Privacy Policy

Version 1.2 – May 5, 2026

Shift Advisory respects your privacy and is committed to protecting your personal data. This policy explains how we handle personal data as a data controller.

Shift Advisory is based in Amersfoort, the Netherlands, and registered with the Dutch Chamber of Commerce (KvK: 42021583).

Contact
Email: privacy@shiftadvisory.nl
Website: https://shiftadvisory.nl


1. Personal Data We Process

We process personal data when you contact us, work with us, or use our services.

When you contact us (e.g., via contact form):

  • Company name
  • Email address
  • Your question or request
  • Any additional information you choose to provide

When you become a client or supplier:

  • Company name
  • Contact person (name and role)
  • Address details
  • Phone number
  • Email address
  • Payment and invoicing details

Website usage:

  • We do not use analytics, tracking, or behavioral profiling technologies
  • We do not build user profiles or track user activity across sessions

We process personal data only when necessary and for the following purposes:

  • To respond to your inquiries
  • To deliver our services and fulfill agreements
  • To manage billing and financial administration
  • To comply with legal obligations (e.g., tax regulations)

Legal basis for processing:

  • Contractual necessity
  • Legal obligation
  • Legitimate interest (e.g., responding to inquiries and maintaining business communication)

3. Security and Automated Protection

We use automated security mechanisms to protect our website, services, and infrastructure from abuse, spam, and malicious activity.

This includes technologies such as CAPTCHA and anti-bot protection systems provided by EU-based service providers.

These systems may temporarily process technical information such as:

  • IP address
  • Browser and device information
  • Request and interaction signals

This processing is:

  • Strictly limited to security and abuse prevention
  • Not used for analytics, marketing, or user profiling
  • Not used to track individuals across websites or services

4. Data Retention

We retain personal data only as long as necessary:

  • Contact requests: up to 2 years after last contact (unless it becomes a client relationship)
  • Client and financial records: 7 years (legal requirement)

5. Data Sharing

We do not sell your data.

We only share personal data when necessary:

  • To deliver our services
  • To comply with legal obligations
  • To operate essential security and infrastructure services

We work with carefully selected service providers and ensure appropriate data processing agreements are in place.

Service providers:

  • Proton Workspace (EU) – email and document storage
  • Scaleway (EU) – website hosting
  • Cloudflare (EU/EEA processing where applicable) – security and anti-bot protection

6. EU Data Sovereignty

Shift Advisory follows a strict EU data sovereignty principle.

  • All data is processed and stored within the European Union or European Economic Area (EEA), where possible
  • We use EU-based service providers as a default standard
  • Data processing is aligned with GDPR requirements
  • We aim to ensure your data remains under European legal protection frameworks

7. Cookies

We do not currently use cookies.

If this changes in the future, this policy will be updated accordingly.


8. Your Rights

Under applicable data protection laws, you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data (“right to be forgotten”)
  • Restrict processing
  • Object to processing
  • Request data portability

To exercise your rights, contact: privacy@shiftadvisory.nl

You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).


9. Security Measures

We take data protection seriously and implement appropriate technical and organizational measures, including:

  • Encrypted connections (TLS/SSL)
  • Data storage exclusively within the European Union
  • Use of EU-based service providers
  • Access control based on the principle of least privilege
  • Strong authentication (password manager and two-factor authentication where applicable)
  • No shared accounts
  • Full disk encryption on work devices
  • Secure and encrypted backups where applicable
  • Automated security filtering and abuse prevention systems

10. Data Breach Handling

In the unlikely event of a data breach, Shift Advisory will act in accordance with GDPR requirements, including notification to relevant authorities and affected individuals where legally required.