V2.0 TriFact365 Privacy Statement

Effective Date: 1 August 2026


At TriFact365, we process personal data. In this privacy statement, we explain what data we process, why, for how long, and what rights you have.

Our Privacy Statement at a Glance

  • We define our processing purposes and legal bases before we process your personal data.

  • We process as little personal data as possible—only what is necessary for the purpose.

  • We explicitly request consent when required.

  • We secure your data and require our subprocessors to do the same.

  • You have rights—including the right to access, rectify, and erase your data, among others—and you can withdraw your consent at any time.

1. Who is TriFact365

TriFact365 provides business software and is the data controller for the personal data described in this statement. For privacy questions and our contact information, please visit our contact page.

2. Legal Framework

We process personal data in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR).

3. When Does This Statement Apply

This statement applies to data for which TriFact365 itself is the data controller. For data that you, as a Customer, enter into our Software (Customer Data), we act as the data processor, and the terms set forth in our General Terms and Conditions and our Data Processing Agreement apply.

This privacy statement applies to:

  • our website (https://www.trifact365.com)

  • your use of the TriFact365 Software—your account, subscription, and usage data (SaaS portal and mobile app for Android and iOS)

  • our marketing activities (newsletters, webinars, advertisements)

  • job application processes (working at TriFact365)

4. What Data We Process and Why

The tables below list, for each processing activity: the purpose, the personal data we use for that purpose, and the legal basis. The legal basis determines the legal grounds on which we are permitted to process your data.

4.1 Website

When you visit our website or fill out a form, we process:

Purpose

What data

Legal basis

Trial subscription registration

first name, last name, company name, phone number, email address

performance of the agreement

Scheduling a consultation, onboarding, or sales meeting

first name, last name, email address, any additional information in your message

performance of the agreement (existing customer or trial user); legitimate interest (prospects)

Webinar registration

first name, last name, email address, company name

legitimate interest

Newsletter

first name, last name, email address

consent

Contact form and white paper

first name, last name, email address, phone number, company name

legitimate interest

Ads on social media and search engines

email address

consent or legitimate interest

Appointment scheduling is handled through Microsoft Bookings. We use Microsoft Teams for participating in meetings. For webinars, we redirect you to YouTube after registration; there, YouTube processes data in accordance with its own privacy policy. Data from forms and appointment bookings is stored in our CRM system for follow-up by Marketing and Sales. Entering into a Subscription (trial or paid) is governed by our General Terms and Conditions.

Without the requested data, we cannot provide the relevant service or follow-up; other data submissions (such as newsletters or contact forms) are voluntary. For processing based on consent, you may withdraw your consent at any time, for example via the unsubscribe link in a newsletter email.

4.2 Use of the Software and Customer Management

When you use the Software and throughout our customer relationship, we process:

Purpose

What data

Legal basis

Login, authentication, and session management in the Software

email address, password (stored as a hash), session data

performance of the agreement

Sales and support contacts

first name, last name, company name, phone number, email address

performance of the agreement

Service communications (product updates, maintenance notifications)

first name, last name, email address

performance of the agreement

Push notifications via the mobile app (optional, only with consent)

unique device ID

consent

Security and audit trail in the Software

IP address, timestamps, log data

legitimate interest

When you first use the app, you consent to push notifications; you can change this preference at any time in your device’s or the app’s settings.

4.3 Working at TriFact365

When you apply for a job with us, we process your data to evaluate your application and prepare for a potential employment relationship:

Purpose

What data

Legal basis

Assessing the application and preparing for employment

name, address, city of residence, phone number, email address, CV, cover letter, passport photo (if provided), salary expectations, references, and any other information you submit

performance of the agreement (pre-contractual measure)

Preliminary research using public sources (e.g., LinkedIn)

publicly available professional information

legitimate interest

If anything relevant emerges from the preliminary review, we will discuss it with you.

Special categories of personal data: We do not actively request special categories of personal data (such as data regarding health, religion, political opinions, or sex life or sexual orientation). If you include such information in your CV or cover letter without being asked, we will not consider it in our assessment and will delete it as soon as practically possible. We do not consider a passport photo on your CV to be a special category, unless we were to process it biometrically—which we do not do.

4.4 Our Legitimate Interests

When we rely on a legitimate interest, it involves one or more of the following interests:

  • commercial follow-up of prospects and direct customer acquisition

  • service development and customer communication

  • security, fraud prevention, and audit trail

  • assessing the suitability of job applicants using public sources

You may always object to processing based on a legitimate interest.

5. Source of Personal Data

We receive most personal data directly from you. In some cases, we receive data indirectly—for example, when an organisation adds additional users to its account, during job applicant screening via public sources, or through commercial information providers for lead generation.

6. How Long Do We Retain Your Personal Data

We do not retain personal data longer than necessary for the purposes for which we process it. If the law requires a longer retention period, we will comply with it. For data for which TriFact365 is the data controller, the following retention periods apply:

  • Website and appointment data: up to 24 months after the last contact

  • Newsletter subscribers: until you unsubscribe

  • Login and session data: duration of the session, plus a reasonable period for fraud prevention

  • Invoice and payment data: 7 years (tax retention requirement, Article 52 of the Dutch General Tax Act (AWR))

  • Security and log data: 12 months

  • Job application data: up to 4 weeks after the position is filled; with consent, one year longer. Upon employment, this data is transferred to the personnel file.

  • Registration and subscription data: for the duration of the Subscription and for an additional 90 days after termination. After that, this data is deleted within 30 days.

7. With Whom Do We Share Your Data

TriFact365 does not sell or trade personal data or Customer Data to third parties.

We only disclose your personal data to third parties:

  • because we have engaged them as subprocessors

  • because we have a legal basis for doing so (for example, a legitimate interest)

  • because we are legally required to do so (for example, at the request of a government agency)

The categories of subprocessors we work with:

  • hosting providers and cloud service providers

  • email and communication service providers

  • CRM provider

  • appointment management and booking system provider

  • video and online meeting providers

  • e-invoicing provider via the Peppol network

  • feedback and support platform

We enter into a data processing agreement with all parties that process personal data on our behalf, in accordance with Article 28 of the GDPR.

The specific subprocessors that process Customer Data on behalf of our Customers are listed on our Subprocessors page.

8. Processing in the EU

We process personal data within the European Union (EU) and the broader European Economic Area (EEA) as much as possible. When a subprocessor processes data (in part) outside the EEA, we ensure appropriate safeguards—such as an adequacy decision by the European Commission or the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914)—supplemented by technical and organisational measures where necessary.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • encryption of data during storage and transmission

  • access restrictions based on roles and a need-to-know basis

  • confidentiality obligations for employees

  • logging and monitoring of access

  • regular backups

An up-to-date overview of our security measures, certifications, and compliance information is available on our Trust Center.

10. Children

Our website and Software are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we discover that we have received data from someone under the age of 16, we will delete it as soon as possible.

11. Your Rights

Under the GDPR, you have the following rights:

  • Access — you have the right to know what data we hold about you

  • Rectification — you have the right to have inaccurate data corrected

  • Erasure — you may request that your data be deleted

  • Restriction of processing

  • Data portability — you have the right to receive your data in a commonly used format

  • Objection

  • Not to be subject to solely automated decision-making

Right to object based on legitimate interest: When processing is based on our legitimate interest, you may object to it at any time.

Automated decision-making: We do not make decisions based solely on automated processing that produce legal effects concerning you or significantly affect you.

To submit a request, please contact us via our contact page. We will generally respond within one month. In the case of a complex request or a large number of requests, we may extend this period by up to two months; we will inform you of the reason in a timely manner. We do not require a copy of your ID for identity verification; we follow the guidelines of the Dutch Data Protection Authority.

Additional rights under other legislation: If you reside in a jurisdiction outside the European Economic Area that provides additional privacy rights, you may submit a request to exercise those rights via our contact page. We will assess the request in accordance with applicable local law to the extent required by the applicable law of that jurisdiction.

12. Cookies

Our website uses cookies. On your first visit, we ask for your consent to use non-functional cookies via a cookie banner. You can find more information on our cookie page. You can adjust your cookie preferences directly via the cookie banner, which you’ll find in the bottom-left corner of our website.

13. Social Media Links

Our website and marketing materials may contain buttons or links to social media platforms such as LinkedIn, YouTube, Instagram, or X. When you click on such a button or link, you will leave our website and be redirected to the relevant platform. From that point on, that platform’s privacy policy applies.

14. Filing a Complaint

Do you have a complaint about how we handle your data? Please contact us first—we believe it’s important to resolve this together. If we cannot reach a resolution, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

15. Changes

We may update this privacy statement from time to time. We will publish any changes on this page with a new date.


End of Privacy Statement — v2.0

TriFact365 B.V.
Arnhemseweg 10, 3817 CH Amersfoort, The Netherlands | Chamber of Commerce No. 30262227 | VAT No. NL820778540B01