PRIVACY POLICY Cookie First by Digital Data Solutions B.V.

Last updated 24 November 2022

Your privacy is very important to us. In this document we provide you with information regarding the data we collect, how and why we collect it, and how we store and secure it.

1. Contact information

Customers and users of CookieFirst may contact us via the information provided below.

CookieFirst by Digital Data Solutions B.V.
Plantage Middenlaan 42a
1018 DH Amsterdam
KvK-number: 75762277
legal@cookiefirst.com

Data protection officer
Tom van den Bos
legal@cookiefirst.com

2. The information we collect

When using our website, app and/or services we collect the following information.
If you create an account the following data is processed:

  • Your name
  • Your address
  • Your residence
  • Your phone number
  • Your email address
  • Your IP-address (anonymised)
  • Your payment details
  • Cookie preferences

If you visit our website or use our services the following end user data is processed:

  • Your IP-address (anonymised)
  • The date and time of the consent
  • User agent of the End User’s browser and operating system
  • The URL from which the consent was submitted
  • An anonymous, random and encrypted key value
  • The End User’s consent state, serving as proof of consent

If you visit our website or use our services the following system generated data is processed:

  • The type of your browser
  • The operating system that you use
  • The internet service provider
  • User device data

We specifically do not aim our services and products at persons under the age of sixteen (16). If personal data regarding such persons is discovered in our systems the data will be deleted without undue delay.

3. The purposes for which we process information

The information we process can be used for one or multiple of the following purposes:

  • Account management
    • When you have an account with us we need to process your personal information to ensure that you can log in and make changes to your subscription, orders, and payment. We also need your personal information to be able to contact you.
  • Orders and payment
    • When you place an order or make a payment to us, we need certain personal information to ensure the correct processing of your request, to prevent fraud, and for tax purposes.
  • Marketing
    • With your consent we process your personal information to be able to send you tailored offers regarding our products and services.
    • In order to analyse how our website and services are used and how we can improve them we use pseudonymised data.
    • We can also use your personal data for targeted advertising.
  • Sending you newsletters
    • If you sign up for our newsletter we need your personal details to send you the newsletter and enable you to unsubscribe.
  • Market research
    • Pseudonymised, anonymised, and aggregated data collected from website visitors to help us improve our services.
    • Your personal data is processed when you fill in questionnaires and/or customer satisfaction ratings.
  • Security and error logging
    • We can process personal data for security and error logging, and thus to improve our security and data protection.

4. Legal basis for processing

We always process your personal data with the utmost care. In this section the different legal bases we use are set out.
We always process your data on the basis of the consent you give us to do so. We could also process your data if it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. These legal bases are set out in article 6(1)(a) & (b) of the GDPR.

In order to enter into a contract regarding the purchase of one of our services, you must provide us with the required information. If you do not provide the required information it is not possible for us to deliver our services.

In some cases we are legally obliged to process your data (article 6(1)(c) GDPR). In that case, we will always inform you of this processing, unless a legal obligation prevents us from doing so.

5. How we protect your data

Digital Data Solutions has taken technical, organisational and physical security measures to ensure that the data you share with us is protected against all forms of unlawful processing. Examples are: accidental or unlawful destruction, accidental loss, alteration, unauthorised use, unauthorised modification, disclosure and/or access.

For safety and security reasons we cannot disclose the specific measures we have taken. A few broad examples are set out below.

5.1. Confidentiality
This means that we have processes and measures in place to protect your personal data against unintentional, unlawful, or unauthorised access, disclosure or theft.

All our personnel are subject to full confidentiality and any third parties hired are obliged to sign a confidentiality agreement if the full confidentiality is not part of the main agreement. All data we process is encrypted to align with best practices for protecting confidentiality and data integrity.

Data is encrypted with Secure Sockets Layer (SSL) technology and data which are no longer necessary are destroyed without undue delay. When personal data is accessed by authorised personnel the access is only possible over an encrypted connection. All devices used by personnel have antivirus software.

5.2. Integrity
This means that we have processes and measures in place for the maintenance of, and the assurance of, data accuracy and consistency. Access to personal information is only possible on a need to know basis and there are processes in place for identification and authentication of persons wanting access. There are also processes in place for erasure or rectification of incorrect information.

5.3. Availability
This means that we have processes and measures in place to ensure the timeliness and reliability of access to and use of data. We use the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacenter level disasters. All failover mechanisms are fully automated.

All data centers where your personal information is stored are within the EU and comply with industry standards such as ISO 27001 for physical security and availability, for example by using 24h security staff, two-factor authentication, barriers, fencing, and security cameras.

5.4. Data breach notification
We do our best to prevent any kind of unauthorised access to your personal data. In the event that your data is compromised, we have internal procedures and policies on how to handle these situations. We will notify you and the competent Supervisory Authority(ies) within 72 hours with information about the extent of the breach, affected data, any impact on our services and our plan for measures to secure the data, and limit any further negative effects on the data subjects.

6. How we use cookies

For information on our use of cookies, we refer you to our Cookie Policy.

7. Third parties

In principle, Digital Data Solutions/CookieFirst does not sell, trade or otherwise transfer your personal data to third parties.

This does not include trusted third parties or subcontractors who assist us in providing our services and products. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.

We may also release your information when we believe release is appropriate to comply with the law, enforce our policies, or protect our and/or others’ rights, property, or safety. Furthermore, non-identifiable information may be provided to other parties for marketing, advertising, or other purposes.

We will not disclose personal data to law enforcement or other supervisory authorities, unless our customers instruct us to do so or if we are compelled by law to do so. In those cases, we will limit the disclosure to the data which are requested and strictly necessary to comply with the request. If we are compelled to disclose your data, we will notify you and provide you with a copy of the demand unless we are legally prohibited from doing so.

7.1 Sub processors

The Processor, Digital Data Solutions BV – CookieFirst, has sub-contracted (part of) the processing of the Personal Data to the following Sub-Processors:

7.1.1 CookieFirst as Processor

| Sub-Processor | Location of processing activities | Purposes of processing |
|---|---|---|
| OVH BV, The Netherlands | Germany / France | Providing API for saving consent data. Providing hosting services for the CookieFirst website and applications. Storage of CDN log data. |
| Artia International S.R.L. (IP-API) | Romania | Used by our API to determine country and region, enhancing consent data and providing additional banner configurations based on country/region. |
| BunnyWay d.o.o., Slovenia | Slovenia | Provider of Content Delivery Network (CDN) ensuring global performance of the cookie banner. |
| Mailgun Technologies Inc., USA | Germany | Used by our system to send email notifications to customers. Used in registration processes, change password activities and marketing emails. No end user data is processed here. |
| Zendesk Inc, USA | Ireland | Provider of support ticket system. No end user data is sent to this service. We only share your email and name when you send a support request. No end user data is processed here. |

7.1.2 CookieFirst as Controller

| Sub-Processor | Location of processing activities | Purposes of processing |
|---|---|---|
| Google LLC, USA | USA | Analytics: measuring website usage. Ads: Website advertising, search engine advertising |
| Microsoft Inc, USA | USA | Analytics: measuring website usage. Ads: Website advertising, search engine advertising |
| LinkedIn Inc, USA | USA | Ads: Website advertising, search engine advertising |
| Tapfiliate BV, NL | The Netherlands | Marketing: Measuring affiliate conversions |
| Leadfeeder, Finland | Finland | Marketing: Website visitor identification |
| OVH, France | France/Germany | Providing webhosting services |
| BunnyWay d.o.o., Slovenia | Slovenia | Providing webfont hosting and static file storage |
| Mailgun Technologies Inc, USA | Germany | Providing email sending services |
| Visitor Analytics GmbH | Germany | Analytics: measuring website usage |

8. Where your data is stored

CookieFirst by Digital Data Solutions B.V. stores all personal data in databases located in the European Economic Area (EEA). In certain cases some of our subcontractors or trusted third parties may transfer personal data outside the European Union, but only if this is necessary for the provision of their services. These parties all have implemented adequate safeguards to guarantee the protection and security of your data.

9. Your rights

If we process your personal data, you have certain rights flowing from the GDPR. Aside from these rights you can always withdraw your consent. If you do so, we will not process any more of your personal data from that point in time.

9.1. Right of access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed by us and, if that is the case, access to that information.

9.2. Right to rectification
You have the right to correct and/or complete personal data concerning yourself if those data are incorrect and/or incomplete. We will correct this without undue delay.

9.3. Right to erasure
You may require us to have your personal information deleted and we shall be obliged to erase that information immediately if one of the following situations applies:

  • Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • You revoke your consent and there is no other legal basis for processing;
  • You object to the processing and there are no other legitimate grounds for processing;
  • Your personal data have been processed unlawfully;
  • Your personal data have to be erased for compliance with a legal obligation.

9.4. Right to restriction of processing
You may at any time request us to restrict processing of your personal data if one of the following situations applies:

  • If you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
  • If the processing is unlawful and you would rather restrict the use of your personal data as opposed to the erasure;
  • If we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • If you have objected to the processing pending the verification whether our legitimate grounds override yours.

9.5. Notification obligation
If you invoke your right to rectification, erasure or restriction of processing we shall communicate this to all recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon your request we will inform you about those recipients.

9.6. Right to data portability
You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and transmit those data to another party without hindrance from us. If you wish, the personal data can also be transferred directly to a third party of your choice, where technically feasible.

9.7. Right not to be subjected to automated individual decision-making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if:

  • It is necessary for entering into, or performance of, a contract; 
  • It is authorised by EU or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; 
  • It is based on your explicit consent.

9.8. Right to complain with a competent supervisory authority
You have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of the personal data concerning you is against the GDPR. Names and contact information of the competent supervisory authorities in the European Union can be found at Overview EU DPAs.

The supervisory authority to which the complaint has been submitted shall inform you of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

10. Data retention

Personal data processed by Digital Data Solutions/CookieFirst will be deleted as soon as they are not necessary anymore for the provision of our services and products or after the contract between us and the customer ends.

In the Cookie Policy all retention periods regarding cookies can be found. These retention periods affect all website visitors and all visitors on websites of customers of CookieFirst by Digital Data Solutions.

All retention periods regarding personal data processed regarding our customers can be found in the Agreements concluded between us, including the Data Processing Agreement.

11. General terms and conditions

Please see our General Terms and Conditions for further information about the use, availability and maintenance of our services and products, the prices, liability, non-disclosure, and other general terms.

12. Changes to this privacy policy

We reserve the right to update this privacy policy from time to time. We will publish a clear notice at the top of this Privacy Policy that informs users when it was last updated.