Last updated 30 March 2023
Your privacy is very important to us. In this document we provide you with information regarding the data we collect, how and why we collect it, and how we store and secure it.
1. Contact information
Customers and users of CookieFirst may contact us via the information provided below.
CookieFirst by Digital Data Solutions B.V.
Plantage Middenlaan 42a
1018 DH Amsterdam
Data protection officer
Tom van den Bos
2. The information we collect
When using our website, app and/or services we collect the following information.
If you create an account the following data is processed:
- Your name
- Your address
- Your residence
- Your phone number
- Your email address
- Your IP address (anonymised)
- Your payment details
- Cookie preferences
If you visit our website or use our services the following end user data is processed:
- Your IP address (anonymised)
- The date and time of the consent
- User agent of the End User’s browser and operating system
- The URL from which the consent was submitted
- An anonymous, random and encrypted key value
- The End User’s consent state, serving as proof of consent
If you visit our website or use our services the following system generated data is processed:
- The type of your browser
- The operating system that you use
- The internet service provider
- User device data
We specifically do not aim our services and products at persons under the age of sixteen (16). If personal data regarding such persons is discovered in our systems the data will be deleted without undue delay.
3. The purposes for which we process information
The information we process can be used for one or multiple of the following purposes:
- Account management
- When you have an account with us we need to process your personal information to ensure that you can log in and make changes to your subscription, orders, and payment. We also need your personal information to be able to contact you.
- Orders and payment
- When you place an order or make a payment to us, we need certain personal information to ensure the correct processing of your request, to prevent fraud, and for tax purposes.
- With your consent we process your personal information to be able to send you tailored offers regarding our products and services.
- In order to analyse how our website and services are used and how we can improve them we use pseudonymised data.
- We can also use your personal data for targeted advertising.
- Sending you newsletters
- If you sign up for our newsletter we need your personal details to send you the newsletter and enable you to unsubscribe.
- Market research
- Pseudonymised, anonymised, and aggregated data collected from website visitors to help us improve our services.
- Your personal data is processed when you fill in questionnaires and/or customer satisfaction ratings
- Security and error logging
- We can process personal data for security and error logging and thus, to improve our security and data protection.
4. Legal basis for processing
We always process your personal data with the utmost care. In this section the different legal bases we use are set out.
We always process your data on the basis of the consent you give us to do so. We could also process your data if it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. These legal bases are set out in article 6(1)(a) & (b) of the GDPR.
In order to enter into a contract regarding the purchase of one of our services, you must provide us with the required information. If you do not provide the required information it is not possible for us to deliver our services.
In some cases we are legally obliged to process your data (article 6(1)(c) GDPR). In that case, we will always inform you of this processing, unless a legal obligation prevents us from doing so.
5. How we protect your data
Digital Data Solutions has taken technical, organisational and physical security measures to ensure that the data you share with us is protected against all forms of unlawful processing. Examples are: accidental or unlawful destruction, accidental loss, alteration, unauthorised use, unauthorised modification, disclosure and/or access.
For safety and security reasons we cannot disclose the specific measures we have taken. A few broad examples are set out below.
This means that we have processes and measures in place to protect your personal data against unintentional, unlawful, or unauthorised access, disclosure or theft.
All our personnel are subject to full confidentiality and any third parties hired are obliged to sign a confidentiality agreement if the full confidentiality is not part of the main agreement. All data we process is encrypted to align with best practices for protecting confidentiality and data integrity.
Data is encrypted with Secure Sockets Layer (SSL) technology and data which are no longer necessary are destroyed without undue delay. When personal data is accessed by authorised personnel the access is only possible over an encrypted connection. All devices used by personnel have antivirus software.
This means that we have processes and measures in place for the maintenance of, and the assurance of, data accuracy and consistency. Access to personal information is only possible on a need to know basis and there are processes in place for identification and authentication of persons wanting access. There are also processes in place for erasure or rectification of incorrect information.
This means that we have processes and measures in place to ensure the timeliness and reliability of access to and use of data. We use the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacenter level disasters. All failover mechanisms are fully automated.
All data centers where your personal information is stored are within the EU and comply with industry standards such as ISO270001 for physical security and availability, for example by using 24h security staff, two-factor authentication, barriers, fencing, and security cameras.
5.4. Data breach notification
We do our best to prevent any kind of unauthorised access to your personal data. In the event that your data is compromised, we have internal procedures and policies on how to handle these situations. We will notify you and the competent Supervisory Authority(ies) within 72 hours with information about the extent of the breach, affected data, any impact on our services and our plan for measures to secure the data, and limit any further negative effects on the data subjects.
7. Third parties
In principle, Digital Data Solutions/CookieFirst does not sell, trade or otherwise transfer your personal data to third parties.
This does not include trusted third parties or subcontractors who assist us in providing our services and products. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may also release your information when we believe release is appropriate to comply with the law, enforce our policies, or protect our and/or others’ rights, property, or safety. Furthermore, non-identifiable information may be provided to other parties for marketing, advertising, or other purposes.
We will not disclose personal data to law enforcement or other supervisory authorities, unless our customers instruct us to do so or if we are compelled by law to do so. In those cases, we will limit the disclosure to the data which are requested and strictly necessary to comply with the request. If we are compelled to disclose your data, we will notify you and provide you with a copy of the demand unless we are legally prohibited from doing so.