Legal
Privacy Statement
Last updated: June 2026
1. Data Controller
This website is operated by NovaSec B.V., registered in the Netherlands, with its principal place of business in Amersfoort. NovaSec is the data controller within the meaning of the General Data Protection Regulation (GDPR / AVG) for all personal data collected through this website.
This website serves solely as a portfolio and point of contact for prospective clients. No client data, engagement materials, or sensitive business information is stored or processed here.
Contact: info@novasec.nl
2. Personal Data We Process
We process personal data only when you actively provide it via the contact form.
Contact form submissions
Data: Name, email address, company name (optional), message content.
Purpose: Responding to your enquiry; assessing whether an engagement is a mutual fit.
Legal basis: Article 6(1)(f) GDPR — legitimate interest. Responding to an unsolicited business enquiry is a legitimate interest of NovaSec. Where an enquiry directly precedes a contractual engagement, Article 6(1)(b) GDPR (pre-contractual measures) may also apply.
Website analytics (Google Analytics 4)
Data: Anonymised usage data — pages visited, session duration, referral source, browser and device type. IP addresses are anonymised before processing. No cross-site tracking. No advertising profiles are built.
Purpose: Understanding which content is useful to visitors; improving the site. Analytics are used only in aggregate and are never linked to individual contact form submissions.
Legal basis: Article 6(1)(a) GDPR — consent. Analytics only activate after you click “Understood” on the cookie notice. You may withdraw consent at any time by clearing your browser's local storage. If consent is not given, Google Analytics remains inactive.
We do not process special categories of personal data (Article 9 GDPR), nor do we use personal data for automated decision-making or profiling.
3. Third-Party Processors
We engage the following processors under data processing agreements:
Resend (email delivery)
Contact form submissions are transmitted by email via Resend (Resend Inc., United States). Resend processes your name and email address solely to deliver the message to NovaSec. Data is processed under a DPA and is not used for any other purpose. Resend's privacy policy: resend.com/privacy.
Google Analytics 4 (analytics)
When you have given consent, we use Google Analytics 4 (Google LLC, United States) to collect anonymised usage statistics. Google Analytics is configured with IP anonymisation, and operates in Consent Mode v2 — no analytics cookies are set and no data is transmitted until consent is given. We have entered into a DPA with Google under the EU Standard Contractual Clauses. Google's privacy policy: policies.google.com/privacy.
No personal data is sold, rented, or shared with third parties for marketing purposes.
4. International Transfers
Both Resend and Google LLC are headquartered in the United States. Transfers to these processors are made on the basis of EU Standard Contractual Clauses (Article 46(2)(c) GDPR) and, where applicable, the EU–US Data Privacy Framework (Commission Implementing Decision of 10 July 2023). We have verified that both processors participate in appropriate transfer mechanisms.
5. Cookies and Local Storage
Functional (always active)
A preference key (cookie-notice-dismissed) is stored in your browser's local storage when you dismiss the cookie notice. This value is never transmitted to any server and is not personal data.
Analytics cookies (consent required)
If you give consent, Google Analytics 4 sets two first-party cookies: _ga (expires 2 years) and _ga_{ID} (expires 2 years). These cookies distinguish returning visitors for statistical purposes. They contain no personally identifying information.
To withdraw consent, clear your browser's local storage and cookies. Reloading the site will present the cookie notice again.
No tracking, advertising, or cross-site cookies are used.
6. Retention Periods
Contact enquiries: Retained for a maximum of 24 months from the date of receipt, unless a contractual engagement follows, in which case data is retained for as long as the engagement requires plus the applicable statutory retention period under Dutch law.
Google Analytics data: Retained for 14 months in Google Analytics, after which aggregate statistics are retained without personal identifiers. You may request earlier deletion; see Section 7.
Local storage preference: Retained until you clear your browser data. No server-side copy exists.
7. Your Rights Under the GDPR
As a data subject, you have the following rights:
Right of access (Article 15): Request a copy of the personal data we hold about you.
Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
Right to erasure (Article 17): Request deletion of your data, subject to any legal retention obligations.
Right to restriction (Article 18): Request that we limit the processing of your data in certain circumstances.
Right to data portability (Article 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
Right to object (Article 21): Object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent (analytics), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@novasec.nl. We will respond within one month (Article 12 GDPR). We may request verification of your identity before disclosing or modifying data.
8. Right to Lodge a Complaint
If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Hoge Nieuwstraat 8, 2514 EL Den Haag
autoriteitpersoonsgegevens.nl
We would appreciate the opportunity to resolve any concern directly before you contact the AP. Please reach us at info@novasec.nl.
9. Changes to This Statement
We may update this privacy statement when our processing activities or applicable law change. Material changes will be notified via a visible notice on this website. The date at the top of this page indicates when the statement was last revised.