Privacy Policy

Soteryan BV (“Soteryan,” “we,” “us,” “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information you provide through this website (soteryan.com), in compliance with the EU General Data Protection Regulation (GDPR), the Dutch Implementation Act (UAVG), and applicable international data protection laws.

1. Data Controller

The data controller for personal data processed via this website is:

2. What We Collect

We only collect personal data that you actively provide to us through this website. Specifically:

Contact form submissions — when you submit our contact form, we collect: first name, last name, email address, company name (optional), phone number (optional), and the contents of your message.

Newsletter subscriptions — when you subscribe to our Threat Brief, we collect your email address.

We do not knowingly collect data from children under 16. We do not use cookies, web analytics, advertising trackers, or behavioral profiling on this website.

3. Why We Collect It (Legal Basis)

We process your personal data on the following legal bases under Article 6 GDPR:

Contact form data is processed on the basis of your consent (Art. 6(1)(a)) and our legitimate interest in responding to your inquiry (Art. 6(1)(f)). It is used solely to respond to your request and to follow up on the conversation you initiated.

Newsletter data is processed on the basis of your explicit consent (Art. 6(1)(a)). You may withdraw this consent at any time using the unsubscribe link in every newsletter, or by emailing us.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. How Long We Keep It

Contact form submissions are retained for up to 24 months after our last interaction with you, after which they are deleted unless a commercial relationship has been established (in which case standard business-record retention applies).

Newsletter subscriptions are retained until you unsubscribe.

5. Where Your Data Is Stored

This website is delivered through Vercel Inc., a U.S.-based hosting and content-delivery provider headquartered in San Francisco, California. Vercel is a sub-processor under our control and is bound by a Data Processing Agreement aligned with GDPR Art. 28. Vercel is certified under the EU–U.S. Data Privacy Framework and applies the European Commission’s Standard Contractual Clauses (SCCs) for any personal-data transfer that crosses the European Economic Area, ensuring an adequate level of protection equivalent to GDPR.

Static assets are served from Vercel’s global edge network; visitor IP addresses and request metadata may transit Vercel infrastructure in the United States as part of normal request routing and abuse protection. Contact-form submissions and newsletter sign-ups, when processed, are handled by Soteryan staff under the same DPA.

A current list of our data processors and sub-processors is available on request from privacy@soteryan.com. We will update this Privacy Policy in advance of any change to the hosting arrangement.

6. Your Rights

Under GDPR and equivalent data protection laws, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data (“right to be forgotten”)
• Restrict or object to our processing
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email privacy@soteryan.com. We will respond within one month, as required by Art. 12(3) GDPR. We may ask you to verify your identity before acting on the request.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including encryption in transit (TLS), access controls, and regular review of our security posture.

In the unlikely event of a personal data breach affecting your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform you directly where required by Art. 34 GDPR.

8. International Visitors

If you are accessing this website from outside the European Economic Area, please be aware that your data will be processed in the EEA and, where applicable, in the United States, in accordance with this policy. Where the laws of your country provide additional rights (e.g., the UK GDPR, Swiss FADP, California CCPA/CPRA), we will honor those rights to the extent applicable.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page indicates when it was last revised. Material changes will be communicated through the website or, where appropriate, by direct notice.

10. Contact

For any questions, concerns, or requests regarding this Privacy Policy or your personal data: