1. Introduction

This privacy statement describes how INTIGRITI may process personal data in the context of its general business activities.

This privacy statement does not describe how Intigriti processes personal data in the context of your use of the website www.intigriti.com. If you would like more information on how we processes personal data in that context, please consult the privacy statement on the website.

Who are we? Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Borsbeeksebrug 34/1, 2600 Antwerp, Belgium.

The current privacy statement sets out which personal data we may process, how we may use it, with whom we may share it, and which rights you may have in this context. While this privacy statement describes how we usually process your personal data, the content of the current document may not be construed or interpreted as an obligation for us to process or preserve certain information. Moreover, we may decide not to process certain data about you and/or to delete any of your personal data prior to the completion of processing term that is indicated below.

If you have any questions or remarks on how we process your personal data, please reach out to our privacy team at: privacy@intigriti.com.

2. Summary privacy statement

In order to inform you in an efficient and understandable manner about how we use your personal, we hereby provide a high level overview of the processing activities we carry out.

Want more info? Please consult our full privacy statement below.

2.1. Who are we?

Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office Borsbeeksebrug 34/1, 2600 Antwerp, Belgium.

2.2. How do we use and process your personal data?

If you are a supplier of us, or work for one of our suppliers, we may process personal data that is relevant in the context of supplier relationship management (e.g. identification and contact data and your profession and occupation).
If you are a customer of us, or work for one of our customers, we may process personal data that is relevant in the context of customer relationship management (e.g. identification and contact data and your profession and occupation).
In certain cases, we may be under a legal obligation to process personal data about you.
If you subscribe to one of our newsletters, we use your email address to send the concerned newsletters to you.
We may process personal data in the context of lead generation and prospect management (i.e. to search new clients or researchers);
We may process your personal data in the context of our direct marketing activities;
If we contact you, or you contact us, per email, telephone, regular post or otherwise, we store any such written or digital communication, or may take notes of any oral conversations we might have;
We process any data that may be relevant for risk and claims management;
We process personal data for the purposes of generating aggregated/ anonymous statistics.

2.3. Who has access to your data?

Most of your data will stay within Intigriti, and will be shared with our personnel on a need-to-know basis.
We may share your personal data with our service providers, advisors, etc. where this is needed or useful to enable them to provide their assistance or services to us.
We may share your personal data with financial institutions, payment providers and other relevant services providers, for the purpose of making or receiving payments.
We may share your personal data with public authorities (including tax and social security authorities) when we are legally required to do so.

In the context of some specific processing activities, we may additionally disclose your personal data, in accordance with the provisions of the full privacy statement below.

2.4. What are your rights?

In the context of the GDPR, you have certain rights in relation to your personal data, such as the right to be informed of the personal data we process about you, the right to rectify any data that is incorrect, and (in certain cases) the right to have your personal data deleted.
The exercise of these rights may be subject to legal conditions.
For an overview of the specific rights you have in the context of the processing of your personal data, please consult section 3.4 of this privacy statement.

2.5. How can you contact us?

privacy@intigriti.com

3. Full privacy statement

In order to more closely inform you about how we use your personal data, we hereby provide a more detailed overview of the processing activities we carry out in the context of our platform.

Prefer to be informed of the essentials only? Please consult our summary privacy statement above.

3.1. Who are we?

We are Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646.
Our principal seat of business is located at Borsbeeksebrug 34/1, 2600 Antwerp, Belgium.

3.2. How do we use and process your personal data?

We process the personal data described in the current section of this privacy statement. For each processing activity, we strive to explain why we process that data and will clarify the legal basis for the processing.

Supplier relationship management

We process the below information about our suppliers and their employees, representatives or collaborators that are involved in the cooperation.

Purpose:	This information is used for the purpose of supplier relationship management, and more precisely to assess if you’d be a good match for us, to negotiate, prepare, execute, and/or manage our agreements with you, and to interact with you in that context.
Data Categories:	Identification data; Contact details; Profession, occupation, professional qualifications, company/employer; Information about payments; Personal data included in agreements or linked to the signature thereof; Customer survey feedback data.
Legal Basis:	We rely upon legitimate interest for processing activities related to customer relationship management, except for customer surveys, where we rely upon consent.
Processing Term:	As from termination of the agreement with the concerned supplier: retention during the period relevant for legal action (currently 10 years).
Recipients:	This information can be shared with companies or persons that are involved in the receipt or provision of the products or services (e.g. our consultants that work with you). This information can be shared with the general recipients, indicated in section 3.3 of this privacy statement.

Customer relationship management

We process information about our customers and their employees, representatives or collaborators, who are involved in the cooperation.

Purpose:	This information is used for the purpose of customer relationship management, and more precisely to negotiate, prepare, execute, and/or manage our agreements with you, and to interact with you in that context (including potentially in the context of upselling).
Data Categories:	Identification data; Contact details; Profession, occupation and company/employer; Information about payments; Personal data included in agreements or linked to the signature thereof.
Legal Basis:	Where customer and data subject are one and the same: contractual necessity. In all other cases: our legitimate interest, namely to perform and follow-up on our agreements with our customers.
Processing Term:	As from termination of the agreement with the concerned customer: retention during the period relevant for legal action (10 years).
Recipients:	This information can be shared companies or persons that are involved in the receipt or provision of the products or services (e.g. our consultants that work with you). This information can be shared with the general recipients, indicated in section 3.3 of this privacy statement.

Compliance with legal obligations

Purpose:	Sometimes we are required to store, process or disclose personal data pursuant to a legal obligation. It may for example concern: bookkeeping obligations, duties of cooperation with public authorities or judicial instances, etc.
Data Categories:	Any data which we need to process pursuant to the legal obligation.
Legal Basis:	Legal obligation
Processing Term:	During such term as legally required.
Recipients:	Any recipient we have to disclose the personal data to, in accordance with the legal obligation. Additionally, this information can be shared with the general recipients, indicated in section 3.3 of this privacy statement

Newsletters

If you subscribe to one of our newsletters or other periodical email communications, we will process your personal data for that purpose. You may at any time unsubscribe, by clicking on the unsubscribe button included at the bottom of the relevant email.

Purpose:	To send to the email communications for which you have subscribed.
Data Categories:	Information that is relevant to provide you the newsletter, such as your email address.
Legal Basis:	Consent (opt-in)
Processing Term:	Until 2,5 years after your subscription. On the expiry of this term, we will ask you to confirm if you want to continue receiving our communications.
Recipients:	This information can be shared with the general recipients, indicated in section 3.3 of this privacy statement.

Lead generation and prospect management

We may search for potential prospects or security researchers and process relevant information in that context.

Purpose:	We use personal data to (try to) find interesting prospective clients or security researchers, and to assess if you could be an interesting match to our company and/or services.
Data Categories:	The information may be acquired from you directly (e.g. by means of a connection request or other form of communication on professional social media), from your company or colleagues, from public sources where you published the information (such as professional websites), or may be obtained through references and/or parties with whom we cooperate in the context of business expansion services. Currently, in the context of lead generation and prospect management, we have appointed as a joint controller and could receive your personal data from: Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy statement here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877 and their Data Protection Officer can be emailed at: dpo@sopro.io.
Legal Basis:	Our legitimate interest to generate leads and prospects, for the purpose of expanding our business.
Processing Term:	Until two (2) years from the last meaningful contact we have with you.
Recipients:	From time to time, we may engage digital marketing agencies to conduct marketing activities on our behalf. Such activities may include or result in the processing of personal data. Currently, we have appointed as a joint controller and may share your personal data with: Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy statement here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at: dpo@sopro.io.

Direct marketing

We may search for potential prospects or security researchers and process relevant information in that context.

Purpose:	If you are a current customer or researcher, if you have subscribed or otherwise requested to receive information about or products or services, or if we think you would be an interesting match with our company, we may use your personal data to communicate about Intigriti’s platform, activities and services, to invite you to events or seminars and/or to (try to) convince you to cooperate with us.
Data Categories:	Identification data; Contact details; Profession, occupation and company/employer. Currently, in the context of direct marketing, we have appointed as a joint controller and could receive your personal data from: Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy statement here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877 and their Data Protection Officer can be emailed at: dpo@sopro.io.
Legal Basis:	Our legitimate interest to inform prospects and clients about or services, or where applicable your consent.
Processing Term:	Until two (2) years from the last meaningful contact we have with you. You may at any time request us not to contact you anymore. Please use the contact details set out in the “ Introduction” of this privacy statement. this privacy statement.
Recipients:	From time to time, we may engage digital marketing agencies to conduct marketing activities on our behalf. Such activities may include or result in the processing of personal data. Currently, we have appointed as a joint controller and may share your data with: Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy statement here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at: dpo@sopro.io.

Marketing and sales content platforms

We make use of external platforms, in the context of content sharing and prospect engagement. If you access these platforms, and provide your consent to do so, we may process your personal data in that context.

Purpose:	We use personal data to analyse prospect and customer interactions, and more specifically to assess the impact of and to improve our marketing content, e.g. by logging which document sections users pay much or few attention to.
Data Categories:	Email address; Interactions with the platform (e.g. documents that are accessed, time spent on a specific document, mouse clicks, etc.).
Legal Basis:	Your consent.
Processing Term:	24 months from your last interaction with the platform.
Recipients:	The provider of the platform is our data processor for the data described herein, and will therefore only process your personal data in accordance with our instructions thereto.

Communication data

We process this information about all platform users, and in general about anyone who contacts us.

Purpose:	If you make a communication on the website and/or if you reach out to us, per email, chat, telephone, regular post or otherwise, we store any such written or digital communication, or may take notes of any oral conversations we might have, for the purpose of handling your request, remark or question.
Data Categories:	Identification data you provide to us (e.g. name, surname, profile name); Contact data you provide to us (e.g. email, telephone number, address); Emails, chats and other forms of communication; Any data included in or annexed to your communication; Metadata about your communication (e.g. time of receipt).
Legal Basis:	Our legitimate interests, namely our freedom to operate our business and our interest in preserving evidence of communications made.
Processing Term:	During the period relevant for legal action (currently 10 years).
Recipients:	See our general information on recipients

Risk and claims management

We may further preserve personal data that we process in the context of the other purposes outlined herein, for the purpose of allowing ourselves to demonstrate certain events or actions that took place (e.g. to demonstrate that a party has accepted certain terms and conditions, to demonstrate that someone has opted-in to receive marketing communication, to demonstrate that someone has ordered services, etc.).

Purpose:	The data will be used for evidentiary purposes, to anticipate on potential complaints, questions, demands, claims, proceedings and/or liabilities (either from or vis-à-vis- Intigriti) and, where applicable, to follow-up on any such matters.
Data Categories:	Identification and contact data; Personal characteristics (data of birth); Activities of acceptance, confirmation or permission (such as signatures, ticking boxes, etc.); Actions you undertake vis-s-vis us (e.g. where you exercise a right to be forgotten); Personal data included in agreements or linked to the signature thereof; Other events or data that may be relevant to us for evidentiary purposes.
Legal Basis:	Legitimate interest, namely in the context of risk- and claims management (including the collection of debts).
Processing Term:	During the period relevant for legal action (in most cases this will be 10 years).
Recipients:	Information may be shared with legal or other relevant advisors, court instances, bailiffs and other parties involved in a dispute, claim, or demand. Additionally, this information can be shared with the general recipients, indicated in section 3.3 of this privacy statement.

Aggregates and statistics

All data we process in accordance with the current privacy statement can be used to generate anonymous statistics.

Purpose:	We aggregate and anonymize data which might be interesting to us, so that we can further use such data for different purposes. The data will be aggregated and/or anonymized, so that the final set of data is no personal data in the meaning of the GDPR.
Data Categories:	All personal data categories referenced in the current privacy statement.
Legal Basis:	Legitimate interest, namely our freedom of enterprise.
Processing Term:	We can process personal data to generate statistics, for as long as we dispose over the personal data in the context of the a data processing activity described in the current privacy statement.
Recipients:	This information can be shared with the general recipients, indicated in section 3.3 of this privacy statement.

If personal data would be processed outside of the EEA, we will apply measures to ensure an adequate level of protection of your personal data, equivalent to the protection within the EEA.

3.3. Who do we share your data with?

Our general recipients are the following:

We will disclose your personal data to our personnel, on a need-to-know basis.
We may share your personal data with financial institutions, payment providers and other relevant services providers,
for the purpose of making or receiving payments.
We share your personal data with public authorities (including tax and social security authorities) when we are legally
required to do so;
To the extent needed for that purpose, we may potentially share limited personal data with third parties, in connection
with an (anticipated or considered) disposal of assets, restructuring, merger or sale of shares.
We share your personal data with our professional advisors, lawyers and bailiffs to the extent relevant to their assistance.
Furthermore, we use various suppliers and service providers and may share personal data with them, where this is
needed or useful to enable them to provide their assistance or services to us (e.g. hosting providers or parties who assist us in securing our premises, etc.). These parties may only process your personal data in accordance with our instructions thereto.

3.4. Which rights do you have in relation to your personal data?

In accordance with the provisions of the GDPR, you have several rights with regard to the personal data that we process about you. We try to explain your rights here in a simplified way here. Please note that the exercise of your rights may be subject to additional legal conditions.

To exercise any of your rights, please send us a written request, using the contact details indicated in the “Introduction” of this privacy statement. We will respond to your request without undue delay, but in any event within one month of the receipt of the request. In the event of an extension of the term to respond or in the event we do not take action on your request, we will notify you.

Right to information and right of access

You have the right to confirmation as to whether or not we process your personal data and, in the event we do so, you have the right to access such personal data, together with certain additional information that you also find listed in this privacy statement. You have the right to receive from us a copy of your personal data we have in our possession, provided that this does not adversely affect the rights and freedoms of others. The first copy will be provided free of charge, but we reserve the right to charge a reasonable fee if you request further copies.

Right to rectification

If the personal data we hold about you is inaccurate or incomplete, you have the right to have this information rectified or, taking into account the purposes of the processing, completed. Have you noticed an error in the information we hold? Please let us know using the contact details below.

Right to erasure (“right to be forgotten”)

You have the right to ask us to erase your personal data. We are obliged to comply with this request in each of the following situations:

If we no longer need the data for the purposes for which it was collected or otherwise processed.
If the data is processed on the basis of consent, you withdraw your consent, and there is no other legal basis for the
processing.
If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.
If you object to the processing of your data for direct marketing purposes.
If we have processed your personal data unlawfully.
If the personal data must be deleted to comply with a legal obligation to which we are subject.

There are certain exclusions to the right to erasure. Those exclusions include the situation where processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation; or
for the establishment, exercise or defense of legal claims.

Right to restriction of processing

You have the right to restrict the processing of your personal data (meaning that the personal data may only be stored by us and may only be used for limited purposes), if:

You contest the accuracy of the personal data (and only for as long as it takes to verify that accuracy);
The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
We no longer need the personal data for the purposes of our processing, but you require personal data for the
establishment, exercise or defense of legal claims; or
You have objected to processing, pending the verification of that objection.

In addition to our right to store your personal data, we may still otherwise process it but only:

with your consent;
for the establishment, exercise or defense of legal claims;
for the protection of the rights of another natural or legal person; or
for reasons of important public interest.

We will inform you before we lift the restriction of processing.

Right to data portability

To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others. You also have the right to have your personal data transferred directly to another company, if this is technically possible, and/or to store your personal data for further personal use on a private device.

Right to withdraw your consent

If the processing is based on your consent, you have the right to withdraw this consent for the future.

Automated decision-making and profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning your, or similarly significantly affects you.

Right to object to processing

Where we process your personal data based on legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.

How can you exercise your rights?

You can contact your right to contact us per email at: privacy@intigriti.com
We may ask you to prove your identity, for example by sending us a copy of the front of your identity card.

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Data Protection Authority
Rue du Printing 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35, Email: contact@apd-gba.be

This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.

3.5. Amendments to the privacy statement

We may update this privacy statement from time to time. Please consult the most recent version on our website.

This is version V3 (2023) of the Privacy Statement