Privacy Policy

Last updated: February 10, 2026

1. Introduction & Controller

This Privacy Policy explains how Hipodo ("we", "us", "our") collects, uses, and protects your personal data when you visit our website or use our services. We are committed to processing your data in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection law.

Data Controller:

Company: Hipodo
KvK: 96200618
VAT: NL030768330B01
Address: Zaamslag, Netherlands
Email: [email protected]

2. Definitions

"Personal Data" means any information that can directly or indirectly identify a natural person (e.g., name, email address, IP address).
"Processing" means any operation performed on personal data, including collection, storage, use, sharing, and deletion.
"Data Subject" means the individual whose personal data is being processed (i.e., you).
"Controller" means the entity that determines the purposes and means of processing personal data (i.e., Hipodo).
"Processor" means a third party that processes personal data on behalf of the Controller.

3. Data We Collect

We collect the following types of personal data:

Contact and form data:

Name and email address
Phone number (if provided)
Company name and website URL
Message content submitted through forms

Audit data:

Website URL submitted for analysis
Audit results and improvement recommendations

Automatically collected data:

IP address (anonymized where possible)
Browser type and operating system
Pages visited, time spent, and referral source
Device type (desktop, mobile, tablet)

4. How We Collect Data

Directly from you: When you fill in a form, request an audit, send us an email, or otherwise communicate with us.
Automatically: Through cookies and analytics tools when you browse our website (only after consent, where required).
Third-party sources: In rare cases, from publicly available business directories or referral partners, always in compliance with applicable law.

5. Purpose & Legal Basis

We process your personal data for the following purposes:

Purpose	Legal Basis	Retention
Responding to contact requests	Pre-contractual steps	1 year after last contact
Delivering the free audit	Consent / legitimate interest	1 year
Performing a client engagement	Contract performance	7 years (fiscal obligation)
Sending project updates	Legitimate interest	Duration of engagement
Website analytics	Consent	26 months
Improving our website and services	Legitimate interest	Aggregated / anonymized

6. AI & Data Safety

We use advanced AI tools (such as large language models) for content creation, analysis, and development. Your privacy and safety are paramount:

Zero-data-training: We have configured our AI tools so that your specific business data is not used to train public AI models. Your secrets stay yours.
Human-in-the-loop: No AI-generated content goes live without human verification. An expert always reviews the output for accuracy and safety.
No sensitive data: We never input personal data (such as client lists, passwords, or financial details) into public AI tools without anonymization.
Transparency: We are happy to explain exactly how AI is used in your project upon request.

7. Cookie Policy

Cookies are small text files placed on your device. We use the following cookies:

Cookie	Purpose	Duration	Type
cookie_consent	Stores your cookie preferences	1 year	Essential
_ga / _gid	Google Analytics (visitor statistics)	2 years / 24h	Analytics (consent)

Essential cookies are always active. Analytics cookies are only loaded after you opt in via the cookie banner or cookie settings. You can withdraw consent at any time through our cookie settings.

8. Processors & Subprocessors

We use the following third-party services that may process personal data on our behalf:

Service	Purpose	Location
Vercel	Website hosting and deployment	US (EU edge nodes)
Supabase	Form handling and data storage	EU (Frankfurt)
Google Analytics	Website usage statistics	US (anonymized IP)
Google Fonts	Font delivery	US

Where applicable, we have Data Processing Agreements (DPAs) in place with these providers. We evaluate subprocessors for GDPR compliance before use.

9. International Transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. We ensure a lawful basis for these transfers through:

EU adequacy decisions: Where the European Commission has determined the recipient country offers adequate data protection.
Standard Contractual Clauses (SCCs): EU-approved contractual safeguards that bind the recipient to GDPR-level protections.
EU-U.S. Data Privacy Framework: Where applicable, providers are certified under this framework.

10. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected:

Contact form submissions: 1 year after last contact, unless an engagement is started.
Audit data: 1 year after delivery.
Client engagement data: 7 years after the end of the engagement (Dutch fiscal retention obligation).
Analytics data: 26 months (anonymized after expiry).
Cookie consent records: 1 year.

After the retention period, data is deleted or anonymized. You may request earlier deletion at any time (see section 11).

11. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data ("right to be forgotten").
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to restriction: Request restriction of processing in certain circumstances.
Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint: File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). See section 15.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

12. Security Measures

We take appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit: All data sent between your browser and our servers is encrypted via TLS/HTTPS.
Encrypted storage: Sensitive data is encrypted at rest where applicable.
Access controls: Only authorized personnel have access to personal data, on a need-to-know basis.
Regular updates: We keep our systems and dependencies up to date to address known vulnerabilities.
Incident response: In the event of a data breach, we notify affected individuals and the relevant supervisory authority within the legally required timeframes.

13. Children's Privacy

Our services are directed at businesses and professionals, not at children. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

The "Last updated" date at the top of this page will be revised.
For material changes (e.g., new categories of data collection, new processors), we will notify affected users via email.
Non-material updates (e.g., clarifications, formatting) are effective immediately upon publication.

15. Contact & Complaints

If you have questions about this Privacy Policy or want to exercise your rights:

Email: [email protected]
Postal address: Hipodo, Zaamslag, Netherlands

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)88 1805 250