Privacy Policy

1. Data Controller

The controller responsible for processing your personal data is:

2. Introduction

De Netherlands Consulting Group ("we", "us", "our") values your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard information in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming ("UAVG"), the ePrivacy Directive 2002/58/EC, and any other applicable data protection legislation.

This policy applies to all personal data collected through our website www.denetherlands.com and any related services.

3. Data We Collect

We collect personal data only when you voluntarily provide it through our website forms. We do not collect data passively through cookies or tracking technologies (see Section 8).

3.1 Contact Form

When you submit a general enquiry, we collect: first name, last name, email address, phone number (optional), company name (optional), job title (optional), location (optional), zip code (optional), topic of enquiry, your message, and any file attachments you choose to upload.

3.2 Request for Proposal (RFP) Form

When you submit a proposal request, we collect: title, first name, last name, position, corporate email address, phone number, country code, company name, company location, industry, yearly revenue bracket, project description, comments, and any file attachments you choose to upload.

3.3 Job Application Form

When you apply for a position, we collect: first name, last name, email address, phone number (optional), desired position, cover letter, message, and any file attachments such as your CV/resume.

3.4 Email & Phone Verification (OTP)

To verify your identity during form submission, we may send a one-time passcode (OTP) to your email address or phone number. The OTP is generated on the client side and transmitted to our server solely for delivery to you. OTPs are not stored and expire immediately after use.

3.5 Contractual and Administrative Data

For existing clients, we may process limited contractual and administrative information necessary to perform our services and to comply with legal obligations — for example, contact and contractual identifiers, invoicing references, and tax identifiers where required by law. Billing amounts, pricing, and payment schedules are governed exclusively by separate written agreements (e.g., Master Services Agreement, Statements of Work).

3.6 Technical Data

Our hosting infrastructure (Amazon Web Services) may automatically log standard server access data such as IP addresses, browser type, and request timestamps. This data is used solely for security monitoring and is not linked to your identity.

3.7 De Map Waitlist and De Genie Notify List

When you join the De Map founding-200 waitlist or the De Genie launch-notify list, we collect: full name, email address, phone number (including country code), country of residence, city (optional), current employment status, target role, LinkedIn profile URL (optional), your explicit terms and privacy consent, and your optional marketing-communications consent.

To prevent abuse of the limited 200 founding-member offer and related Early Access coupon, we also collect a browser fingerprint and perform a coarse IP-based geolocation lookup (city, region, country, network operator) at the moment you submit the form. The fingerprint is a non-persistent identifier derived from standard browser characteristics; we do not combine it with advertising or tracking networks.

The legal basis for this processing is your consent (Art. 6(1)(a) GDPR) for the waitlist enrolment and marketing communications, and our legitimate interest (Art. 6(1)(f) GDPR) in preventing fraud and enforcing the fair use of the promotional coupon.

You can download a copy of your waitlist record or request permanent deletion at any time via our self-service page: Manage my data.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR Article 6(1):

• Consent — Art. 6(1)(a): When you voluntarily submit a form on our website, you consent to the processing of the data you provide. You may withdraw your consent at any time (see Section 6).
• Contractual necessity — Art. 6(1)(b): To perform or enter into a contract with you, including responding to RFPs and processing job applications.
• Legal obligations — Art. 6(1)(c): To comply with applicable tax, accounting, and regulatory requirements under Dutch and EU law.
• Legitimate interests — Art. 6(1)(f): To maintain website security, prevent fraud, and improve our services. Our legitimate interests do not override your fundamental rights and freedoms.

5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share your data only with the following categories of processors, under appropriate data processing agreements:

• Microsoft 365 (Microsoft Corporation): Email delivery for form confirmations, OTP codes, and internal communications. Data may be processed in EU and US data centres under EU Standard Contractual Clauses.
• Amazon Web Services (AWS): Cloud hosting and infrastructure for our website and backend services, located in the US (us-east-1 region), protected under the EU-US Data Privacy Framework.
• Google Fonts (Google LLC): Web fonts are loaded from Google servers. When you visit our website, your browser connects to Google's servers, which may receive your IP address. Google's privacy policy applies.
• Cloudflare (Font Awesome CDN): Icon library loaded from Cloudflare's CDN. Your browser connects to Cloudflare's servers when loading these assets.

We do not use any analytics, advertising, remarketing, or social media tracking services.

6. Your Rights Under GDPR

Under Articles 15–22 of the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18): Request that we limit how we process your data.
• Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please email support@denetherlands.com, or for De Map / De Genie waitlist entries use our self-service page: Manage my data. We will respond within 30 days as required by law.

7. International Data Transfers

Your personal data may be transferred outside the European Economic Area (EEA) to the following jurisdictions:

• United States: Via AWS hosting and Microsoft 365 email services, protected under the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCCs).
• India: For certain operational support, protected by EU Standard Contractual Clauses (SCCs) together with a documented Transfer Impact Assessment (TIA).

We ensure that all international transfers are accompanied by appropriate safeguards as required by GDPR Chapter V.

8. Cookies and Local Storage

Our website does not set any cookies. We do not use analytics cookies, marketing cookies, tracking cookies, or any third-party cookies.

We use your browser's local storage (not cookies) solely to remember your cookie consent banner preference. This data remains on your device, is never transmitted to our servers, and you can clear it at any time through your browser settings.

The cookie consent banner on our website is provided as a transparency measure. Since we do not deploy any analytics or marketing tracking, accepting or declining optional categories has no practical effect.

Third-party services loaded by our website (Google Fonts, Cloudflare CDN) may set their own cookies according to their respective privacy policies. We have no control over these third-party cookies.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

• Contact form submissions: Up to 12 months after the last communication, unless a contractual relationship is established.
• RFP submissions: Up to 12 months after the proposal process concludes, unless a contractual relationship is established.
• Job applications: Up to 4 weeks after the recruitment process concludes, or up to 1 year with your explicit consent, in accordance with Dutch UAVG guidelines.
• Contractual data: For the duration of the contract plus 7 years thereafter, as required by Dutch fiscal retention obligations (Algemene wet inzake rijksbelastingen).
• De Map / De Genie waitlist entries: Retained until you request deletion via the self-service page. Unverified entries older than 24 hours are purged automatically. Deletion-request and export tokens expire after 24 hours.
• OTP verification codes: Not stored; expire immediately after use.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data in accordance with GDPR Article 32, including:

• Encryption of data in transit (TLS/HTTPS)
• Access controls and authentication
• Secure cloud infrastructure with AWS
• Regular security reviews

11. File Uploads

When you upload files via our forms (e.g., CVs, project briefs), we validate file types and sizes for security purposes. Uploaded files are transmitted securely to our email system and are subject to the same retention periods as the corresponding form submission. We do not store uploaded files on public servers.

12. Automated Decision-Making

We do not use automated decision-making or profiling as defined under GDPR Article 22. All form submissions are reviewed by our team members.

13. Children's Data

Our website and services are not directed at individuals under the age of 16 (the threshold under Dutch UAVG Article 8). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Article 34).

15. Changes to This Policy

We may update this Privacy Policy from time to time. Any material changes will be posted on this page with a revised "Last updated" date. We encourage you to review this policy periodically.

16. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority:

17. Contact

For any questions or concerns regarding this Privacy Policy or your personal data, please contact us: