Draft, not yet finalised. This statement is a working version. The data marked [ to be completed ] and the legal bases and retention periods are still to be confirmed by the lawyer before the page goes live.
Privacy
Privacy statement
Last updated: [ date of adoption ]
DTIA Bridge assesses transfers of personal data. We apply that principle to ourselves: we process as little data as possible, exclusively within the EU/EEA, and without tracking. Below you can read exactly which data we process, for what, for how long and what rights you have.
1.Who is responsible
DTIA Bridge is a Recht & Robots product. For the personal data processed via DTIA Bridge, Recht & Robots is the controller.
- Email: info@rechtenrobots.nl
- Address: Trouwlaan 19-02, 5021 WD Tilburg
- CoC: 90968182
2.Our principle: as little data as possible
The tool processes metadata about your transfer (data describing the transfer), never the personal data you transfer. We store as little as possible and keep everything within the EU/EEA. The most securely stored data is the data we don't record.
3.Which data we process
We process the following categories:
- Account data: your name, your organisation (optional) and your email address. We store your password only in encrypted form (a bcrypt hash), never in readable form.
- Dossier data: the metadata you enter in the wizard, such as the names of the exporter and importer, the roles, the countries, the categories of data and data subjects, the purpose, the retention period, the measures and the author, plus the module version and the verdict at the time of saving. This is data about the transfer; not the transferred personal data itself.
- Technical data: a functional session cookie or token to keep you logged in, and the usual server logging needed for the security and availability of the service.
- Locally on your device: as long as you do not save a dossier, your wizard answers stay in your browser (localStorage) and do not leave your device. ‘Start over’ erases that local storage.
4.For what and on what legal basis
We process your data for the following purposes (Article 6 GDPR):
- To create your account and provide the service, including storing and monitoring your dossiers: performance of the contract (Article 6(1)(b) GDPR).
- To keep the service secure and available and to prevent misuse: legitimate interest (Article 6(1)(f) GDPR).
- To comply with legal obligations where they apply: legal obligation (Article 6(1)(c) GDPR).
The definitive legal bases per processing activity are still to be confirmed: [ curate legal bases ].
5.How long we keep data
- Account data: for as long as you have an account. If you cancel, we delete your account and your saved dossiers within [ period ].
- Dossiers: until you delete them or cancel your account. Deleting your account deletes your dossiers with it.
6.Who can access your data
- Our hosting provider [ hosting party name ] provides the servers and database within the EU/EEA and processes data solely on our instructions, under a data processing agreement.
- We do not sell your data and use no third-party advertising or tracking services.
7.Transfers outside the EEA
None. Storage and processing take place within the EU/EEA, with a European host. No US cloud, not even a ‘European region’ of one. A tool that assesses the risk of foreign government access should apply that principle to itself.
8.Cookies
DTIA Bridge uses only a functional cookie or session token to keep you logged in. There are no third-party analytics, tracking or marketing cookies. That is why we do not need to ask you for cookie consent.
9.Security
We protect your data with appropriate technical and organisational measures: passwords are hashed (bcrypt), data is encrypted in transit and at rest, and we apply access control and data minimisation. [ to be completed by the lawyer ]
10.Your rights
Under the GDPR (Articles 15 to 22) you have the right to:
- access to your data, and rectification or erasure;
- restriction of processing and objection to processing;
- portability of your data.
You can also delete your account and your dossiers yourself. To exercise a right, send a message to info@rechtenrobots.nl; we respond within the statutory period.
11.Lodging a complaint
If you disagree with how we handle your data, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via autoriteitpersoonsgegevens.nl.
12.Changes
We may amend this privacy statement, for example if the service changes. The date at the top shows when it was last updated.