Smaling Service Monteur
Gecertificeerd • Erkend installateur
Offerte aanvragen

PRIVACY POLICY SMALING SERVICE MONTEUR

We value your privacy and comply with the GDPR. Below we explain what data we process, on which legal bases, and how we secure it.
Last update: 06-12-2025

IMPORTANT: This privacy policy contains essential information about your rights and our data processing activities.

1. Controller

Smaling Service Monteur acts as the controller. No Data Protection Officer (DPO) has been appointed.

Smaling Service Monteur
Oranjeweg 120, 6991 WV Rheden
Tel: +31 (0)6 134 79960  •  +31 (0)26 234 0830
E-mail: raymond@smaling.net
Chamber of Commerce: 87310953

2. What data do we collect?

  • Identification & contact: name, e-mail, phone, (project) address.
  • Project information and attachments (e.g., photos/PDFs you provide).
  • Device/technical: IP address, user-agent, basic web statistics (anonymised where possible).
  • Administrative/financial: invoicing and payment data (only for performance and legal duties).
  • Communication: email correspondence, phone notes, quotes and project documentation.

We do not process special categories of personal data unless strictly necessary and explicitly provided by you (e.g., a photo revealing personal data).

3. Purposes & legal bases

  • Contact & quotes — Performance of (pre-)contractual measures (Art. 6(1)(b) GDPR)
  • Preparation & execution — Contract/legitimate interests (Art. 6(1)(b)/(f) GDPR)
  • Administration & tax — Legal obligation (Art. 6(1)(c) GDPR)
  • News/marketing (optional) — Consent (Art. 6(1)(a) GDPR), always opt-out
  • Analytics/marketing cookies (optional) — Consent (Art. 6(1)(a) GDPR) via the cookie banner
  • Fraud prevention & security — Legitimate interests (Art. 6(1)(f) GDPR)

4. Recipients/processors

We only share data where necessary. We conclude data processing agreements with processors. A current list of (sub)processors is available on request.

  • Hosting/infrastructure (own server/CyberPanel) — EU location
  • E-mail provider (smaling.net domain) — EU location
  • Analytics (optional GA4 with IP masking; consent only) — potentially outside EEA
  • Bank (ABN AMRO) for payments/invoicing — EU location
  • Backup storage (encrypted) — EU location

Data Processing Agreements: All processors are contractually bound to GDPR obligations and security measures.

5. Transfers outside the EU/EEA

Only where necessary and with appropriate safeguards, such as EU SCCs or an adequacy decision. Where possible we pseudonymise/anonymise data.

  • EU Standard Contractual Clauses (SCCs) for transfers to third countries
  • End-to-end encryption for international data transfers
  • Data minimisation: only strictly necessary data is shared

6. Security

  • HTTPS/HSTS, strict security headers (CSP, X-Frame-Options, etc.)
  • Access control (least privilege) and multi-factor authentication where possible
  • Encryption in-transit and at-rest for sensitive data
  • Regular security updates and vulnerability scanning
  • Logging and monitoring of access to personal data
  • Physical security of server location

7. Data breaches & notification

Where a breach poses (likely) risk to individuals we notify the Dutch DPA without undue delay and, where required, the affected individuals.

  • Internal breach procedure with escalation guidelines
  • Documentation of all breaches (including near-misses)
  • Periodic review and testing of incident response plan

8. Retention periods

Type Period Legal basis
Quotes & correspondence up to 2 years after last contact Legitimate interests
Project files up to 5 years post hand-over (or longer for warranty) Contract + legal
Financial records 7 years (statutory tax duty) Legal obligation
Log files max. 90 days Legitimate interests (security)
Cookie consent max. 12 months Consent

9. Your GDPR rights

  • Right of access, rectification and erasure ("right to be forgotten")
  • Right to restriction, objection and data portability
  • Withdraw consent at any time (no retroactive effect)
  • Requests: e-mail raymond@smaling.net or use the contact page
  • We respond within 30 days (extendable by up to 2 months for complexity) and may request additional identification
  • No fees unless requests are manifestly unfounded or excessive (max. €25 administrative costs)
  • Complain to the Dutch DPA: Autoriteit Persoonsgegevens

10. Minors

Our services are not primarily aimed at children < 16. If you believe data was collected without parental consent, please contact us; we will delete such data where appropriate.

11. Cookies

We use functional cookies and — with your consent — analytics/marketing cookies. Manage your preferences here: open cookie settings.

Category Purpose Example
Functional (required)Core features and securitysession/CSRF tokens
Analytics (opt-in)Website usage insightsGA4 with IP anonymization
Marketing (opt-in)Personalisation/adspixels/remarketing (if used)

12. Profiling & automated decision-making

We do not take decisions solely based on automated processing with legal effects. Any profiling is limited to aggregated analytics with consent.

13. Accessibility

We aim for an accessible website (WCAG guidelines where feasible). If you encounter barriers, tell us and we will seek a solution.

14. Changes

The most recent version is available on this page. Important changes are actively communicated to data subjects where possible. 06-12-2025.

VCA-gecertificeerd NEN 1010 / 3140 Zegelrecht (Liander-gebied)