting (e.g., AWS EU), payments (e.g., Stripe), CRM (e.g., Salesforce), analytics (Google). All with data processing agreement (DPA).

• Third parties: schools (status confirmation), investors (anonymized), authorities (legally required).
No data sales.​​



  1. Transfers outside EU?


Yes, to US providers (Google, Stripe) with EU standard contractual clauses (SCC) and Data Privacy Framework (DPF).​​



  1. How long do we retain data?


• Rejected applications: max. 2 years.

• Active ISAs: up to 10 years post-end (contract term + 7 years fiscal).

• Website logs: 1 month.
Then delete or anonymize.​



  1. Your rights


You have the right to:

• Access, rectification, erasure, restriction.

• Object to processing (incl. marketing).

• Data portability.

• Complain to Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
Send requests to info@lisa.works; we respond within 1 month.



  1. Security


Data is encrypted (TLS), access-restricted, and regularly audited. No 100% guarantee, but appropriate measures.​



  1. Children


Our site is not for under 18s without parental consent.​



  1. Changes


We update as needed and notify major changes via site/email.

Questions? Email info@lisa.works.​

Lisa (info@lisa.works) respects your privacy. We process personal data only when necessary for our services, such as assessing and executing ISAs for education. This policy explains what we do.



  1. Who are we?


Lisa is the data controller.
Contact: info@lisa.works
Address: Prinsengracht 769, 1017 JZ, Amsterdam, NL
We do not have a separate Data Protection Officer (DPO).



  1. What data do we collect?


• Website visitors: IP address, browser info, log files (for security and analysis).

• Applicants/students: name, email, phone, date of birth, education, work/income data, bank account (IBAN), ID proof (for KYC/AML).

• Investors: name, email, KYC data, investment info.
Data comes directly from you, or indirectly from schools/employers/credit bureaus (e.g., Equifax).​



  1. Why do we process this data?


• Performance of ISA agreement (assessment, payments).

• Legal obligations (fraud prevention, taxes).

• Legitimate interest (website security, product improvement).

• Consent (marketing, newsletter).
For profiling (scoring model for approval), we rely on contract necessity.​



  1. Cookies and tracking


We use essential cookies for site functionality. Optional: Google Analytics for usage analysis (anonymized IP). You can refuse cookies via your browser, but this may limit functionality. Cookie banner shows options.



  1. With whom do we share data?


• Processors: hosting (e.g., AWS EU), payments (e.g., Stripe), CRM (e.g., Salesforce), analytics (Google). All with data processing agreement (DPA).

• Third parties: schools (status confirmation), investors (anonymized), authorities (legally required).
No data sales.​​



  1. Transfers outside EU?


Yes, to US providers (Google, Stripe) with EU standard contractual clauses (SCC) and Data Privacy Framework (DPF).​​



  1. How long do we retain data?


• Rejected applications: max. 2 years.

• Active ISAs: up to 10 years post-end (contract term + 7 years fiscal).

• Website logs: 1 month.
Then delete or anonymize.​



  1. Your rights


You have the right to:

• Access, rectification, erasure, restriction.

• Object to processing (incl. marketing).

• Data portability.

• Complain to Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
Send requests to info@lisa.works; we respond within 1 month.



  1. Security


Data is encrypted (TLS), access-restricted, and regularly audited. No 100% guarantee, but appropriate measures.​



  1. Children


Our site is not for under 18s without parental consent.​



  1. Changes


We update as needed and notify major changes via site/email.

Questions? Email info@lisa.works.​