Privacy Statement

1. Data Controller

The controller responsible for processing personal data as described in this privacy statement is:

• NovaTerrae B.V.
• Ericsonstraat 2, 5121 ML Rijen, Netherlands
• Email: info@novaterrae.nl
• Phone: +31 (0)161 55 08 10
• KvK: 81631634
• BTW: NL862163390B01

2. Definitions

In this privacy statement, the following terms are used:

• Personal data — any information relating to an identified or identifiable natural person (the "data subject").
• Processing — any operation performed on personal data, such as collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• Data subject — any identified or identifiable natural person whose personal data is processed.
• Controller — the natural or legal person who determines the purposes and means of processing personal data (in this case, NovaTerrae B.V.).
• Processor — a natural or legal person who processes personal data on behalf of the controller.
• Consent — any freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data.

3. What data do we collect?

• Contact details (name, email address, phone number) you provide.
• Company and role information needed for service delivery and onboarding.
• Account and authentication data (user ID, access tokens where applicable).
• Usage data (feature interactions, settings, logs, and diagnostics).
• Technical data (IP address, device, browser, operating system).

4. Purposes and legal bases

We process your personal data for the following purposes, each based on a specific legal basis under Article 6(1) of the GDPR:

• Service delivery and account management — necessary for the performance of a contract with you (Art. 6(1)(b) GDPR).
• Customer support and incident handling — necessary for the performance of a contract (Art. 6(1)(b)) and/or our legitimate interests in providing good service (Art. 6(1)(f)).
• Security, fraud prevention, and compliance — necessary for compliance with a legal obligation (Art. 6(1)(c)) and/or our legitimate interests in protecting our business and users (Art. 6(1)(f)).
• Product improvement and analytics — based on our legitimate interests in improving our services (Art. 6(1)(f)). Analytics cookies are only placed after your consent (Art. 6(1)(a)).
• Marketing and communications — based on your consent (Art. 6(1)(a)). You may withdraw consent at any time.

5. Contact forms and website communication

When you fill in a contact form, request a demo, or send us an email, we collect the data you voluntarily provide (such as name, email address, company name, and your message). We use this data solely to respond to your inquiry and to follow up where appropriate. The legal basis is our legitimate interest in handling your request (Art. 6(1)(f) GDPR) or, where your inquiry relates to a potential contract, the performance of pre-contractual measures (Art. 6(1)(b) GDPR). Contact form data is retained for up to 12 months after your last interaction, unless a contractual relationship is established.

6. Retention periods

We retain personal data only as long as necessary for the purposes described above, unless a longer retention period is required by law. Specific retention periods are:

• Contact form inquiries: up to 12 months after your last interaction.
• Demo and Quickscan requests: up to 24 months after your request, to enable follow-up and evaluation.
• Contractual and billing data: 7 years after the end of the contract, as required by Dutch fiscal legislation.
• Analytics data (Google Analytics): 26 months, anonymized where possible.
• Cookie consent records: retained as long as consent is valid or until withdrawal.
• Support and incident data: duration of the contract plus 2 years after termination.

After the applicable retention period, data is securely deleted or anonymized.

7. Sharing data and processors

We only share personal data with trusted vendors and partners required to deliver our services. We do not sell personal data. The following categories of processors are involved:

• Hosting: Microsoft Azure — our website and services are hosted on Microsoft Azure infrastructure within the EU.
• Analytics: Google Analytics (Google LLC) — website usage analysis, only after your consent. IP addresses are anonymized.
• Form processing: Microsoft Power Automate — contact form and Quickscan submissions are processed via Microsoft Power Automate.

We have appropriate data processing agreements in place with all processors.

8. International transfers

Your data is primarily processed within the European Economic Area (EEA). In some cases, data may be transferred to countries outside the EEA:

• Google Analytics: Google LLC is based in the United States. Google participates in the EU-U.S. Data Privacy Framework. Additionally, Standard Contractual Clauses (SCCs) are in place.
• Microsoft services: Microsoft processes data primarily within the EU. Where data may pass through US infrastructure, Microsoft relies on the EU-U.S. Data Privacy Framework and SCCs.

We only transfer data outside the EEA when appropriate safeguards are in place as required by Chapter V of the GDPR.

9. Security

We take appropriate technical and organizational measures to protect your data against loss, misuse, or unauthorized access, including access controls, encryption where appropriate, and monitoring of our systems.

10. Your rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Art. 16) — You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17) — You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
• Right to restriction of processing (Art. 18) — You have the right to request that we limit the processing of your data in certain circumstances, for example while a complaint is being investigated.
• Right to data portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transfer it to another controller.
• Right to object (Art. 21) — You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we have compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)) — Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at info@novaterrae.nl. We will respond to your request within 30 days.

11. Automated decision-making and profiling

NovaTerrae does not use fully automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Article 22 of the GDPR. Where we use AI-powered features or analytics, human oversight is always maintained and decisions are not based solely on automated processing.

12. Cookies and tracking

We use cookies and similar technologies to ensure the website works properly and to understand usage. Non-essential cookies (such as analytics) are only placed after you have given consent via our cookie banner. For more information, see our Cookie Policy.

13. Children's privacy

Our services are not intended for children, and we do not knowingly collect personal data from children without appropriate consent.

14. Changes to this statement

We may update this privacy statement from time to time. The latest version will be posted on this page.

15. Contact and complaints

If you have questions about this privacy statement, want to exercise your rights, or have a privacy-related concern, please contact our privacy contact point:

• NovaTerrae B.V. — Privacy Contact
• Email: info@novaterrae.nl (subject: Privacy)
• Phone: +31 (0)161 55 08 10
• Ericsonstraat 2, 5121 ML Rijen, Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl.