CCOMBOX PRIVACY POLICY (GDPR)

version 2 dated 1-8-2025

1. Introduction

CCombox respects your privacy and is committed to protecting personal data. In this privacy policy, we explain which personal data we collect, how we use it, with whom we share data, how we secure personal data, and what rights you have when you visit our website or use our services. CCombox processes personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy legislation.

2. Who is responsible?

CCombox is the data controller for the processing of personal data. For privacy-related questions, you may contact us via info@ccombox.com with the subject "Privacy".

3. Which personal data do we collect?

We may process the following categories of personal data:

  • a) Contact details: name, email address, telephone number.
  • b) Company details: company name, job title, industry, website.
  • c) Account and client data: client number, contract details, billing information.
  • d) Communication data: email correspondence, chat messages, call notes, support requests.
  • e) Technical data: IP address, browser data, device information, log data.
  • f) Usage data: information about the use of our website and (if applicable) our platform.
  • g) Marketing data: preferences, campaign interactions, newsletter subscriptions.

4. For what purposes do we use personal data?

We process personal data for the following purposes:

  • a) Providing and performing our services (including AI marketing services, content creation, publications, campaigns, call center/chat services).
  • b) Contact and communication with clients and prospects.
  • c) Quotations, contract formation and invoicing.
  • d) Customer service and support.
  • e) Improvement of our website, services and service delivery.
  • f) Marketing and commercial communication (such as newsletters).
  • g) Compliance with legal obligations (e.g. fiscal retention requirements).

5. On what legal bases do we process personal data?

CCombox processes personal data only where there is a legal basis. This may include:

  • a) Performance of an agreement (Article 6(1)(b) GDPR).
  • b) Legal obligation (Article 6(1)(c) GDPR).
  • c) Legitimate interest (Article 6(1)(f) GDPR), such as business operations, security, fraud prevention, customer relationship management and improving our services.
  • d) Consent (Article 6(1)(a) GDPR), for example for marketing cookies or sending marketing communications, where legally required.

If we rely on consent as a legal basis, you may withdraw this consent at any time.

6. Cookies and tracking

Our website uses cookies and similar technologies to ensure proper website functionality and to gain insight into website usage.

We may use:

  • a) Necessary cookies: essential for operation and security.
  • b) Preference cookies: remember choices and preferences.
  • c) Statistics cookies: help us analyze website usage.
  • d) Marketing cookies: used for targeted advertising and campaign analysis.

You can always adjust your cookie preferences via the cookie settings on our website.

7. With whom do we share personal data?

CCombox shares personal data only when necessary for the performance of our services, our business operations, or when legally required.

We may share personal data with:

  • a) IT and hosting providers.
  • b) Email and communication providers.
  • c) Payment and invoicing providers.
  • d) Advertising platforms (such as Google, Meta/Facebook/Instagram, TikTok, LinkedIn).
  • e) Analytics and tracking providers (e.g. Google Analytics, depending on your setup).
  • f) Call center or support partners (if part of the services).
  • g) Professional advisors (accountant, legal advisor), where necessary.

Where required, we enter into data processing agreements or similar arrangements with such parties.

8. Transfers outside the EEA (e.g. United States)

Some of CCombox's service providers (such as advertising and analytics platforms) may process personal data outside the European Economic Area (EEA), for example in the United States. Where this occurs, CCombox implements appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legal mechanisms to adequately protect personal data.

9. Security of personal data

CCombox takes appropriate technical and organizational measures to protect personal data against loss, unauthorized access, misuse or alteration. Examples may include: access control and authorizations, strong passwords and where possible MFA, logging and monitoring, encrypted connections (SSL/TLS), backups and secure storage, and limiting access to personal data on a need-to-know basis.

10. Retention periods

We do not retain personal data longer than necessary for the purposes for which it was collected, unless we are legally required to retain data longer.

Indicative retention periods:

  • a) quotation and prospect data: up to 12 months after the last contact moment.
  • b) client and contract data: during the term of the agreement and up to 7 years thereafter (fiscal retention obligation).
  • c) invoices and financial administration: 7 years.
  • d) support requests and communications: up to 24 months (unless required for a dispute).
  • e) website log data: up to 12 months (unless longer required for security).

11. Your rights

Under the GDPR, you have the following rights:

  • a) right of access.
  • b) right to rectification.
  • c) right to erasure ("right to be forgotten"), insofar as legally permitted.
  • d) right to restriction of processing.
  • e) right to data portability.
  • f) right to object to processing (especially where processing is based on legitimate interest).
  • g) right to withdraw consent (if processing is based on consent).

You may submit a request via info@ccombox.com. To prevent misuse, we may request verification of your identity. We will generally respond within one month, in accordance with statutory time limits.

12. Complaints

If you have a complaint regarding the processing of personal data, please first contact us so we can resolve the issue. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.

13. Data controller and processor (in service provision)

When CCombox provides services to business clients, CCombox may in some cases act as a processor (e.g. when processing lead data, chat logs or customer data). In such cases, the client remains the data controller. Where legally required, the parties enter into a data processing agreement (DPA) setting out arrangements regarding processing, security, subprocessors and retention periods. In the event of conflict, the data processing agreement prevails over the general terms and conditions.

14. Changes

CCombox may amend this privacy policy, for example due to changes in legislation or services. The current version is always available via www.ccombox.com. We recommend reviewing this privacy policy periodically.

15. Use of AI systems and external technology

15.1 In performing its services, CCombox uses external software providers, cloud providers and AI systems ("third-party technologies"). These systems are used for, among other things, content generation, analytics, automation and communication.

15.2 Client acknowledges that the operation of such AI systems is largely determined by the respective providers and that CCombox has no influence over their internal functioning, training methods or inter-system communication.

15.3 To the extent personal data is processed via third-party technologies, CCombox implements appropriate contractual and organizational measures, including entering into data processing agreements or similar arrangements where legally required.

15.4 However, CCombox cannot provide guarantees regarding the internal data processing, algorithmic decision-making or model training of external AI providers.

15.5 Client acknowledges that legislation relating to artificial intelligence is currently evolving (including future European AI regulation) and that CCombox will adapt its services accordingly once such regulations come into force.

15.6 CCombox is not liable for changes, limitations or risks arising from the use of external AI systems, provided CCombox acts in accordance with applicable privacy legislation and its contractual obligations.