Back to home

Privacy Policy

Last updated: March 7, 2026

1. Introduction & Controller

This Privacy Policy explains how Hipodo ("we", "us", "our") collects, uses, and protects your personal data when you visit our website or use our services. We process your data in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection law.

Data Controller:

  • Company: Hipodo
  • KvK: 96200618
  • VAT: NL030768330B01
  • Address: Zaamslag, Netherlands
  • Email: [email protected]

2. Definitions

  • "Personal Data" means any information that can directly or indirectly identify a natural person (e.g., name, email address, IP address).
  • "Processing" means any operation performed on personal data, including collection, storage, use, sharing, and deletion.
  • "Data Subject" means the individual whose personal data is being processed (i.e., you).
  • "Controller" means the entity that determines the purposes and means of processing personal data (i.e., Hipodo).
  • "Processor" means a third party that processes personal data on behalf of the Controller.

3. Data We Collect

We collect the following types of personal data:

Contact and form data:

  • Name and email address
  • Phone number (if provided)
  • Company name and website URL
  • Message content submitted through forms

Automatically collected data:

  • IP address (anonymized where possible)
  • Browser type and operating system
  • Pages visited, time spent, and referral source
  • Device type (desktop, mobile, tablet)

4. How We Collect Data

  • Directly from you: When you fill in a form, send us an email, or otherwise communicate with us.
  • Automatically: Through analytics tools when you browse our website (only after consent, where required).
  • Third-party sources: In rare cases, from publicly available business directories or referral partners, always in compliance with applicable law.

5. Purpose & Legal Basis

We process your personal data for the following purposes:

PurposeLegal BasisRetention
Responding to contact requestsPre-contractual steps1 year after last contact
Executing client engagementsContract performance7 years (Dutch fiscal law)
Website analyticsConsent26 months
Legal complianceLegal obligationAs required by law

6. Data Sharing

We do not sell your personal data. We share data only when necessary:

  • Processors: Service providers that help us deliver our services (e.g., hosting, analytics, email). Each is bound by a Data Processing Agreement (DPA).
  • Legal requirements: When required by law, court order, or regulatory authority.
  • Business transfers: In the event of a merger, acquisition, or asset sale (you will be notified in advance).

7. Cookies & Tracking

For full details on our use of cookies and tracking technologies, please see our Cookie Policy.

In summary: we use necessary cookies for basic functionality and analytics cookies (Vercel Analytics) only after your explicit consent.

8. Third-Party Services

We use the following third-party services:

ServicePurposeData processedLocation
VercelHosting, AnalyticsPage views, performance dataUS (EU-US DPF)
SentryError trackingError logs, browser infoUS (SCCs)
GitHubCode hostingSource code (no personal data)US (EU-US DPF)

9. International Transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. We ensure a lawful basis for these transfers through:

  • EU adequacy decisions: Where the European Commission has determined the recipient country offers adequate data protection.
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards that bind the recipient to GDPR-level protections.
  • EU-U.S. Data Privacy Framework: Where applicable, providers are certified under this framework.

10. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected:

  • Contact form submissions: 1 year after last contact, unless an engagement is started.
  • Client engagement data: 7 years after the end of the engagement (Dutch fiscal retention obligation).
  • Analytics data: 26 months (anonymized after expiry).
  • Cookie consent records: 1 year.

After the retention period, data is deleted or anonymized. You may request earlier deletion at any time (see section 11).

11. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to restriction: Request restriction of processing in certain circumstances.
  • Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). See section 15.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

12. Security Measures

We take appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: All data sent between your browser and our servers is encrypted via TLS/HTTPS.
  • Encrypted storage: Sensitive data is encrypted at rest where applicable.
  • Access controls: Only authorized personnel have access to personal data, on a need-to-know basis.
  • Regular updates: We keep our systems and dependencies up to date to address known vulnerabilities.
  • Incident response: In the event of a data breach, we notify affected individuals and the relevant supervisory authority within the legally required timeframes.

13. Children's Privacy

Our services are directed at businesses and professionals, not at children. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • The "Last updated" date at the top of this page will be revised.
  • For material changes (e.g., new categories of data collection, new processors), we will notify affected users via email.
  • Non-material updates (e.g., clarifications, formatting) are effective immediately upon publication.

15. Contact & Complaints

If you have questions about this Privacy Policy or want to exercise your rights:

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Questions about this policy? Contact us at [email protected]

🍪 Cookies

We use necessary storage for basic functionality. We only load analytics (Vercel Analytics) after your consent.