The data controller for the personal data described in this Policy is Netelkaar B.V., a private limited company incorporated under Dutch law, registered with the Dutch Chamber of Commerce (KvK) under number 42011714, BTW number NL869280181B01, with its registered office at Vlierweg 12, 1032LG Amsterdam, the Netherlands.
For matters relating to this Policy or to your personal data, please contact us at privacy@netelkaar.com. Netelkaar has not appointed a Data Protection Officer, as it is not required to do so under article 37 of the GDPR.
This Policy applies to personal data Netelkaar processes as a Controller — that is, data we handle for our own purposes (managing customer relationships, billing, correspondence, and operating this website). Where Netelkaar processes personal data on a Customer's behalf (for example, end-user data stored on Customer Equipment in Colocation), Netelkaar acts as a Processor, and that processing is governed by a separate Data Processing Agreement signed alongside the individual contract. A copy is available on request at privacy@netelkaar.com.
Netelkaar collects only the personal data needed to operate the website, respond to inquiries, deliver the Services, and fulfil related legal and accounting obligations. The categories of data, the purposes of processing, and the lawful basis under article 6 of the GDPR are set out below.
§02.1 Contact form
The contact form on our website collects: name (required), email (required), company (optional), inquiry type (required), and a message (required). For Colocation inquiries, optional fields include configuration, power requirement, network requirement, and timeline. An invisible "honeypot" field is used to detect automated submissions and is not stored.
Purpose: reply to your inquiry, prepare a quote, and, where the engagement progresses, enter into a contract. Form submissions are forwarded by email to info@netelkaar.com and are not stored in the website's database.
Lawful basis: article 6(1)(f) GDPR (legitimate interest in responding to pre-contractual inquiries) and, where the engagement progresses to a contract, article 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract).
§02.2 Customer correspondence
After a contract is in place, correspondence with Customer's contact persons takes place through email (Google Workspace, see §03), and, where the Customer initiates it, WhatsApp or Telegram. Data processed: contact details, the content of the correspondence, and channel metadata. Purpose: contract execution, support, billing, incident handling. Lawful basis: article 6(1)(b) GDPR (performance of the contract).
§02.3 Billing data
For invoicing and accounting, we process: company name, KvK or equivalent registration number, BTW (VAT) number where applicable, invoicing address, contact person's name and email, and invoice and payment records. Stored on Netelkaar's controlled infrastructure at an ISO 27001 certified data centre in Amsterdam and in our accounting system (Jortt, NL-based; see §03).
Lawful basis: article 6(1)(b) GDPR (performance of the contract) and article 6(1)(c) GDPR (compliance with legal obligations — Dutch tax law).
§02.4 Visitor pass for the data centre
Where a Customer's representative needs physical access to Customer Equipment in Colocation, we transmit the name and email of the authorised visitor to our data-centre partner. We do not collect or store copies of passports, government-issued ID documents, or any other identification beyond this. Lawful basis: article 6(1)(b) GDPR (performance of the contract) and the data-minimisation principle in article 5(1)(c) GDPR.
§02.5 Technical data from website use
When you visit our website we process: a server-side session record (id, IP address, user-agent, encrypted payload, last activity — expires after 120 minutes); a CSRF token protecting form submissions; a theme preference stored in your browser's localStorage (not transmitted to our servers); and web logs recorded only when the anti-bot honeypot fires or an email-delivery error occurs (routine, successful submissions are not logged with IP). We also process anonymous, aggregate usage analytics through Umami, an open-source analytics tool self-hosted on Netelkaar's own infrastructure — see §06.1 for the full description (no cookies, no cross-site tracking, IP addresses hashed with a daily-rotating salt and discarded). Lawful basis: article 6(1)(f) GDPR (legitimate interest in the security, proper operation, and aggregate audience measurement of the website).
§02.6 Marketing
We do not currently send marketing or newsletter emails. If we begin doing so, this Policy will be updated and the relevant lawful basis (article 6(1)(a) consent, or article 6(1)(f) plus the ePrivacy soft opt-in, depending on the recipient) will be identified before the first marketing email is sent.
§02.7 What we do not do
We do not perform automated decision-making or profiling that produces legal effects within the meaning of article 22 of the GDPR. We do not use third-party tracking, advertising, or remarketing tools (no Google Analytics, no Facebook Pixel, no remarketing). The only website analytics we use is Umami, an open-source tool self-hosted on Netelkaar's own infrastructure within the EU — see §02.5 and §06.1. We do not collect payment-card data through the website — payment is processed by licensed third-party processors.
Netelkaar relies on a small number of service providers that process personal data on Netelkaar's behalf or receive personal data necessary for their own service.
Provider
Jurisdiction
Purpose
Legal basis
Google Ireland Limited
Ireland (EU)
Email, Drive, Calendar (Google Workspace)
Google Workspace DPA
Jortt B.V.
Netherlands (EU)
Accounting and invoicing
Jortt DPA
ISO 27001 certified data centre partner
Netherlands (EU)
Physical infrastructure, visitor passes
Partner agreement
Meta Platforms Ireland Ltd
Ireland (EU)
Customer communication via WhatsApp
Meta DPA (when applicable)
Telegram FZ-LLC
UAE (non-EU)
Customer communication via Telegram (customer-initiated)
No DPA — customer-initiated channel
cdn.jsdelivr.net (Cloudflare)
Global
Public CDN for the Alpine.js library
Standard CDN terms
By design, personal data Netelkaar processes as a Controller is stored and handled within the European Union and the European Economic Area. The single non-EU provider listed above — Telegram (UAE) — appears only because customers may choose to communicate with us through that platform; for sensitive personal data, we recommend customers use email or another in-EU channel rather than Telegram.
The CDN entry covers the loading of the Alpine.js library. The CDN does not place cookies, but loading a script from a CDN exposes the visitor's IP address to the CDN provider.
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law.
Category
Retention period · Legal basis
Contact-form submission (no contract follows)
12 months · legitimate interest
Contracts and individual agreements
7 years after contract end · NL law + tax law
Invoices, billing records, payment data
7 years · NL tax law (Belastingdienst)
Correspondence with active customers
contract duration + 7 years · contract + NL law
Correspondence with past customers
12 months after last contact · legitimate interest
Web logs (errors / honeypot only)
90 days · security monitoring
Sessions
120 minutes after last activity · technical necessity
Backups
30–90 days rolling · disaster recovery
Where retention is required by law (in particular, the seven-year period applicable to invoices and certain contractual records under Dutch tax law), we cannot delete the relevant data before the legal retention period expires. At the end of the applicable retention period, data is deleted or anonymised.
Under the GDPR you have the following rights in respect of your personal data:
Right (GDPR Article)
What it means
Access (Art. 15)
Receive a copy of personal data we hold about you
Rectification (Art. 16)
Have inaccurate data corrected, or incomplete data completed
Erasure (Art. 17)
Deletion where no legal basis remains
Restriction (Art. 18)
Pause processing in defined circumstances
Data portability (Art. 20)
Receive a copy in a structured, machine-readable format
Object (Art. 21)
Object to processing based on legitimate interest
Withdraw consent (Art. 7(3))
Where processing is based on consent, withdraw at any time
Lodge a complaint
Complaint to a supervisory authority (Autoriteit Persoonsgegevens, NL)
To exercise any of these rights, send your request to privacy@netelkaar.com. We will respond within 30 calendar days of receiving the request, as required by article 12(3) of the GDPR. We may extend this period by up to a further two months for complex requests and will inform you of any extension within the original 30-day period. To verify your identity for unusual or sensitive requests, we may ask for reasonable proof.
You have the right to lodge a complaint with a data-protection supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Bezuidenhoutseweg 30, 2594 AV The Hague — autoriteitpersoonsgegevens.nl. We would appreciate the opportunity to address your concerns directly before you turn to the supervisory authority — please contact privacy@netelkaar.com in the first instance.
§06.1 Cookies
The Netelkaar website uses only the following cookies and similar storage. There are no tracking, analytics, advertising, or third-party cookies of any kind.
Name
Type
Lifetime
Purpose
netelkaar_session
First-party HTTP cookie · http-only · SameSite=Lax
120 minutes after last activity
Session and CSRF protection on the contact form
XSRF-TOKEN
First-party HTTP cookie · readable by JavaScript on this site
120 minutes
CSRF token for AJAX form submissions
theme
localStorage (not a cookie)
Until you clear it manually
Light/dark theme preference. Not transmitted to our server.
All cookies above are strictly necessary within the meaning of article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended) and its Dutch implementation (article 11.7a of the Telecommunicatiewet), so no cookie consent banner is required. Browsers let you inspect and delete cookies under their privacy settings; blocking the cookies listed above means the contact form will not work and your theme preference will reset on every visit.
§06.1.1 Analytics (Umami, self-hosted)
The Netelkaar website includes a small analytics script (/_a/script.js) served from our own domain. The script collects anonymous, aggregate visit data — page URL, referrer, country-level location, browser type, and screen size — and sends it to a self-hosted instance of Umami (an open-source analytics tool) running on Netelkaar's own infrastructure within the EU.
No cookies are set, no cross-site tracking occurs, and no personal identifiers are stored. Visitor IP addresses are hashed using a daily-rotating salt to identify unique visitors within a 24-hour window and are then discarded — raw IP addresses are never retained. No data is shared with third parties. Because this analytics is fully first-party, cookieless, and does not store identifiers, no cookie consent banner is required under article 5(3) of the ePrivacy Directive.
§06.2 Security
Netelkaar implements appropriate technical and organisational measures to protect personal data: encryption at rest (full-disk) on Netelkaar's controlled infrastructure, encryption in transit (TLS), access control on a need-to-know basis under documented confidentiality obligations, physical security in an ISO 27001 certified data centre in Amsterdam (24/7 staffing, access control, CCTV, environmental controls), backup rotation within the EU/EEA, regular patching, and access logs to support incident investigation.
For personal data Netelkaar processes on a Customer's behalf as a Processor, the technical and organisational measures applicable to that processing are set out in detail in the Data Processing Agreement provided when entering into a contract.
§07.1 Data breach notification
In the event of a personal-data breach we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, as required by article 33 of the GDPR, and will inform affected customers without undue delay where the breach poses a high risk to their rights and freedoms (article 34 of the GDPR).
§07.2 Children's data
We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently collected data of a minor, please contact privacy@netelkaar.com and we will delete it.
§07.3 Changes to this Policy
We may update this Policy from time to time. The current version is published at /legal/privacy and identified by the document ID and version stamp in the footer. Material changes affecting your rights will be notified at least 30 days in advance by email (where possible) or by prominent notice on the website. Amendments do not apply retroactively. Continued use of our website and services after the effective date of an amendment constitutes acknowledgement of the amended Policy.
§07.4 Privacy contact
Email: privacy@netelkaar.com. Postal address: Netelkaar B.V., Vlierweg 12, 1032LG Amsterdam, the Netherlands. For non-privacy matters: info@netelkaar.com (general), legal@netelkaar.com (formal legal notices), abuse@netelkaar.com (abuse complaints).
§07.5 Version history
Version · Date
Changes
v1.1 · 13 May 2026
Added Umami self-hosted analytics (§02.5, §02.7, §06.1.1). No third-party data processors added; analytics runs entirely on Netelkaar's own infrastructure within the EU.
v1.0 · 11 May 2026
First public release.
