Privacy Policy

1. Data Controller

SpySecure B.V., based in Amsterdam and registered with the Dutch Chamber of Commerce under number 87334542, is the data controller responsible for the processing of personal data as described in this policy.

2. Which data do we collect?

a. Data provided by you

• Name, job title, and company details
• Address and contact details (such as email address and phone number)
• Information provided via forms, onboarding, quotations, or support requests

b. Automatically collected data

• IP address, browser type, device data, and session duration
• Log data from security services (such as detections, alerts, and system information)
• Use of our website, portals, and security solutions

c. Data from third parties

In some cases, we receive data from suppliers, security tools, or partners, for example for detection, monitoring, license management, or incident handling.

3. Purposes and legal bases for processing

We process personal data for the following purposes:

• Delivering our cybersecurity and Software-as-a-Service services
• Monitoring, detection, incident response, and other security analyses
• Account management, onboarding, and license activation
• Customer service and technical support
• Administration, billing, and contract management
• Improving our products, services, and security solutions
• Marketing communications, such as newsletters, if you have given consent
• Complying with legal obligations and requests from supervisory authorities

Processing is based on the following legal grounds under the GDPR: performance of a contract, compliance with a legal obligation, consent (for marketing), and legitimate interests (such as security, service improvement, and fraud and abuse prevention).

4. How do we protect your data?

We implement extensive technical and organizational security measures to protect your data, including:

• Encryption of data in transit and at rest
• Multi-factor authentication and role-based access control
• Regular security and vulnerability scans
• Logging, auditing, and monitoring of systems and access
• Data minimization and strict authorization policies

5. With whom do we share your data?

We only share personal data when necessary for the delivery of our services or to comply with legal obligations.

Categories of recipients:

• Hosting and cloud providers
• Security vendors (such as EDR, MDR, SIEM, and email security)
• Payment and subscription processors
• CRM, ticketing, and support providers
• Administration and accounting partners

We enter into data processing agreements in accordance with the GDPR with parties acting as processors. We never sell your personal data to third parties.

6. International data transfers

For certain services, it may be necessary for personal data to be processed outside the European Economic Area (EEA), for example by international cloud or security providers. In such cases, we only use appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other legally permitted mechanisms.

7. Retention periods

We do not retain personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is legally required. In general, we apply the following periods:

• Customer and contract data: for the duration of the contract plus up to 7 years (statutory retention obligation)
• Security logs and detection data: up to 12–24 months, unless longer required for investigation or incident handling
• Marketing data: until you unsubscribe or object to processing
• Communications and support tickets: up to 24 months after resolution

8. Your rights

Under the GDPR, you have the following rights, among others:

• The right to access your personal data
• The right to rectification of inaccurate or incomplete data
• The right to erasure of your data (where permitted)
• The right to restriction of processing
• The right to object to processing based on legitimate interest
• The right to data portability
• The right to withdraw consent for marketing communications at any time

You can exercise your rights by sending a request to contact@spysecure.nl.

If you believe that we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority.

9. Data breaches

In the event of a data breach, we take immediate measures to limit the impact and prevent recurrence. Where legally required, we report the breach to the Dutch Data Protection Authority and inform affected customers when the breach is likely to pose a high risk to their rights and freedoms.

10. Profiling and automated decision-making

SpySecure does not use automated decision-making or profiling within the meaning of the GDPR that produces legal effects concerning you or similarly significantly affects you.

11. Cookies

We use functional and analytical cookies to ensure our website works properly and to improve it. Where legally required, we request your consent before placing certain cookies. More information can be found in our cookie policy.

12. Partners and resellers

Partners offering SpySecure services under their partner license process personal data in accordance with their own privacy policy and the partner agreement concluded with SpySecure. In such cases, SpySecure often acts as a (sub-)processor for specific data processing activities.

13. Data processing agreement

When SpySecure processes personal data on behalf of a customer, a data processing agreement is provided that complies with the requirements of the GDPR. This agreement sets out, among other things, the purposes, security measures, and responsibilities.

14. Changes to this privacy policy

We reserve the right to amend this privacy policy. The most recent version is always available on our website. In the event of material changes, we will inform you through our usual communication channels.

15. Contact

Do you have questions about this privacy policy or about how SpySecure handles your personal data? Please contact us via:

Email: contact@spysecure.nl
Phone: +31-20-261-2897