Privacy Statement
Soveryne B.V. values your privacy. This statement explains which personal data we process, for which purposes, on which legal bases, and what rights you have. We process personal data in accordance with the GDPR (Regulation (EU) 2016/679) and the transparency obligations of Articles 13 and 14 GDPR.
1. Who we are (controller)
- Name: Soveryne B.V.
- Chamber of Commerce (KvK) number: 42030650
- Address: Lange Groenendaal 110A, 2801 LV Gouda
- Email: privacy@soveryne.com
- Data Protection Officer: we have not appointed a DPO. Privacy questions and data-subject requests can be sent to privacy@soveryne.com.
Soveryne B.V. provides SaaS and cybersecurity services. Visitors to our website and users of our services may be business users (B2B) as well as consumers (B2C).
2. Our role: controller and processor
Soveryne acts as an independent controller for personal data it processes for its own website, marketing, administration and management of the customer relationship.
Soveryne acts as a processor on behalf of the customer for personal data processed in providing the Services, governed by a separate data processing agreement (verwerkersovereenkomst) under Article 28 GDPR. For threat-intelligence and security-telemetry data processed to protect the Services, Soveryne may act as controller to the extent it determines the purposes and means.
3. Which personal data we process, and from which source
Depending on your relationship with us, we process the following categories of personal data:
- contact and identification data (such as name, email address, phone number, job title, company name);
- account and usage data (such as login details, preferences, use of our service);
- communication data (such as emails, support requests, form submissions);
- technical data (such as IP address, device and browser data, log data);
- data via cookies and similar techniques (see our cookie policy);
- payment and billing data;
- any other information you choose to provide to us.
Source of the data:
- data you provide to us yourself (for example via forms, email or when entering into an agreement);
- data generated automatically when you use our website or service;
- data from other sources, such as publicly available sources, public registers and partner referrals (for example in the context of OSINT and security research).
4. Purposes and legal bases
We process personal data only for the purposes set out below and on the corresponding legal bases under Article 6 GDPR.
| Purpose | Categories of data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Providing and managing our service / performing the agreement | Contact, account and usage data | Performance of a contract |
| Customer service and communication | Contact and communication data | Performance of a contract |
| Security, fraud prevention and logging | Technical data, log data | Legitimate interests |
| Improving website and services (analytics) | Technical data, usage data | Legitimate interests |
| Marketing and newsletters | Contact data | Consent |
| Billing and administration | Contact and payment data | Legal obligation |
| Complying with legal obligations | Depending on the obligation | Legal obligation |
Where we rely on a legitimate interest, we have balanced that interest against your privacy. Where we rely on consent, you can withdraw that consent at any time (see Your rights).
5. Is providing your data required?
- Where data is needed to enter into or perform our agreement (for example contact and account data), providing it is a contractual requirement; if you do not provide it, we cannot conclude or perform the agreement.
- Where we are legally required to process data (for example billing and administration data), providing it is a statutory requirement; if you do not provide it, we cannot meet our legal obligations and may be unable to deliver the service.
- Where we rely on consent (for example certain analytics or marketing), providing the data is optional and refusal or withdrawal has no consequences other than that we cannot carry out that specific processing.
6. Recipients and processors
We share personal data only where necessary for the purposes set out above. Recipients may include:
- service providers that process data on our behalf (processors), such as hosting and cloud providers (including sub-processors). These include Plausible Analytics (Plausible Insights OÜ, EU), Scaleway (France) and TransIP (Netherlands), and Mollie (Mollie B.V., Netherlands) for payments;
- within the group: Little Bit & Bytes B.V. (the holding), where relevant for shared administration and management;
- competent authorities, where we are legally required to do so.
We conclude data processing agreements with processors covering, among other things, security and confidentiality. We do not sell your personal data.
7. Transfers outside the EEA
Our named email and communications processors, Scaleway (France) and TransIP (Netherlands), are located within the European Economic Area (EEA), so for those services there is no international transfer. Where we host with other cloud providers and personal data would be processed outside the EEA, we ensure appropriate safeguards under Chapter V GDPR, as a rule by concluding the EU Standard Contractual Clauses with the party concerned, supplemented where necessary by additional measures.
You can request a copy of the safeguards used via privacy@soveryne.com.
8. Retention periods
We retain personal data no longer than necessary for the purposes for which it was collected, or for as long as we are legally required to retain it.
| Category | Retention period |
|---|---|
| Account and contract data | For the term of the agreement; deleted within 12 months after it ends |
| Communication and enquiry data (contact form) | 12 months |
| Invoices and financial administration | 7 years (statutory fiscal retention, Art. 52 AWR) |
| Security logs | 12 months |
| Data processed on the basis of consent | Until consent is withdrawn, and no longer than 24 months |
After the retention period ends, the data is deleted or anonymised.
9. Security
We take appropriate technical and organisational measures to protect your personal data against loss and unlawful processing, in accordance with Article 32 GDPR. As a provider of cybersecurity services, we attach particular importance to this. For example:
- encryption in transit (TLS 1.2+/1.3) and at rest (LUKS volume encryption and Fernet at application level);
- role-based access control with multi-factor authentication for administrative access;
- centralised logging and monitoring;
- regular, tested backups.
Our organisational and technical measures are aligned to ISO 27001. Soveryne is not currently ISO 27001 certified and claims no certification.
10. Your rights
Under the GDPR, you have the following rights in respect of your personal data:
- right of access
- right to rectification (correction)
- right to erasure (right to be forgotten)
- right to restriction of processing
- right to data portability
- right to object to processing
- right to withdraw consent given (without affecting the lawfulness of earlier processing)
You can exercise these rights by sending a request to privacy@soveryne.com. We may ask you to confirm your identity. We will respond within the statutory period.
11. Complaint to the supervisory authority
If you disagree with how we handle your personal data, you can lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). We would appreciate it if you would first share any concerns with us via privacy@soveryne.com.
12. Automated decision-making and AI
We do not use solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR).
We do use AI and automated tooling to deliver our services, for example AI-assisted generation of security controls, policies and guidelines, automated penetration testing, phishing-awareness simulations and adversary (cyber-criminal) simulations. These activities do not constitute automated decisions producing legal or similarly significant effects about you within the meaning of Article 22 GDPR. Our use of AI is governed by our AI Usage Policy and Product AI Risk Assessment, and AI-generated output is labelled where required under Article 50 of the EU AI Act.
13. Changes to this privacy statement
We may amend this privacy statement from time to time. The most current version is always available on our website. For significant changes, we will inform you in an appropriate manner, for example via our website or by email.
14. Contact
Do you have questions about this privacy statement or about the processing of your personal data? Contact us at privacy@soveryne.com.
