Privacy Notice

Effective: March 12, 2026

1. About This Notice

This privacy notice explains how Omnitrex collects and processes your personal data when you visit our marketing website at omnitrex.eu.

This notice applies only to the omnitrex.eu marketing website. It does not cover the Omnitrex GRC platform at app.omnitrex.eu, which is subject to its own privacy policy.

We have written this notice in plain language so that you can understand exactly what data we collect, why we collect it, and what rights you have.

2. Data Controller

The data controller responsible for your personal data is:

Omnitrex

KvK: 99586355

Netherlands

Email: info@omnitrex.eu

Website: omnitrex.eu

For privacy-specific inquiries, please use our contact form and select "Privacy & Data Rights", or email info@omnitrex.eu.

3. What Personal Data We Collect

A. Data you provide directly

  • Contact form: name, email address, company (optional), area of interest, and your message
  • Privacy consent: your acknowledgment that you have read this privacy notice

B. Data collected automatically

  • Error reports via Sentry: IP address, browser and operating system information, page URL, and error stack traces — collected solely for debugging purposes
  • Rate limiting: IP address used for contact form anti-abuse protection, retained in server memory only and not persisted to disk

C. Data we do NOT collect

  • No analytics cookies — we do not use Google Analytics or similar tracking services
  • No tracking cookies of any kind
  • No advertising identifiers
  • No social media pixels
  • No fingerprinting

4. Purposes, Legal Bases & Retention

PurposeData CategoriesLegal Basis (GDPR)Retention
Responding to your inquiryName, email, company, messageArt. 6(1)(b) — pre-contractual steps at your requestUntil resolved, max 12 months
Sending confirmation emailEmail addressArt. 6(1)(b) — pre-contractual stepsTransient — not stored beyond delivery
Error monitoringIP, browser, OS, error contextArt. 6(1)(f) — legitimate interest (maintaining service reliability)90 days
Rate limiting (anti-abuse)IP address (server memory)Art. 6(1)(f) — legitimate interest (preventing abuse)In-memory only, cleared on restart, max 1 hour window
Legal complianceAny data as requiredArt. 6(1)(c) — legal obligationAs required by applicable Dutch/EU law

Legitimate interest balancing: For each purpose relying on Art. 6(1)(f), our interest is specified above. We have assessed that these interests are not overridden by your rights, given the limited nature of the data processed and the measures we take to minimize data collection.

5. Recipients & Sub-Processors

ProviderPurposeLocationTransfer Mechanism
Vercel Inc.Website hosting & deliveryEU regions; US headquartersEU-US Data Privacy Framework
Functional Software (Sentry)Error monitoringEU data center (Frankfurt)SCCs with US parent entity
ScalewayTransactional email (SMTP)France (EU)No transfer — EU only

We do not sell, rent, or trade your personal data to any third party.

All sub-processors are bound by Data Processing Agreements (Art. 28 GDPR).

Note: We are committed to reducing non-EU data exposure and are evaluating fully EU-hosted alternatives where transatlantic transfers currently occur.

6. International Data Transfers

  • Primary data storage and processing takes place within the European Union
  • Some sub-processors are US-headquartered with EU processing capabilities (see Section 5)
  • Transfer safeguards: EU-US Data Privacy Framework (adequacy decision) and/or Standard Contractual Clauses (Art. 46(2)(c) GDPR)
  • You may request a copy of the relevant safeguards by contacting us

7. Cookies & Tracking Technologies

  • We do not use tracking cookies on this website
  • We do not use Google Analytics or similar tracking services
  • Essential functionality (e.g., form state) uses browser-native features, not persistent cookies
  • If we introduce cookies in the future, we will update this notice and implement a consent mechanism
  • No third-party advertising, remarketing, or social media tracking

8. Data Security

  • Encryption in transit: TLS 1.3
  • Security headers: Content Security Policy, X-Frame-Options (DENY), strict referrer policy
  • Disabled browser features: camera, microphone, geolocation (Permissions-Policy)
  • Contact form anti-abuse: rate limiting (3 submissions per IP per hour), honeypot bot detection

See our Security page for full details.

9. Your Rights Under GDPR

  • Access (Art. 15) — request a copy of your personal data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion ("right to be forgotten")
  • Restriction (Art. 18) — limit processing
  • Data portability (Art. 20) — receive data in machine-readable format
  • Object (Art. 21) — object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

How to exercise your rights: use our contact form and select "Privacy & Data Rights", or email info@omnitrex.eu.

Response time: within one month of receiving your request (Art. 12(3) GDPR). May be extended by two months for complex requests — we will inform you within the first month.

Cost: free of charge, unless requests are manifestly unfounded or excessive.

Verification: we may need to verify your identity before processing your request.

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).

11. Obligation to Provide Data

Providing your personal data via the contact form is not a statutory or contractual requirement. However, if you do not provide your name, email, and message, we will be unable to respond to your inquiry.

12. Children's Privacy

Our services are directed at business professionals and are not intended for individuals under the age of 16. We do not knowingly collect personal data from children.

13. Changes to This Notice

  • Material changes will be highlighted on this page with an updated effective date
  • We will not introduce new processing purposes without updating this notice first
  • For significant changes that affect your rights, we will make reasonable efforts to notify you directly if we have your contact details

14. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:

Autoriteit Persoonsgegevens

(Dutch Data Protection Authority)

Bezuidenhoutseweg 30, 2594 AV Den Haag

Website: autoriteitpersoonsgegevens.nl

Phone: +31 (0)70 888 85 00

We encourage you to contact us first so we can try to resolve your concern.

15. Governing Law

This privacy notice is governed by the laws of the Netherlands and the GDPR. Any disputes shall be subject to the exclusive jurisdiction of the competent courts in the Netherlands.

16. Contact

Email: info@omnitrex.eu

Contact form: omnitrex.eu/contact (select "Privacy & Data Rights")

Controller: Omnitrex, KvK 99586355, Netherlands