Privacy & Cookies

Last updated: Augustus 2025

1. Introduction

CCombox respects your privacy and is committed to protecting personal data. In this privacy policy, we explain what personal data we collect, how we use it, with whom we share data, how we secure personal data, and what rights you have when you visit our website or use our services. CCombox processes personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy legislation.

2. Who is responsible?

CCombox is the data controller for the processing of personal data. For privacy-related questions, you can contact us via info@ccombox.com with the subject "Privacy".

3. What personal data do we collect?

We may process the following categories of personal data:

  • Contact details: name, email address, telephone number.
  • Business data: company name, function, industry, website.
  • Account and customer data: customer number, contract details, billing information.
  • Communication data: email correspondence, chat messages, call notes, support requests.
  • Technical data: IP address, browser data, device information, log data.
  • Usage data: information about the use of our website and (if applicable) our platform.
  • Marketing data: preferences, interactions with campaigns, newsletter subscriptions.

4. For what purposes do we use personal data?

We process personal data for the following purposes:

  • Providing and executing our services (including AI marketing services, content creation, publications, campaigns, call center/chat services).
  • Contact and communication with customers and prospects.
  • Quotations, contract formation and invoicing.
  • Customer service and support.
  • Improvement of our website, services and service delivery.
  • Marketing and commercial communication (such as newsletters).
  • Compliance with legal obligations (e.g. tax retention obligation).

5. On what legal bases do we process personal data?

CCombox only processes personal data when there is a legal basis for doing so. This can be:

  • Performance of a contract (Art. 6(1)(b) GDPR).
  • Legal obligation (Art. 6(1)(c) GDPR).
  • Legitimate interest (Art. 6(1)(f) GDPR), such as business operations, security, fraud prevention, customer relationship management and improving our services.
  • Consent (Art. 6(1)(a) GDPR), for example for marketing cookies or sending marketing communications, where this is legally required.

If we use consent as a basis, you can always withdraw it.

6. Cookies and tracking

Our website uses cookies and similar technologies to ensure the website functions properly and to gain insight into website usage.

We may use:

  • Necessary cookies: essential for operation and security.
  • Preference cookies: remember choices and preferences.
  • Statistics cookies: help us analyze website usage.
  • Marketing cookies: used for targeted advertising and campaign analysis.

You can always adjust your cookie preferences via the cookie settings on our website.

7. With whom do we share personal data?

CCombox only shares personal data when this is necessary for the execution of our services, our business operations or when we are legally obliged to do so.

We may share personal data with:

  • IT and hosting parties.
  • Email and communication providers.
  • Payment and billing providers.
  • Advertising platforms (such as Google, Meta/Facebook/Instagram, TikTok, LinkedIn).
  • Analytics and tracking parties (e.g. Google Analytics, depending on your setup).
  • Call center or support partners (if part of the service delivery).
  • Professional advisors (accountant, legal advisor), if necessary.

Where necessary, we conclude data processing agreements or similar arrangements with such parties.

8. Transfer outside the EEA

Some of CCombox's service providers (such as advertising and analytics platforms) may process personal data outside the European Economic Area (EEA), for example in the United States. If this occurs, CCombox takes appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legal mechanisms to adequately protect personal data.

9. Security of personal data

CCombox takes appropriate technical and organizational measures to secure personal data against loss, unauthorized access, misuse or alteration. Examples of these may be:

  • Access control and authorizations.
  • Strong passwords and where possible MFA.
  • Logging and monitoring.
  • Encrypted connections (SSL/TLS).
  • Backups and secure storage.
  • Restriction of access to personal data on a need-to-know basis.

10. Retention periods

We do not retain personal data longer than necessary for the purpose for which it was collected, unless we are legally obliged to retain data longer.

Indicative retention periods:

  • Quotation and prospect data: maximum 12 months after the last contact moment.
  • Customer and contract data: during the term of the agreement and up to 7 years after expiry (tax retention obligation).
  • Invoices and financial administration: 7 years.
  • Support requests and communication: maximum 24 months (unless necessary for dispute).
  • Website log data: maximum 12 months (unless longer necessary for security).

11. Your rights

Under the GDPR you have the following rights:

  • Right of access.
  • Right to rectification.
  • Right to erasure ("right to be forgotten"), insofar as legally permitted.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing (especially for processing based on legitimate interest).
  • Right to withdraw consent (if processing is based on consent).

You can submit a request via info@ccombox.com. To prevent misuse, we may ask for verification of your identity. We respond in principle within one month, in accordance with legal deadlines.

12. Complaints

If you have a complaint about the processing of personal data, please contact us first so that we can resolve this. You also have the right to file a complaint with the Dutch Data Protection Authority via www.autoriteitpersoonsgegevens.nl.

13. Data controller and processor

When CCombox provides services to business customers, CCombox may in some cases act as a processor (e.g. when processing lead data, chat logs or customer data). In that case, the customer remains the data controller. If legally required, Parties conclude a data processing agreement (DPA) in which agreements are laid down regarding processing, security, sub-processors and retention periods. In case of conflict, the data processing agreement prevails over the general terms and conditions.

14. Changes

CCombox may change this privacy policy, for example in the event of changes in legislation or services. The current version is always available via www.ccombox.com. We recommend that you consult this privacy policy periodically.

15. Use of AI systems and external technology

15.1 CCombox uses external software suppliers, cloud providers and AI systems ("third-party technologies") in the execution of its services. These systems are used for content generation, analyses, automation and communication, among other things.

15.2 Client acknowledges that the operation of such AI systems is largely determined by the relevant suppliers and that CCombox has no influence on the internal operation, training methods or mutual communication of these systems.

15.3 Insofar as personal data is processed via third-party technologies, CCombox takes appropriate contractual and organizational measures, including concluding data processing agreements or similar arrangements where this is legally required.

15.4 However, CCombox cannot provide guarantees regarding the internal data processing, algorithmic decision-making or model training of external AI providers.

15.5 Client acknowledges that legislation regarding artificial intelligence is currently still evolving (including future European AI regulation) and that CCombox will adapt its services to this as soon as such regulation comes into force.

15.6 CCombox is not liable for changes, limitations or risks arising from the use of external AI systems, provided CCombox acts in accordance with applicable privacy legislation and its contractual obligations.