PRIVACY POLICY SMALING SERVICE MONTEUR

We value your privacy and comply with the GDPR. Below we explain what data we process through our website and customer portal, on which legal bases, and how we secure it.
Last update: 13-03-2026

IMPORTANT: This privacy policy contains essential information about your rights and our data processing activities.

1. Controller

Smaling Service Monteur acts as the controller. No Data Protection Officer (DPO) has been appointed.

Smaling Service Monteur
Oranjeweg 120, 6991 WV Rheden
Tel: +31 (0)6 134 79960  •  +31 (0)26 234 0830
E-mail: raymond@smaling.net
Chamber of Commerce: 87310953

2. What data do we collect?

  • Identification & contact: name, e-mail, phone, (project) address.
  • Customer portal and account data: login, role, linked customer account and security data such as 2FA status.
  • Project information and attachments, including quotations, reports, certificates, invoices, planning data, photos, PDFs and any profile photo you choose to upload.
  • Communication and service data: email correspondence, phone notes, portal chat, quotations, project documentation and notification preferences.
  • Device/technical data: IP address, user-agent, basic web statistics (anonymised where possible) and security or audit logs around logins, downloads and account actions.
  • Administrative/financial: invoicing and payment data (only for performance and legal duties).

We do not process special categories of personal data unless strictly necessary and explicitly provided by you (e.g., a photo revealing personal data).

3. Purposes & legal bases

  • Contact & quotes — Performance of (pre-)contractual measures (Art. 6(1)(b) GDPR)
  • Preparation & execution — Contract/legitimate interests (Art. 6(1)(b)/(f) GDPR)
  • Customer portal, account access & 2FA — Contract/legitimate interests (Art. 6(1)(b)/(f) GDPR)
  • Invoices, reports, certificates & document access — Contract/legal obligation (Art. 6(1)(b)/(c) GDPR)
  • Service messages, portal notifications, planning updates & chat support — Contract/legitimate interests (Art. 6(1)(b)/(f) GDPR)
  • Administration & tax — Legal obligation (Art. 6(1)(c) GDPR)
  • News/marketing (optional) — Consent (Art. 6(1)(a) GDPR), always opt-out
  • Analytics/marketing cookies (optional) — Consent (Art. 6(1)(a) GDPR) via the cookie banner
  • Fraud prevention, auditing & security — Legitimate interests (Art. 6(1)(f) GDPR)

4. Recipients/processors

We only share data where necessary. We conclude data processing agreements with processors. A current list of (sub)processors is available on request.

  • Hosting/infrastructure (own server/CyberPanel) — EU location
  • E-mail provider / mail processing for service messages and 2FA (smaling.net domain) — EU location
  • Analytics (optional GA4 with IP masking; consent only) — potentially outside EEA
  • Bank / payment processing (ABN AMRO / Tikkie where applicable) for payments/invoicing — EU location
  • Backup storage (encrypted) — EU location

Data Processing Agreements: All processors are contractually bound to GDPR obligations and security measures.

5. Transfers outside the EU/EEA

Only where necessary and with appropriate safeguards, such as EU SCCs or an adequacy decision. Where possible we pseudonymise/anonymise data.

  • EU Standard Contractual Clauses (SCCs) for transfers to third countries
  • End-to-end encryption for international data transfers
  • Data minimisation: only strictly necessary data is shared

6. Security

  • HTTPS/HSTS, strict security headers (CSP, X-Frame-Options, etc.)
  • Access control (least privilege) and multi-factor authentication where possible
  • Encryption in-transit and at-rest for sensitive data
  • Regular security updates and vulnerability scanning
  • Logging and monitoring of access to personal data, downloads, payments and account actions
  • Rate limiting, WAF controls and audit logging on sensitive portal routes
  • Physical security of server location

7. Data breaches & notification

Where a breach poses a (likely) risk to individuals, we notify the Dutch DPA without undue delay and, where required, the affected individuals.

  • Internal breach procedure with escalation guidelines
  • Documentation of all breaches (including near-misses)
  • Periodic review and testing of incident response plan

8. Retention periods

| Type | Period | Legal basis |
|---|---|---|
| Quotes & correspondence | up to 2 years after last contact | Legitimate interests |
| Project files, reports and certificates | up to 5 years post hand-over (or longer for warranty) | Contract + legal |
| Portal accounts, chat and notification preferences | while the account is active and thereafter as needed for the contract, support or disputes | Contract + legitimate interests |
| Financial records | 7 years (statutory tax duty) | Legal obligation |
| Audit and security logs | max. 180 days, unless longer retention is needed for incident investigation | Legitimate interests (security) |
| Cookie consent | max. 12 months | Consent |

9. Your GDPR rights

  • Right of access, rectification and erasure ("right to be forgotten")
  • Right to restriction, objection and data portability
  • Withdraw consent at any time (no retroactive effect)
  • Requests: e-mail raymond@smaling.net or use the contact page
  • We respond within 30 days (extendable by up to 2 months for complexity) and may request additional identification
  • No fees unless requests are manifestly unfounded or excessive (max. €25 administrative costs)
  • Complain to the Dutch DPA: Autoriteit Persoonsgegevens

10. Minors

Our services are not primarily aimed at children under 16. If you believe data was collected without parental consent, please contact us; we will delete such data where appropriate.

11. Cookies

We use functional cookies and — with your consent — analytics/marketing cookies. Manage your preferences here: open cookie settings.

| Category | Purpose | Example |
|---|---|---|
| Functional (required) | Core features and security | session/CSRF tokens |
| Analytics (opt-in) | Website usage insights | GA4 with IP anonymization |
| Marketing (opt-in) | Personalisation/ads | pixels/remarketing (if used) |

12. Profiling & automated decision-making

We do not take decisions with legal effects based solely on automated processing. Any profiling is limited to aggregated analytics with consent.

13. Accessibility

We aim for an accessible website (WCAG guidelines where feasible). If you encounter barriers, tell us and we will seek a solution.

14. Changes

The most recent version is available on this page. Important changes are actively communicated to data subjects where possible. Last update: 13-03-2026.