Privacy Policy
Last updated: 2026-03-23
This Privacy Policy explains how FerroIT B.V. (“FerroIT”, “we”, “us”, “our”) processes Personal Data in connection with our websites, software platform, software components, and related services (together, the “Services”).
This Privacy Policy primarily applies where FerroIT acts as a Controller, including for website visitors, business contacts, prospects, supplier and partner contacts, and individuals who interact with FerroIT directly. Where FerroIT processes Personal Data on behalf of a customer in the Services, FerroIT acts as a Processor and the relevant customer acts as Controller. In those cases, processing is governed by the applicable customer agreement, including any Data Processing Addendum (“DPA”), and the relevant customer’s privacy notice.
1. Who we are
Controller: FerroIT B.V.
Registered office: Scheepswervenweg 7, 9608PD Westerbroek, the Netherlands
Chamber of Commerce: 83899472
Privacy contact: privacy@ferroit.com
General contact: info@ferroit.com
If required under applicable law, FerroIT will cooperate with the relevant supervisory authority, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “AP”).
2. Scope
This Privacy Policy applies to:
- visitors to our website and marketing pages;
- business contacts, prospects, partners, and supplier contacts;
- individuals who communicate with us for demos, support, webinars, events, or other direct interactions; and
- users who interact directly with FerroIT as Controller.
This Privacy Policy does not replace the DPA, customer instructions, or the applicable customer privacy notice where FerroIT acts as Processor.
3. Personal Data we process
Depending on the relationship with you, we may process the following categories of Personal Data.
A. Business contact and account data
- name;
- business email address;
- phone number;
- job title;
- company name;
- account identifiers;
- login timestamps;
- billing and administrative contact details; and
- basic contract and transaction information.
B. Service usage and technical data
- IP address;
- device, browser, operating system, and application version information;
- approximate location derived from IP address (such as city or country);
- system logs, diagnostics, telemetry, audit trails, and performance data; and
- support requests and related communications.
C. Customer-controlled content
Where FerroIT acts as Processor, we may process:
- data uploaded or submitted to the Services by or for customers and their users; and
- outputs generated from that data.
D. Website technical data and cookies
Our website currently does not use analytics or marketing cookies. We may process limited technical data necessary for secure operation of the website, such as IP address, request metadata, server logs, and strictly necessary technical mechanisms. If we introduce non-essential cookies or similar technologies in the future, we will update this Privacy Policy and, where required, implement a consent mechanism.
4. Purposes of processing
We process Personal Data for the following purposes:
- providing, operating, maintaining, and securing the Services;
- authentication, access control, logging, fraud prevention, abuse prevention, and incident response;
- contract administration, account management, service delivery, billing, renewals, and related business operations;
- customer support, service communications, and troubleshooting;
- improving the quality, reliability, usability, and security of the Services;
- legal and regulatory compliance, enforcing rights, and handling lawful requests; and
- limited B2B marketing and relationship management where permitted by applicable law, including applicable direct marketing rules.
We may also create aggregated or anonymized information that no longer identifies an individual. Where we do so, we apply technical and organizational safeguards reasonably designed to prevent re-identification.
5. Legal bases
Where FerroIT acts as Controller, we rely on one or more of the following legal bases under applicable data protection law:
- Contract: where processing is necessary to provide the Services, manage a business relationship, respond to requests, or administer an account.
- Legitimate interests: for securing, maintaining, improving, supporting, and developing our Services; managing business relationships; and conducting limited B2B marketing where lawful and where our interests are not overridden by your rights and freedoms.
- Consent: where required by law, including where we rely on consent for certain communications or non-essential technologies.
- Legal obligation: where we must comply with legal or regulatory duties.
Where FerroIT acts as Processor, the relevant customer determines the legal basis for processing.
6. How we share Personal Data
We may share Personal Data with:
- hosting, infrastructure, support, monitoring, communications, and other service providers acting on our behalf;
- professional advisers such as lawyers, auditors, insurers, and accountants;
- affiliates, where relevant for internal administration or service delivery;
- competent authorities, courts, regulators, or law enforcement where required by law or necessary to protect rights, safety, or security; and
- a purchaser, investor, lender, or successor in connection with a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate safeguards.
Where FerroIT acts as Processor, subprocessor use is governed by the DPA. We maintain a subprocessor list and make it available where required or upon request.
7. International transfers
If Personal Data is transferred outside the EEA or UK, FerroIT will use an appropriate transfer mechanism under applicable law, such as:
- the European Commission’s Standard Contractual Clauses (“SCCs”), including the module appropriate to the transfer scenario;
- the UK International Data Transfer Addendum or another approved UK transfer mechanism; or
- another lawful transfer mechanism recognized under applicable law,
and will implement supplementary measures where required following an assessment of the transfer.
A summary of relevant safeguards and information about relevant recipients or subprocessors may be provided where legally required or on request, subject to confidentiality and legal limitations.
8. Security and compliance
FerroIT maintains technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Our security program is designed with reference to recognized industry standards. Depending on the relevant Services and operational scope, FerroIT may maintain controls aligned in whole or in part with frameworks or requirements such as:
- ISO/IEC 27001;
- SOC 2 Type II; and
- applicable cybersecurity and resilience obligations, including NIS2-related requirements where relevant.
References to standards or frameworks in this Privacy Policy do not constitute a representation that FerroIT holds any particular certification unless expressly stated by FerroIT in writing.
Additional details may be made available under confidentiality restrictions, customer agreement, or DPA.
9. Retention
We retain Personal Data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law or justified by a legitimate need.
Typical retention criteria and periods include:
- Business contact data: for the duration of the relationship and up to 24 months after the last meaningful contact, unless a longer period is needed for legal claims or compliance.
- Account, authentication, and audit log data: typically up to 12 months, unless a longer period is needed for security investigations, contractual commitments, or legal obligations.
- Support communications: typically up to 24 months after closure of the support matter.
- Billing and transaction records: retained for the period required by tax, accounting, and financial reporting laws.
- Customer-controlled data: retained in accordance with the customer agreement, DPA, and customer instructions.
- Server and security logs: retained for a limited period appropriate for security, reliability, and abuse prevention, typically up to 12 months unless investigation or legal retention requires longer.
Retention periods may be adjusted where necessary to establish, exercise, or defend legal claims, comply with legal obligations, or investigate security incidents.
10. Cookies, essential technologies, and server logs
Our website currently does not use analytics or marketing cookies.
We may use strictly necessary technical mechanisms required for:
- website security;
- session continuity;
- load balancing;
- fraud prevention; and
- storing basic user preferences where lawful.
We may also process server logs and similar technical records to maintain the security, integrity, and availability of our systems.
If we introduce analytics, advertising, personalization, or other non-essential cookies or similar technologies in the future, we will update this Privacy Policy and, where required, implement a consent management flow before placing them.
11. Your rights
Depending on applicable law and FerroIT’s role, you may have rights including:
- access;
- rectification;
- deletion;
- restriction;
- objection;
- data portability; and
- withdrawal of consent, where processing is based on consent.
How to exercise your rights
You can submit a request to privacy@ferroit.com. We may ask for additional information to verify your identity before responding. If we cannot verify your identity, we may not be able to fulfill the request.
If FerroIT processes your Personal Data solely on behalf of a customer as Processor, you should generally direct your request to that customer as Controller in the first instance, although FerroIT may assist where required or appropriate.
Response timing
We aim to respond without undue delay and, where applicable law requires, within one month of receipt of a valid request. That period may be extended where legally permitted, for example if the request is complex or multiple requests are submitted.
Limits and exceptions
Your rights are not absolute. We may decline or limit a request where permitted by law, including where doing so would adversely affect the rights of others, conflict with legal obligations, or relate to data we process solely on behalf of a customer.
Complaints
If you are in the EEA or UK and believe your rights have been infringed, you may lodge a complaint with your local supervisory authority, including in the member state of your habitual residence, place of work, or place of the alleged infringement, where applicable. In the Netherlands, this is the Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/
12. Data breaches
Where FerroIT is required to do so under law or contract, we will notify relevant parties of Personal Data breaches in accordance with applicable legal and contractual requirements. Where FerroIT acts as Processor, breach handling is governed by the DPA and customer agreement.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date accordingly. Material changes may be communicated through the Services, on our website, or by other appropriate means.
14. Contact
Privacy requests: privacy@ferroit.com
General inquiries: info@ferroit.com
© FerroIT B.V. All rights reserved.
