Privacy Policy
Summary: Haluso.com processes personal data of its business customers (organisations) and their end users (leads). We attach great importance to the protection of your privacy and act in accordance with the General Data Protection Regulation (GDPR). In this policy we explain which data we process, why and how we handle it.
1. Data Controller
The data controller for the processing of your personal data is:
Haluso.com
Email: privacy@haluso.com
Website: https://haluso.com
For questions about the processing of your personal data, please contact us at the email address above.
2. What personal data do we process?
We process personal data in various contexts:
2.1 Account data (organisations and users)
When an organisation registers with Haluso.com, we process:
- Name and email address of the registering user
- Name of the organisation
- Billing information (company name, address, VAT number, bank details)
- Preferred language (Dutch/English)
- Date of acceptance of the terms of service
- Date and time of registration and login (access log)
- IP address and device information (for session and security purposes)
2.2 Configurator data
Organisations create product configurators within the platform. We process the configurator and product data they enter. This data generally does not constitute personal data, but may do so in exceptional cases if an organisation uses personally identifiable product names or descriptions.
2.3 Lead data (end users of the configurator)
When an end user submits a product configuration through a configurator of a Haluso customer, we process:
- Name
- Email address
- Telephone number (if provided)
- The assembled product configuration and calculated price
- Date and time of submission
- IP address (for fraud prevention and security)
For the processing of lead data, Haluso acts as a processor on behalf of the relevant organisation (the data controller). The organisation is responsible for informing its end users about the processing of their data.
3. Purposes and legal bases for processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Performance of the agreement (providing platform services, billing) | Performance of a contract (para. 1(b)) |
| Processing of lead data on behalf of the customer organisation | Performance of a contract (para. 1(b)) |
| Security, fraud prevention and abuse detection | Legitimate interest (para. 1(f)) |
| Compliance with legal obligations (tax, accounting) | Legal obligation (para. 1(c)) |
| Improvement of the platform (anonymised usage statistics) | Legitimate interest (para. 1(f)) |
| Sending transactional emails (confirmations, invoices, notifications) | Performance of a contract (para. 1(b)) |
| Commercial communications to existing customers | Legitimate interest (para. 1(f)) |
We never process more data than strictly necessary for the purposes stated above.
4. Recipients of personal data
We only share personal data with third parties to the extent necessary for the performance of our services or on the basis of a legal obligation:
- Hosting provider: our servers are hosted by an EU-based provider that processes personal data solely for the performance of the hosting agreement.
- Payment provider (Stripe): for the processing of payment transactions. Stripe is PCI-DSS certified and processes data in accordance with the GDPR.
- Email provider (Postmark): for sending transactional emails. Postmark only processes the email address and the content of the email to be sent.
- Accounting processors: for the processing of invoice data, where applicable.
We do not sell personal data to third parties. All processors are bound by a data processing agreement in accordance with Article 28 GDPR.
Transfers outside the EEA
The processors engaged by us (Stripe, Postmark) are based in the United States. Data transfers to the US take place on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission, or another adequate safeguard mechanism.
5. Retention periods
| Category | Retention period | Reason |
|---|---|---|
| Account data | Duration of the agreement + 2 years after termination | Contractual and legal obligations |
| Invoice data | 7 years after the financial year | Tax retention obligation (Art. 52 AWR, Dutch General Tax Act) |
| Lead data | As long as the customer organisation is active | Performance of the data processing agreement |
| Access logs | 90 days | Security and incident detection |
| Email communications | 2 years | Legitimate interest, dispute resolution |
After the retention period has expired, data is securely deleted or anonymised.
6. Your rights as a data subject
Under the GDPR, you have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR): you have the right to know which personal data we process about you.
- Right to rectification (Art. 16 GDPR): you have the right to have inaccurate data corrected.
- Right to erasure (Art. 17 GDPR): you have the right to have your data deleted, provided no statutory retention obligation applies.
- Right to restriction of processing (Art. 18 GDPR): you have the right to restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): you have the right to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): you have the right to object to the processing of your data based on legitimate interest.
- Right to withdraw consent: insofar as the processing is based on your consent, you have the right to withdraw that consent at any time.
To submit a request, please send an email to privacy@haluso.com. We will respond to your request within four weeks. We may ask you to verify your identity to prevent misuse.
If you believe that we are not properly respecting your rights, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) (autoriteitpersoonsgegevens.nl).
7. Security
We take appropriate technical and organisational measures to protect your personal data against loss, unauthorised access, disclosure, alteration or destruction. These measures include, but are not limited to:
- Encrypted connections (TLS/HTTPS) for all data transmission
- Hashed storage of passwords (bcrypt)
- Two-factor authentication for platform users
- Role-based access control (RBAC)
- Regular backups and security audits
- Access logs for critical system operations
In the event of a data breach that poses a risk to your rights and freedoms, we will report this to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours and, where applicable, also to the affected individuals.
8. Cookies and tracking
The Haluso.com platform uses only functional cookies that are strictly necessary for the operation of the service (session cookies for authentication). These cookies do not require consent under the Dutch Telecommunications Act.
The public marketing page (haluso.com) does not use tracking cookies, third-party analytics services or social media pixels.
9. Processor role for lead data
Haluso acts as a processor for the processing of lead data submitted through the configurators of our customers. The customer organisation is the data controller and is itself responsible for:
- Informing end users (leads) about the processing of their personal data, in accordance with Article 13 GDPR.
- Establishing a valid legal basis for the processing of lead data.
- Including its own privacy policy on the configurator page or the website on which the configurator is integrated.
A data processing agreement is in effect between Haluso and each customer organisation, which is incorporated in the terms of service.
10. Changes to this policy
We reserve the right to amend this privacy policy to comply with changes in legislation or regulations, or as a result of changes to our services. The most current version is always available at haluso.com/en/privacy-policy.
In the event of material changes, we will inform you by email or a notification within the platform, at least 14 days before the change takes effect.
11. Contact details
For questions, requests or complaints about the processing of your personal data, please contact:
Haluso.com
Email: privacy@haluso.com
Website: https://haluso.com