This privacy statement informs you about the processing of your personal data by us, DQC B.V., a private company incorporated under the laws of the Netherlands (besloten vennootschap met beperkte aansprakelijkheid), having its statutory seat and registered offices in (2242 JR) Wassenaar, the Netherlands, at the address of Van Wijnbergenlaan 13, registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 84778180 (“Blockhorizon” or: “we”/“us”), when you use our website and/or app, use our services and/or communicate with us.

CONTROLLER

Blockhorizon is the controller of the processing operations described in this privacy statement, except where otherwise indicated for a specific processing operation.

PURPOSES OF PROCESSING

Blockhorizon may process your personal data for the following purposes:

• to enable the use and basic security of our website and app;
• to receive and make use of the services that we provide to you;
• to examine how our website and app is being used, so that we can make improvements where necessary;
• to communicate with you if you contact us;
• to document the agreements and arrangements we made with you;
• to keep records of business transactions in our financial administration;
• to be able to inform you about our business and about products that we offer; and/or
• to be able to transfer our company (including goodwill / customer base) in case of a merger, a takeover or relaunch.

LEGAL GROUNDS FOR PROCESSING AND RETENTION PERIODS

If you are visiting or using our website and/or app, use our services or contact us, there are certain personal data that we need to process about you, in order to be able to respond and provide our services to you. These are processing operations that we do on the grounds of Article 6 Paragraph 1 (b) and (c) of the GDPR.

If you visit or use our website and/or app, we process:

• your device's IP address; and

If you wish to enquire into and/or use our services, we process;

• your name;
• your contact details (e-mail address);
• your communications with us; and
• other information that is required by the relevant third party supplier in order to execute and deliver our services to you.

If you reach out to us with questions, comments or requests;

• your name;
• your contact details (according to your choice of communication channel); and
• your communications with us.

The personal data contained in our financial records could contain, for instance:

• your name, address, city and country of residence;
• the amounts we charged to you;
• the dates on which we have charged amounts to you;
• the type of products or services to which the amounts charged relate, so that the correct VAT rate can be determined;
• contact details; and/or
• communications and agreements that pertain to sale of products or services.

Providing us with these personal data is a prerequisite for entering into a contract with us and us being able to provide our services to you, within the meaning of in Article 13 (2) (e) of the GDPR. We cannot show you our website, app, provide our services to you and/or communicate with you without processing these personal data.

Retention periods

• Website/app data: In accordance with terms required under Dutch law.
• Communications: We save these until they are no longer relevant. When that is, exactly, depends on the subject of the communications. If communications have a legal or financial component, we may be obliged by law to keep them in our records for 10 years after the communications lose their topicality.

The retention period for the personal data we process for our financial administration is: ten (10) years after the data has lost its topicality. This means that billing data is destroyed in the eleventh fiscal year after the billing has taken place. If we have an ongoing contract with you or your company, under which we charge, we will retain a copy of that contract for our tax data retention obligations for ten years after the contract ends.

In some cases, we may retain the personal data that we mentioned above for a longer period. This is the case if we have reason to believe that retaining the data is necessary for the protection of our legal position in case of a dispute, or if we are required by law to retain certain data for a longer period. For more information about longer retention of personal data in such cases, please refer to the paragraph about ‘legitimate interest’ in this privacy statement.

SHARING OF PERSONAL DATA

We may share your personal data with third parties in the following cases. For some parts of our business activities, we use service providers outside our own organization. If these service providers process personal data for us, they are – in the terms of the GDPR – our “processors”. In such cases, we conclude a processor's agreement with them, as referred to in article 28 paragraph 3 GDPR.

We use the following types of processors:

• payment service provides in order to facilitate payments for your use of the services;
• a provider of software-as-a-service and cloud storage for our email and general office work;
• social networking media and a webhosting service for presenting our company online.

It may happen that a processor collects personal data directly from data subjects on our behalf. In such cases, we instruct our processor to collect only the personal data that is necessary for the provision of the services we have agreed with that processor. If you provide additional personal data to one of our processors (more than is necessary for the service they provide to us), please be aware that you do so of your own volition; in such a case, we are not the controller of those additional personal data.

We chose our processors with care, paying particular attention to data security. We selected providers who help us process personal data within the EEA as much as possible. Nevertheless, it must be noted that most of our processors are based in the USA or have parent companies in the USA. Our processor’s agreements with these processors include the Standard Contractual Clauses most recently ratified by the European Commission, in order to safeguard your privacy when we transfer personal data to these processors.

The Standard Contractual Clauses in themselves cannot always prevent that the USA government may take access to personal data processed by companies who are subject to legislation like the CLOUD Act and/or FISA 702. Before contracting with our processors, we assessed the risk of USA legislation being used to access personal data that we might store with them, and we concluded that the risk is small enough to decide to use these processors. Nevertheless, we want to warn you: if it is very important to you that there is zero risk of your personal data being involved in surveillance or investigative actions by the USA government, you should refrain from applying for a job with us or otherwise sending us your personal data.

DATA SHARING BASED ON A LEGAL OBLIGATION OR LEGITIMATE INTEREST

Sometimes we are obliged by law to share your personal data with third parties. For example:

• if the police or any other investigative service, the tax authority, a governmental body or any other authority lawfully request personal data from us; and/or
• if a private party has a legitimate claim to receive or access your personal data on the basis of a judicial authorization.

If we receive a request from third party to share your personal data with them, we will inform you of this, unless informing you is not permitted by law.

We may share your personal data with third parties such as our accountant, lawyer and/or a bailiff, a detective agency, cyber security experts or other types of researchers and/or the police if this is reasonably necessary:

• to keep our financial and fiscal records in accordance with the law;
• to protect rights, property or the safety of our organization, our employees, our customers or the public;
• to protect our organization, our employees, our customers or the public from fraudulent or otherwise unlawful, inappropriate or offensive use of our products, our property or our services; and/or
• to respond to a (current or imminent) liability or other (current or imminent) legal consequences.

If we share your personal data on this basis, we will inform you about it if we can. We cannot inform you about sharing your personal data if doing so might interfere with the purpose and effectiveness of the investigation or other measures for which we have to share the data.

TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

We process personal data within the EEA as much as we can. Even when we use processors who are based outside of the EEA, we choose regionalized settings to keep our data on servers in the EEA wherever we can. If we have to process personal data outside the EEA, we will try to this in a country that offers an adequate level of personal data protection within the meaning of Article 45 GDPR.

If we would ever need to process personal data in a country that is not covered by an adequacy decision within the meaning of Article 45 GDPR, we will make use of standard contractual clauses made or ratified by the European Commission (within the meaning of Article 46 paragraph 2 under c and d), to ensure that our processor offers adequate safeguards for your privacy. We already explained this further in the paragraph about sharing your personal data with our processors.

THIRD PARTY WEBSITES AND SERVICES

Our website or app may link to websites of other companies, or include links to online services by other parties. If you decide to visit websites or services by other companies, the data processing policies of that other company applies. Blockhorizon is not the controller for personal data processed by third party websites or services. Be sure to inform yourself about the applicable data processing policies on such websites or services before you decide to provide your personal data through them.

Blockhorizon is active on certain social media, like Facebook and LinkedIn. If you visit our pages there, or contact us through such media, the companies behind those media may also process certain information about you. Blockhorizon is not the controller for personal data processed by such social media. Please be sure to inform yourself about the applicable data processing policies on social media before you use them to visit or contact us.

SECURITY OF YOUR PERSONAL DATA

Blockhorizon takes the appropriate technical and organizational measures to secure your personal data. We will ensure that our measures are appropriately updated to remain in line with the state of the art regarding data security. Currently, we apply (at least) the following types of security measures:

• we have taken physical measures in our business premises to ensure that unauthorized persons cannot access our documents, workstations and servers;
• our company regulations contain behavioral rules to prevent unauthorized access to and/or loss of personal data;
• all our employees are contractually bound to confidentiality;
• we use SSL (Secure Socket Layer) technology where appropriate to encrypt sensitive information and personal data (such as account passwords and other identifying information) during transmission;
• sensitive information is stored in encrypted form, in so far as is reasonably possible within our company’s activities;
• back-ups of personal data are made to the reasonably possible extent; and
• vulnerabilities in our software are always addressed as quickly as possible.

Insofar as we use the services of third parties, who act on our behalf as processors of personal data, these processors are contractually obliged to take appropriate technical and organizational measures to protect the personal data.

Although we do our best to ensure good security, we must point out that absolute security when storing personal data and sending data over the Internet can never be guaranteed.

YOUR RIGHTS

For all processing operations that we carry out on the basis of your consent, you have the right to withdraw your consent at any time. We will then discontinue the processing operations in question. Please note that the processing operations that already took place on the basis of your granted consent will not become unlawful with retroactive effect.

You have the right to object against processing operations that we carry out on the basis of a legitimate interest, on grounds relating to your particular situation.

In all cases, you have the right to request access to the personal data we process about you, the right to have inaccuracies in your personal data corrected (“right to rectification”) and the right to have your personal data erased if their processing is not/no longer based on a valid legal ground. If there is no longer a valid legal ground for our processing of your personal data, but you do not want to have the data removed immediately, you can also make use of the right to “restriction of processing”. Restriction of processing means that we retain your personal data for you, but do not use it for any other purpose.

In some cases, you may have the right to data portability. Data portability means that you can receive your personal data from us in a structured, commonly used and machine-readable format, or have it transferred to a new service provider (where technically feasible). This right only applies to personal data that you have provided directly to us and that we process on the basis of your consent, or because it is necessary for the performance of our contract with you.

Your right to lodge a formal complaint

If you are dissatisfied with anything related to our processing of your personal data, please discuss it with us so that we can try to resolve it. You can contact us for this purpose using the contact details below. If we are unable to resolve your objection within a reasonable period of time, you have the right to lodge a complaint with the supervisory authority for the protection of personal data, either:

• in the EU member state where you live or habitually reside;
• in the EU member state where you work; and/or
• in one of the EU member states where Blockhorizon has its offices (the Netherlands).

Contact us about your privacy

For questions or comments on our processing of personal data, or to exercise your rights, please contact us at: [e-mail adres]

Updates to this privacy statement

Our privacy statement may be changed or updated from time to time. We can do this unilaterally, by amending this page.