PRIVACY POLICY
1. Introduction
NEUROSANTE B.V. ("we," "us," "our") respects your privacy and adheres to the General Data Protection Regulation (GDPR) when processing your personal data. As the Data Controller (Article 4, paragraph 7), located at Snellius 1, 6422 RM Heerlen, Netherlands, we manage how your data is collected, used, and protected.
We process your personal data based on lawful grounds such as performance of a contract, consent, legal obligations, or legitimate interests (Article 6). You have several rights under the GDPR, including access, rectification, erasure, restriction of processing, data portability, and the right to object or opt out of automated decision-making (Articles 12–23).
If you have concerns, you can lodge a complaint with the Dutch Data Protection Authority (Article 77). We may update this Privacy Policy to reflect changes, informing you through our website or email (Article 13).
2. Controller Information
According to Article 4(7) of the General Data Protection Regulation (GDPR), the "controller" is defined as the entity that determines the purposes and means of processing personal data. In this context, the controller for processing your personal data is:
NEUROSANTE B.V.
Address: Snellius 1, 6422 RM Heerlen, Netherlands
Phone: +31 6 27 83 77 65
Email: info@neuroces.com
Website: www.neuroces.com
NEUROSANTE B.V. is responsible for ensuring that all processing of personal data is conducted in accordance with the applicable data protection laws, including the GDPR. As the controller, NEUROSANTE B.V. takes full responsibility for safeguarding your personal data, as outlined in Article 5(1), which details the principles relating to processing, such as lawfulness, fairness, transparency, purpose limitation, and accuracy.
For any questions or concerns regarding the processing of your personal data, you can contact NEUROSANTE B.V. through the contact details provided above, following Article 13(1)(a) which requires the controller to provide such information at the time of data collection.
3. Data We Collect
This section outlines the types of data we collect, processing methods, and their purposes, in accordance with the General Data Protection Regulation (GDPR).
3.1. Types of Data Collected
3.1.1 Personal Identification Information (Art. 6(1)(b), Art. 6(1)(f))
We collect personal data necessary for contractual obligations or when there is a legitimate interest. This data includes:
- Full Name: Used for identification, customer account creation, and order processing.
- Email Address: Used for account registration, order confirmations, and customer service communication.
- Phone Number: Used for contact during order delivery, support services, and account verification.
- Residential or Business Address: Used for order delivery and invoicing.
- Username and Password: Used for user account management and access to the website.
3.1.2 Payment Information (Art. 6(1)(b), Art. 9(2)(a))
For transaction processing, we collect:
- Credit or Debit Card Details: Collected securely via third-party payment providers to complete purchases.
- Bank Account Information: Required for bank transfers or refunds, where applicable.
Note: We do not store payment information on our servers; it is managed through third-party, secure payment processors.
3.1.3 Communication Data (Art. 6(1)(f))
We collect data from your interactions with us, including:
- Email Content: To respond to inquiries and provide customer support.
- Phone Call Logs: To monitor and improve customer service quality.
- Chat Transcripts: To address user queries, improve services, and for training purposes.
3.1.4 Usage Data (Art. 6(1)(f))
To understand website performance and user behavior, we collect:
- IP Address: Used for security purposes and website analytics.
- Device Type and Operating System: Used to improve website compatibility and user experience.
- Browser Information: Used to analyze website performance and troubleshoot issues.
- Pages Visited, Duration, and Click Behavior: Used for website optimization and traffic analysis.
3.1.5 Cookie Data (Art. 6(1)(a))
We use cookies to:
- Store user preferences and settings.
- Enable core website functionalities, such as login, shopping cart, and checkout processes.
- Provide personalized content and advertising.
- Analyze website traffic and user behavior.
Consent for non-essential cookies is requested separately.
3.1.6 Marketing and Advertising Data (Art. 6(1)(a), Art. 6(1)(f))
We collect information to personalize and enhance marketing efforts, including:
- Email Address: Used for sending newsletters and promotional content, only with user consent.
- User Interaction Data: Used to customize marketing campaigns and measure their effectiveness.
3.1.7 Customer Feedback and Survey Data (Art. 6(1)(a))
If you participate in surveys or provide reviews, we collect:
- Survey Responses: To improve our products and services.
- Product Reviews: To enhance product quality and customer satisfaction.
- User Ratings: To evaluate and improve customer experiences.
3.1.8 Sensitive Personal Data (Art. 9(2)(a))
Sensitive personal data, such as health information, may be collected with explicit consent when necessary for specific product use or services.
3.2. Data Collection Methods
Data is collected through:
- User Input: Data provided by users during account creation, purchases, or direct communication.
- Automated Technologies: Data collected automatically using cookies and analytics tools during website use.
- Third-Party Services: Data shared by payment providers, marketing platforms, and social media channels integrated with our website.
3.3. Lawful Basis for Processing
We process personal data based on the following lawful bases:
- Consent (Art. 6(1)(a)): Where users have explicitly given consent, such as for marketing purposes.
- Contractual Necessity (Art. 6(1)(b)): To fulfill orders, process payments, or manage accounts.
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws or legal requests.
- Legitimate Interest (Art. 6(1)(f)): For security measures, website analytics, and user experience improvements.
You have the right to withdraw your consent at any time where processing is based on consent (Art. 7(3)).
3.4. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or contractual requirements (Art. 5(1)(e)).
3.5. Data Protection Measures
We implement suitable technical and organizational measures to protect personal data, adhering to GDPR’s requirements (Art. 32).
4. Legal Basis for Processing
Our processing of personal data is carried out in compliance with the General Data Protection Regulation (GDPR). The legal bases for processing your personal data are detailed below:
4.1. Performance of a Contract (Article 6(1)(b) GDPR)
We process personal data when it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This includes processing data to:
- Provide you with our products or services as ordered through our website.
- Facilitate payment transactions.
- Manage customer support and address any inquiries or complaints related to the contract.
4.2. Compliance with Legal Obligations (Article 6(1)(c) GDPR)
We process personal data when it is necessary for compliance with legal obligations to which we are subject. This includes, but is not limited to, obligations related to:
- Tax regulations.
- Accounting standards.
- Compliance with lawful requests from public authorities.
4.3. Legitimate Interests (Article 6(1)(f) GDPR)
We may process personal data based on our legitimate interests or those of a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include:
- Improving our products and services based on customer feedback.
- Conducting business analysis and market research to enhance our offerings.
- Ensuring the security of our website, systems, and customer data.
- Marketing our products to existing customers, where allowed by law.
4.4. Consent (Article 6(1)(a) GDPR)
In cases where processing is based on your explicit consent, we will request and obtain such consent before processing your data. Consent-based processing applies to:
- Sending you marketing communications about our products, if you have opted to receive them.
- Using cookies and similar tracking technologies, where required by law.
You have the right to withdraw your consent at any time by contacting us at info@neuroces.com.
4.5. Protection of Vital Interests (Article 6(1)(d) GDPR)
In rare circumstances, we may process personal data to protect your vital interests or those of another individual. For example:
- In the event of a medical emergency or critical health situation during the use of our products.
4.6. Legal Claims and Defense (Article 9(2)(f) GDPR)
If necessary, we may process special categories of personal data when it is required to establish, exercise, or defend legal claims, in compliance with Article 9(2)(f) GDPR. This processing is undertaken only when strictly required and for purposes aligned with applicable legal requirements.
5. Sharing Your Data
5.1 General Information
We may share your personal data with third parties only under specific circumstances, as allowed or required under the General Data Protection Regulation (GDPR) (EU 2016/679). This sharing is governed by strict protocols to ensure your data’s security and privacy.
5.2 Legal Basis for Sharing Data
In accordance with GDPR Article 6, we only share your personal data when there is a lawful basis for doing so. These bases include:
- Contractual Necessity (Article 6(1)(b)): We may share your data when it is necessary for the performance of a contract between you and us, such as processing an order, facilitating a payment, or managing your account.
- Legal Obligation (Article 6(1)(c)): We may share your data to comply with legal obligations, such as reporting requirements to governmental authorities.
- Legitimate Interests (Article 6(1)(f)): We may share your data when it is necessary for our legitimate interests, such as fraud prevention, provided your rights and freedoms are not overridden.
- Consent (Article 6(1)(a)): In cases where your explicit consent is required, we will only share your data if you have given clear and specific permission.
5.3 Categories of Recipients
In accordance with GDPR Article 13(1)(e), your data may be shared with the following categories of recipients:
- Payment Service Providers (GDPR Articles 6(1)(b) & 28): We may share your financial information with our external payment processors to complete transactions and manage payment security.
- Logistics Providers (GDPR Articles 6(1)(b) & 28): We share your delivery information with third-party logistics providers to ensure the shipping of your order.
- Analytics Providers (GDPR Article 6(1)(f)): We share data with third-party analytics services, such as Google Analytics and Yandex Metrica, for business analysis and improvement of our website’s functionality.
- Marketing Partners (GDPR Articles 6(1)(a) & 6(1)(f)): We may share your information with advertising networks, such as Google AdWords, for marketing purposes, but only with your explicit consent where required.
- Hosting and IT Service Providers (GDPR Articles 6(1)(b) & 28): We share data with hosting services to ensure secure and efficient functioning of our website.
5.4 International Data Transfers
In compliance with GDPR Articles 44-49, if your personal data is transferred outside the European Economic Area (EEA), we ensure that it receives an adequate level of protection. This includes implementing standard contractual clauses approved by the European Commission or ensuring transfers are based on an adequacy decision.
5.5 Data Sharing for Legal Reasons
According to GDPR Article 6(1)(c) and 6(1)(e), we may disclose your personal data if required by law, in response to valid legal requests from authorities, or in connection with legal proceedings, to protect our rights or the rights of our customers and the public.
5.6 Data Processing Agreements
In line with GDPR Article 28(3), we have Data Processing Agreements (DPAs) with all third-party processors to ensure they process your personal data only based on our instructions and provide adequate protection measures.
5.7 Duration of Data Sharing
We only share your data with third parties as long as necessary for the specific purpose, in compliance with GDPR Article 5(1)(e), unless a longer retention period is required or permitted by law.
6. Data Security
6.1. Technical and Organizational Measures (Article 32, Paragraphs 1-4)
6.1.1 Encryption of Data:
In compliance with Article 32, Paragraph 1(a), we use encryption protocols to secure your personal data during transmission and at rest. This includes secure data transmission through HTTPS and data storage with encryption mechanisms that restrict access to authorized personnel only.
6.1.2 Regular Testing and Evaluation:
As required by Article 32, Paragraph 1(d), we conduct regular testing, assessment, and evaluation of the effectiveness of our technical and organizational measures. These tests aim to ensure ongoing security, confidentiality, and resilience of our systems and services related to data processing.
6.1.3 Access Controls and Confidentiality Measures:
In line with Article 32, Paragraph 1(b), we have implemented access control measures that limit data access to authorized individuals based on their role and responsibilities. Each authorized personnel receives training on data protection principles and must adhere to confidentiality obligations, as per Article 32, Paragraph 4.
6.1.4 Data Integrity and Availability:
To ensure the integrity and availability of data, as stipulated in Article 32, Paragraph 1(b) and (c), we maintain secure backup systems, apply redundancy mechanisms, and establish procedures to restore personal data in the event of a physical or technical incident.
6.1.5 Pseudonymization:
In situations where it is feasible, we apply pseudonymization techniques, as referenced in Article 32, Paragraph 1(a), to minimize data exposure risks by making it difficult to associate data with specific individuals.
6.2. Incident Response and Notification (Article 33, Paragraphs 1-5)
6.2.1 Data Breach Notification:
If a personal data breach is detected, we will promptly assess the potential impact on individual rights and freedoms. In accordance with Article 33, Paragraph 1, we will notify the relevant supervisory authority of the breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
Additionally, we will inform affected individuals without undue delay, as required by Article 34, Paragraph 1, if the breach is likely to result in a high risk to their rights and freedoms.
6.3. Data Minimization and Retention (Article 5, Paragraphs 1(c) and (e))
6.3.1 Data Minimization:
In adherence to Article 5, Paragraph 1(c), we only collect and process personal data that is necessary for the specified purposes outlined in this policy, ensuring that we do not retain excessive data.
6.3.2 Retention Periods:
As required by Article 5, Paragraph 1(e), we maintain personal data for only as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are defined for different categories of data, and we implement measures to delete or anonymize data upon the expiration of these periods.
6.4. Processor Agreements (Article 28, Paragraphs 1-10)
6.4.1. Data Processing Contracts:
Where we engage third-party processors to handle personal data on our behalf, we enter into formal data processing agreements in compliance with Article 28, Paragraphs 1-10. These agreements ensure that processors adhere to GDPR requirements and maintain appropriate security measures equivalent to those we implement.
6.5. Risk Assessment (Article 35, Paragraphs 1-11)
6.5.1 Data Protection Impact Assessments (DPIA):
For processing activities that may pose a high risk to individual rights and freedoms, we conduct Data Protection Impact Assessments (DPIA) in line with Article 35, Paragraphs 1-11. This process involves assessing potential risks and implementing measures to mitigate them, ensuring compliance with data protection laws and safeguarding individual privacy.
7. International Data Transfers
7.1. General Principle for Transfers (Article 44)
As NEUROSANTE B.V. may collect, process, and store personal data of users from the European Union (EU) or European Economic Area (EEA), any transfer of such data to a country outside of the EU/EEA must comply with the safeguards established under the General Data Protection Regulation (GDPR).
7.2. Transfers Based on Adequacy Decisions (Article 45)
In cases where personal data is transferred to a third country or international organization, we ensure that such transfers are only made to countries that the European Commission has deemed to offer an adequate level of data protection. The adequacy decisions evaluate whether the legal framework of that third country or organization ensures appropriate data protection.
Examples of such countries include Canada, Japan, and Switzerland, where EU users' data may be transferred if necessary. Adequacy decisions are regularly reviewed by the European Commission to ensure compliance with data protection standards.
7.3. Transfers Subject to Appropriate Safeguards (Article 46)
If no adequacy decision exists, NEUROSANTE B.V. will implement appropriate safeguards to ensure the security and protection of personal data. These safeguards may include:
- Standard Contractual Clauses (SCCs): Approved by the European Commission, these clauses bind the third-party recipient to adhere to GDPR standards.
- Binding Corporate Rules (BCRs): For intra-group transfers, BCRs ensure that personal data processed within NEUROSANTE B.V.’s affiliates, located outside the EU/EEA, remains protected.
- Codes of Conduct or Certification Mechanisms: In some cases, adherence to a code of conduct or certification mechanism may provide an additional layer of protection for transferred data, provided they are binding and enforceable.
7.4. Binding Corporate Rules (Article 47)
For internal transfers of personal data between NEUROSANTE B.V.’s entities outside the EU/EEA, we may utilize Binding Corporate Rules (BCRs), which must be approved by the competent supervisory authority. These rules ensure that all group entities adhere to the same level of data protection as prescribed by GDPR.
7.5. Transfers or Disclosures Not Authorized by EU Law (Article 48)
NEUROSANTE B.V. will not transfer personal data to any third country or international organization that requires it under foreign jurisdiction, except when required by EU Member State law. In such cases, NEUROSANTE B.V. will inform the competent data protection authority before any data transfer is initiated.
7.6. Derogations for Specific Situations (Article 49)
If a specific data transfer is necessary in the absence of an adequacy decision or appropriate safeguards, NEUROSANTE B.V. will only proceed under the following conditions:
- Explicit Consent: Users are informed of the potential risks and give explicit consent for the transfer.
- Contractual Necessity: The transfer is necessary for the performance of a contract between the user and NEUROSANTE B.V., or for pre-contractual measures taken at the user’s request.
- Public Interest: The transfer is necessary for reasons of public interest, as recognized in EU law.
- Legal Claims: The transfer is necessary for the establishment, exercise, or defense of legal claims.
- Vital Interests: The transfer is necessary to protect vital interests of the data subject when physically or legally incapable of giving consent.
7.7. International Cooperation for Data Protection (Article 50)
NEUROSANTE B.V. will collaborate with the European Data Protection Board (EDPB) and relevant authorities to enhance international cooperation regarding data protection rules, thus ensuring the protection of users’ rights and compliance with international data transfer regulations.
8. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data. NEUROSANTE B.V. is committed to respecting these rights:
8.1. Right to Access (Article 15 GDPR)
You have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you can request access to the following information:
- The categories of personal data processed.
- The purposes of the processing.
- The recipients or categories of recipients to whom your data has been disclosed, particularly if these recipients are in third countries or international organizations.
- Where possible, the anticipated period for which your personal data will be stored, or, if not possible, the criteria used to determine that period.
- The existence of your rights under Articles 16 (rectification), 17 (erasure), 18 (restriction), 20 (data portability), and 21 (objection).
- The source of your data if it was not collected directly from you.
- The existence of automated decision-making, including profiling, as outlined in Article 22(1) and (4) GDPR, along with meaningful information about the logic involved and the consequences of such processing for you.
8.2. Right to Rectification (Article 16 GDPR)
If your personal data is inaccurate or incomplete, you have the right to request its rectification without undue delay. We will make every effort to ensure that any inaccurate data is corrected and that any incomplete data is completed.
8.3. Right to Erasure (Right to be Forgotten) (Article 17 GDPR)
You can request the deletion of your personal data if:
- It is no longer necessary for the purposes for which it was collected.
- You withdraw your consent and there is no other legal basis for processing.
- You object to processing (see the right to object below) and there are no overriding legitimate grounds for continuing.
- Your personal data has been unlawfully processed.
- Your personal data must be erased to comply with a legal obligation.
- It was collected in relation to the offer of information society services to a child, as specified in Article 8(1) GDPR.
8.4. Right to Restriction of Processing (Article 18 GDPR)
You have the right to request the restriction of processing of your personal data if:
- You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the data.
- The processing is unlawful, and you oppose the erasure of the data and instead request its restriction.
- We no longer need your personal data for processing, but you require it to establish, exercise, or defend legal claims.
- You have objected to processing under Article 21(1) GDPR, pending verification of whether our legitimate grounds override yours.
8.5. Right to Data Portability (Article 20 GDPR)
You can request that your personal data, which you have provided to us, be received in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit this data to another controller where:
- The processing is based on your consent or a contract.
- The processing is carried out by automated means.
8.6. Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data where the processing is based on Article 6(1)(e) or 6(1)(f) GDPR, including profiling. We will cease processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
8.7. Right to Withdraw Consent (Article 7(3) GDPR)
If the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. This withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
8.8. Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates GDPR. In the Netherlands, you can contact the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
If you wish to exercise any of these rights, please contact us at info@neuroces.com. We will respond to your request within one month, as stipulated by the GDPR (Article 12(3)).