We recognize that you put your trust in us. It is therefore our responsibility to protect your privacy. This is quite an extensive document in which we explain why we collect data, what data we collect and how we process it so you can understand exactly how we work and how your data is processed.
We are not responsible or liable for any infringements on your privacy by other sites and sources, including our clients and partners.
We respect the privacy of all users of our website and ensure that the personal information you provide is treated confidentially.
Use of the TrustProfile system
Purposes of our TrustProfile system
The personal data we receive from publicly available trust sources and from clients will be processed for the purpose of assessing the reliability of a web store and to inform consumers and interested parties, this is always based on the legitimate interests of consumer protection. In this context we can distinguish three main processes:
- Keeping a register in which we record all inspected web stores;
- We collect, publish, and moderate customer reviews about web stores;
- Informing about various important aspects within the e-commerce.
Database of web stores
To be able to inform consumers about the reliability and customer service of a web store we maintain a database. This database is created and maintained by information from our clients and trust sources. These trust sources are publicly available and can be verified by anyone.
Data that we store in our database include; the name of the contact person, the Chamber of Commerce number, VAT number, company address, telephone number and e-mail address.
- This is based on the legitimate interests of consumer protection.
- We consider the risk of processing these personal details as low.
- We keep the data on a secure database, the server is located in The Netherlands.
- We store this data indefinitely. We consider this necessary from the point of view of informing the consumer about the reliability of web stores. At the request of the person concerned, we can anonymize the personal data from the register.
Customer reviews – the invitation
In order to be able to inform the consumer about the quality of a web store, clients can invite customers to leave a review. We will then send an email on behalf of the client to the customers and publish the review. Sending this email can be done via the email address of TrustProfile.com or an email address of the clients web store.
To send the invitation, we process the following personal data: name and email address of the consumer and order number. Optionally, the phone number of the consumer and ordered products can also be processed, for example for sending a mobile invitation and/or collecting product reviews.
- Clients are obliged to inform their customers that they share personal data with us before sending the review invites. A sample text to add to your privacy statement can be found in our suport forum.
- We consider the risk of processing these personal data average.
- Invitations are sent via e-mail by Mandrill.
- We retain this information on a secure database, the server is located in The Netherlands.
- This data is retained for three years. This is necessary in order to provide our clients with statistics about the invitations sent and to prevent a single consumer from writing multiple reviews about a web store. This way we also try to protect web stores and consumers from fake reviews.
Customer reviews – the review
The customer reviews about a web store will be published on the web store’s trustprofile. If a noteworthy or offensive review is left the client can ask us to edit or remove the review by means of a moderation request. When requested by the client, we will assess the situation and contact the customer if necessary. More information on this process can be found in our Customer review policy.
To publish and manage the reviews we process the following (personal) data: the review text, name, email address, order number and IP address of the customer. An order number is requested but is not mandatory.
- The customer gives us permission to process and publish these personal data when issuing the review.
- We consider the risk of processing these personal data average.
- Correspondence will be sent via e-mail by Mandrill.
- We keep this data on a secure database, the server is located in The Netherlands.
- We store this data indefinitely. We consider this necessary from the point of view of informing the consumer about the reliability of the web store, this is always based on the justified interests of consumer protection. The consumer can adjust or remove his/her own review. The review can also be removed by TrustProfile at the request of the consumer.
Information for our clients
To help you increase the reliability of your web stores and to keep it up to date with new regulations, we publish a frequent newsletter for our clients.
To be able to send the newsletter we process the following personal data of our clients: your name and email address.
- We process these personal data in order to be able to carry out transactions with you.
- We consider the risk of processing these personal details low.
- Correspondence will be sent via e-mail by Mailchimp.
- We keep this data if you are subscribed to the newsletter. You can unsubscribe from our newsletter via a link found in all of our emails.
Use of our website
Purposes of data when using the website
We collect data for research purposes in order to gain a better understanding of our visitors so that we can tailor our services accordingly. We do this by means of Google Analytics among others. We anonymize your IP address and we have an agreement with Google that prevents Google to share your data with third parties.
This website uses ‘cookies’ (small text files placed on your computer) to help the website analyze the ways that visitors use the site. The information about your use of the website is stored in a cookie and can be transferred to our secure servers or those of a third party. We use this information to track how you use the website, to compile reports on website activity and to offer other services related to website activity and internet use.
There are various types of cookies, namely:
- Functional cookies: these cookies are necessary for the website to function properly. Our website can place cookies for functions like logging in, using the support forum, etc.
- Analytical cookies: these cookies provide insight into the use of the website and how you found the website. Cookies from Google Analytics, Hotjar and GA Audiences are placed for this purpose;
- Marketing cookies: these cookies are used to record the surfing behavior of visitors in order to make personalized offers. We don’t use these kind of cookies at the moment.
By default, most browsers are set to accept cookies, but you can set your browser to refuse all cookies or to alert when a cookie is being sent. However, some features and services, on our and other websites, may not function correctly if cookies are disabled in your browser.
This is an overview of all sub processors we work with. These parties help us, for example, in enabling the daily customer service, technical developments and much more. We believe it is important that the parties we work with comply with certain requirements and rules when it comes to processing your data. The security requirements have been laid down in a processing agreement, which makes sure that your data will be properly secured.
The data you share with us is important and our sub processors understand that too. We only share personal data with sub processors that we list on our website. All these sub processors:
- only process their data within the EU or have taken appropriate technical and organizational security measures;
- take the necessary steps for proper data protection. The level of data protection is related to a risk assessment.
We are not allowed to share data with a sub processor that does not meet the above requirements without your explicit written consent. By only working with parties who meet these requirements, we ensure that your data is also processed correctly and securely by these sub processors.
Mailchimp – Mailchimp helps us to set up mail campaigns and send automated messages on our behalf. For example think of our newsletter and automated messages. You can unsubscribe from many of these messages via a link at the bottom of the mail. There are also messages that you as a member should receive about our services, such as test results. The processing of personal data by Mailchimp is governed by a data processing agreement.
Mandrill – Mandrill is part of Mailchimp and is an application that enables the automatic sending of e-mails. We have a data processing agreement with Mailchimp, the owner of Mandrill.
Supportbee – Supportbee is a mail program that we use for our non-automated mail correspondence. Through Supportbee we get in contact with our clients and we react for example to questions that come in by mail. Supportbee does not ask for personal data, however, they can be included into mail threads/correspondence. The processing of personal data by Supportbee is governed by a data processing agreement.
Google Analytics – We use Google Analytics to provide us with a clear picture of, among other things, visitor flows, traffic sources and page views. These statistics allow us to make improvements to our website. We have signed a data processing agreement with Google with regard to their Google Analytics-service.
Hively – When you email us you can leave a review about us via Hively. This enables us to improve our service based on the needs communicated to us. We have a data processing agreement with Hively. Leaving a review is of course completely optional, but it will be appreciated!
Hotjar – Hotjar helps us gain insight into how our website is used. They help us to track browser behavior and based on this information we can make improvements to our website. This way we make visiting our website a pleasant experience. They do not process personal data; therefore we do not have a processing agreement with this party.
For payments and administration
Buckaroo – We use Buckaroo for processing our payments. Personal data is gathered with the use of the payment system Buckaroo. Buckaroo will not use this data for any other purposes. We have a data processing agreement with Buckaroo.
Moneybird – We use Moneybird for administration and accounting. With Moneybird we keep track of our expenses and income. Personal data is collected in order to be able to offer our services. Some administrative must be kept due to fiscal laws for seven years. Data is not kept longer than necessary. Moneybird also sends letters relating to payments by mail. We have a data processing agreement with Moneybird.
For hosting & storage
Our website and database are hosted at Hetzner Online GmbH. Hetzner’s servers are located in Germany and Finland. Hetzner Online GmbH is certified according to ISO 27001, an internationally recognized standard for information security. We have a data processing agreement with Hetzner Online GmbH.
We handle the personal data we process with great care. Measures to secure your data include preventing unauthorized access/processing, loss, guaranteeing availability and monitoring the integrity of the data files. We have taken at least the following security measures:
- Network connections for our computer systems with which the data processing takes place are secured by means of an SSL encryption (128-bit);
- If a remote connection is established to a computer system that processes data, this access is secured;
- access to the systems that process data is secured by 3 factors: a username, password and authenticator code;
- we maintain a strong password policy. Each password contains at least 8 characters, at least 1 letter, at least 1 number at least 1 symbol and may not have a character string previously used;
- all computer systems with which data processing takes place have a reliable virus scanner that is always up to date;
- mobile data carriers such as USB sticks, if used, are protected against reading by means of a password;
- no personal data is stored on any private computers;
- a backup is kept for a standard period of one year. Our backup files cannot be read directly;
- All our employees, interns, freelancers, sub processors and other third parties are required to maintain confidentiality. This will only be waived after your explicit written consent or if we are required by law to share the data;
- old and unnecessary documents will be destroyed in an accurate manner.
If, however, a security incident does occur that has an impact on the rights and freedoms of individuals, we will report it as soon as possible to those affected. Our client, as the responsible party, must report this to the Dutch “Autoriteit Persoonsgegevens” (Dutch Data Protection Authority). We will in any case report the following incidents to you as soon as possible:
- The website with login details has been hacked or has become accessible to third parties;
- The loss of a data carrier containing personal data;
- letters or e-mails containing personal details have been sent to an incorrect address;
- the IT-system containing personal data has been hacked.
Based on Dutch and European law you, as a data subject, have certain rights when it comes to personal data that is processed by us or on behalf of us. Below you will find an explanation of these rights and how you, as a data subject, can invoke these rights. In principle to prevent abuse we only send invoices and copies of your data to e-mail addresses that you have made known to us. Should you wish to receive this data on another e-mail address or for instance per mail we will ask you to identify yourself accordingly. We maintain an administration of concluded requests, in case of a request to be forgotten we will maintain an administration of anonymized data. You will receive all invoices and copies of data in files that are structured in a machine-readable format Based on data classifications that we use within our system. At all times you maintain the right to lodge a complaint with the Autoriteit Persoonsgegevens if you suspect that we mistreat or misuse your personal data.
Right of inspection
You have the right to view data we process that has a relation or may be deducible to your person at all times. Any requests regarding exercising said rights can be directed to our contact designated for privacy matters. You will receive a response to your request within 30 days. If your request is approved we will send you an email with a copy of all data with an added overview of processors managing this data with a mention of the categories under which we store the data at your registered email address.
Right to rectification
At all times you maintain the right to have the data we process that has a relation or may be deducible to your person be adjusted. You may request such an adjustment to our contact designated for privacy matters. You will receive a response to your request within 30 days. If your request is approved we will send you an email at your registered email address with confirmation that the data has been adjusted.
Right to restriction of processing
At all times you keep the right to request the data we process that has a relation or may be deducible to your person to be processed by a third party of your choice. You may send in such a request to our contact designated for privacy matters. You will receive a response to your request within 30 days. If your request is approved we will send you at your registered email address invoices or copies of data that we, or third parties on behalf of us, have processed. It is highly likely that in such a case we can no longer offer our services to you for we can no longer guarantee the previous data safety.
Right of transferability
At all times you maintain the right to request for the data we process that has a relation or may be reducible to your person be processed by a third party of choice. You may send in such a request to our contact in charge of privacy matters. You will receive a response to your request within 30 days. If your request is approved we will send you, via the e-mail address known to us, your (personal) invoices or copies of data that we, or third parties on behalf of us, have processed. It is highly likely that in such a case we can no longer offer our services to you for we can no longer guarantee the previous data safety.
Right of objection and other rights
At all times you maintain the right to object to the processing done by us, or on behalf of us by third parties, of your personal data. In case of such an objection we will immediately cease all processing of your data while your objection is being investigated and handled. In case of a justified objection we will return all invoices and/or copies of personal data that we, or third parties on behalf of us, have processed up until that point and cease processing thereafter. You also keep the right to not be subject of automated decision-making processes or profiling. We do not process your data in such a way that this right may be infringed upon. Should you believe that this right is infringed upon then we ask you to reach out to our contact designated for privacy matters.
Questions and requests about privacy matters can be submitted via e-mail: firstname.lastname@example.org.