GDPR

Proofen B.V. is committed to protecting personal data and to processing it lawfully, fairly and transparently. This page summarises how we comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and, for our United Kingdom customers, the UK GDPR. It sits alongside our Privacy Policy, which sets out the full detail of how we handle personal data.

1. Who we are

Proofen B.V. is the data controller for the personal data we collect through our website and dashboard. We are registered with the Dutch Chamber of Commerce (KvK) under number 42017752, with our registered office at Dahliastraat 238, 3333 GN Zwijndrecht, The Netherlands.

For any data protection matter, contact us at [email protected]. We have not appointed a Data Protection Officer, as we do not meet the thresholds in Article 37 GDPR that make appointment mandatory.

2. Our role: controller and processor

We act in two distinct roles. We are a data controller for the limited personal data we collect directly, such as enquiry details and dashboard account information. We are a data processor when we process device records on behalf of a customer who operates a Proofen grading machine. In that case the customer is the controller, and the processing is governed by a separate written agreement that meets the requirements of Article 28 GDPR.

Our grading machine does not capture personal data from the devices it inspects. Devices are powered off, and only their external cosmetic condition is photographed. Device identifiers such as IMEI or serial numbers are handled as inventory data, not as personal data.

3. The principles we follow

In line with Article 5 GDPR, we process personal data:

• lawfully, fairly and in a transparent way;
• only for specified, explicit and legitimate purposes;
• limited to what is necessary (data minimisation);
• accurately, and kept up to date;
• for no longer than necessary (storage limitation);
• securely, with appropriate protection against unauthorised access, loss or damage (integrity and confidentiality).

We keep records of our processing activities so that we can demonstrate this (accountability).

4. Lawful bases we rely on

Depending on the activity, we rely on the lawful bases set out in Article 6(1) GDPR: performance of a contract, our legitimate interests, compliance with a legal obligation, and your consent (for example, for marketing communications). Our Privacy Policy sets out which basis applies to each activity.

5. Your rights

Wherever the GDPR or UK GDPR applies, you have the right to:

• be informed about how your personal data is used;
• access the personal data we hold about you;
• have inaccurate or incomplete data corrected;
• have your data erased where we no longer have a lawful basis to keep it;
• restrict how we process your data in certain circumstances;
• receive your data in a structured, commonly used, machine-readable format (portability);
• object to processing based on our legitimate interests;
• withdraw consent at any time, where processing is based on consent.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

6. Exercising your rights

To exercise any of these rights, email [email protected]. We will respond within one calendar month, and we may need to verify your identity before acting on your request. In normal circumstances this is free of charge.

7. Keeping your data secure

We apply appropriate technical and organisational measures, including encryption of data in transit (TLS) and at rest, strict access controls limited to authorised personnel, EU data residency with our main providers, and regular security reviews. We are working towards ISO 27001 certification.

8. International transfers

Our infrastructure is hosted within the EU/EEA. Transfers from the United Kingdom to the Netherlands are covered by UK adequacy. Where a transfer to a country outside the EEA is necessary, we use the European Commission's Standard Contractual Clauses, or the equivalent UK International Data Transfer Agreement.

9. Personal data breaches

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Dutch supervisory authority within 72 hours, and inform affected individuals without undue delay where the law requires it.

10. Sub-processors

We use a small number of carefully selected service providers (including Supabase, Vercel and Resend) to run our service. Each is bound by a data processing agreement and may not use your data for its own purposes. The current list is set out in our Privacy Policy.

11. Supervisory authorities

You have the right to lodge a complaint with a supervisory authority:

Netherlands: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl

United Kingdom:Information Commissioner's Office (ICO), ico.org.uk

We would welcome the opportunity to resolve any concern directly before you contact a regulator.