
Privacy Policy

Last updated: 7 May 2026

Soteryan BV (“Soteryan,” “we,” “us,” “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information you provide through this website (soteryan.com), in compliance with the EU General Data Protection Regulation (GDPR), the Dutch Implementation Act (UAVG), and applicable international data protection laws.

1. Data Controller

The data controller for personal data processed via this website is:

Soteryan BV
Tweede Jacob van Campenstraat 118-H
1073XX Amsterdam, Netherlands
Chamber of Commerce (KvK): 62621726
Email: privacy@soteryan.com

2. What We Collect

We collect two kinds of data through this website: (a) personal data you actively submit via our forms, and (b) pseudonymous analytics about how the site is used — the latter only if you opt in to it via the cookie banner.

Contact form submissions — when you submit our contact form, we collect: first name, last name, email address, company name (optional), phone number (optional), and the contents of your message.

Newsletter subscriptions — when you subscribe to our Threat Brief, we collect your email address.

Analytics (opt-in only) — if you accept analytics in our cookie banner, we generate a random visitor identifier (the value of the soteryan_visitor cookie) and a session identifier and record events that include: the page you viewed, the page that referred you here, marketing campaign parameters in the URL (utm_source, utm_medium, utm_campaign), how long you spent on the page, how far you scrolled, which calls-to-action you clicked, and whether you submitted the contact form. We also derive coarse environment data from your browser request: device category (mobile / tablet / desktop), browser name, operating-system family, language preference, and country code (read from the network header, never stored as a raw IP address). All analytics processing happens on our own EU infrastructure. The visitor identifier is pseudonymous — it cannot be linked to your name, email, or other personal data unless you also submit the contact form, in which case the two records remain logically separated in our systems.

We do not knowingly collect data from children under 16. We do not use third-party advertising trackers or behavioural profiling. We do not run heatmaps or session recordings. We do not buy or sell visitor data.

3. Why We Collect It (Legal Basis)

We process your personal data on the following legal bases under Article 6 GDPR:

Contact form data is processed on the basis of your consent (Art. 6(1)(a)) and our legitimate interest in responding to your inquiry (Art. 6(1)(f)). It is used solely to respond to your request and to follow up on the conversation you initiated.

Newsletter data is processed on the basis of your explicit consent (Art. 6(1)(a)). You may withdraw this consent at any time using the unsubscribe link in every newsletter, or by emailing us.

Analytics data is processed on the basis of your explicit consent (Art. 6(1)(a)), captured through our cookie banner before any tracking cookie is set. You can withdraw this consent at any time via “Manage cookie preferences” in the footer of any page; on withdrawal, the analytics cookies are erased and no further events are recorded.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. How Long We Keep It

Contact form submissions are retained for up to 24 months after our last interaction with you, after which they are deleted unless a commercial relationship has been established (in which case standard business-record retention applies).

Newsletter subscriptions are retained until you unsubscribe.

Analytics data — raw event rows are retained for 24 months from the date of capture, then deleted automatically. Aggregated daily summaries (which contain no per-visitor data) are retained indefinitely. Visitor identifiers expire after 12 months on the cookie schedule, and the corresponding rows are purged on the next sweep. You can erase your own analytics data immediately at any time via the “Delete my data” button in the cookie preferences modal — this calls our /api/privacy/delete endpoint, which removes every row tied to your visitor identifier from our database.

5. Where Your Data Is Stored

This website is delivered through Vercel Inc., a U.S.-based hosting and content-delivery provider headquartered in San Francisco, California. Vercel is a sub-processor under our control and is bound by a Data Processing Agreement aligned with GDPR Art. 28. Vercel is certified under the EU–U.S. Data Privacy Framework and applies the European Commission’s Standard Contractual Clauses (SCCs) for any personal-data transfer that crosses the European Economic Area, ensuring an adequate level of protection equivalent to GDPR.

Static assets are served from Vercel’s global edge network; visitor IP addresses and request metadata may transit Vercel infrastructure in the United States as part of normal request routing and abuse protection. Contact-form submissions and newsletter sign-ups, when processed, are handled by Soteryan staff under the same DPA.

A current list of our data processors and sub-processors is available on request from privacy@soteryan.com. We will update this Privacy Policy in advance of any change to the hosting arrangement.

6. Your Rights

Under GDPR and equivalent data protection laws, you have the right to:

To exercise any of these rights, email privacy@soteryan.com. We will respond within one month, as required by Art. 12(3) GDPR. We may ask you to verify your identity before acting on the request.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including encryption in transit (TLS), access controls, and regular review of our security posture.

In the unlikely event of a personal data breach affecting your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform you directly where required by Art. 34 GDPR.

8. International Visitors

If you are accessing this website from outside the European Economic Area, please be aware that your data will be processed in the EEA and, where applicable, in the United States, in accordance with this policy. Where the laws of your country provide additional rights (e.g., the UK GDPR, Swiss FADP, California CCPA/CPRA), we will honor those rights to the extent applicable.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page indicates when it was last revised. Material changes will be communicated through the website or, where appropriate, by direct notice.

10. Contact

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: privacy@soteryan.com
© 2026 Soteryan BV. All rights reserved.