PRIVACY POLICY
Effective Date: February 24, 2026
This Privacy Policy (the "Policy") describes how Leyoda, a company organized and existing under the laws of the Netherlands, with its registered office at Maastricht, Netherlands (the "Company", "we", "us", or "our"), collects, uses, processes, stores, and discloses personal data obtained from users ("you", "your", "User", or "data subject") of our website and platform services (collectively, the "Services").
This Policy is issued pursuant to the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and the Dutch Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, "UAVG").
By accessing or using the Services, you acknowledge that you have read and understood, and agree to, the collection, use, and disclosure of your personal data as described in this Privacy Policy.
1. DEFINITIONS AND INTERPRETATION
1.1 Key Definitions
For the purposes of this Policy, the following terms shall have the meanings ascribed below:
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- "Processing" means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, Leyoda acts as the Data Controller;
- "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller;
- "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- "Third Party" means a natural or legal person, public authority, agency, or body other than the data subject, Data Controller, Data Processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- "Services" means the Leyoda website, platform, and all associated services, features, and functionality provided by the Company.
1.2 Data Controller Information
The Data Controller responsible for your personal data is:
Leyoda
Registered Address: Maastricht, Netherlands
Email: privacy@leyoda.eu
2. DATA PROTECTION OFFICER
2.1 DPO Contact Information
The Company has appointed a Data Protection Officer ("DPO") in accordance with Article 37 of the GDPR. The DPO is responsible for monitoring compliance with the GDPR and related data protection legislation and serves as the primary contact point for data subjects and supervisory authorities regarding data protection matters.
Data Protection Officer
Email: dpo@leyoda.eu
Postal Address: Maastricht, Netherlands
2.2 When to Contact the DPO
You may contact the DPO for:
- Questions regarding the processing of your personal data;
- Exercise of your data subject rights under the GDPR;
- Concerns about data protection compliance;
- Data breach notifications;
- Complaints regarding privacy practices.
3. SCOPE AND APPLICABILITY
3.1 Territorial Scope
This Policy applies to the processing of personal data of data subjects who are in the European Union, regardless of whether the processing takes place within the EU or not, in accordance with Article 3 of the GDPR.
3.2 Material Scope
This Policy applies to all personal data processed by the Company through:
- The Leyoda website accessible at leyoda.eu;
- Email communications and customer support interactions;
- Business relationships with clients, partners, and service providers;
- Any other channels through which the Company collects or processes personal data.
3.3 Third-Party Services
This Policy does not apply to third-party websites, applications, or services that may be linked from or integrated with our Services. Users are advised to review the privacy policies of such third parties independently, as the Company is not responsible for their data protection practices.
4. PERSONAL DATA WE COLLECT
4.1 Categories of Personal Data
The Company collects and processes the following categories of personal data:
4.1.1 Account and Registration Information
When you create an account or register for our Services:
- Full name
- Email address
- Password (stored in encrypted form)
- Company name and position (if applicable)
- Country of residence
- Phone number (optional)
- Profile photograph (optional)
4.1.2 Usage and Technical Data
Automatically collected when you use our Services:
- IP address (processed transiently for geolocation only; not stored — see Section 5.2)
- Browser type and version (via User-Agent header)
- Operating system and platform
- Pages visited and features accessed
- Date and time of visits
- Referring website addresses
- Click-stream data and navigation patterns
- Approximate geographic location (country and city, derived from IP address at request time via an offline database)
4.1.3 Communications Data
When you communicate with us:
- Email correspondence
- Customer support inquiries and tickets
- Feedback and survey responses
4.1.4 Marketing and Preferences Data
- Marketing preferences and consent records
- Communication preferences
- Newsletter subscription status
- Interest categories and preferences
4.1.5 User-Generated Content
- Content uploaded, posted, or shared through the Services
- Files and documents stored on the platform
4.2 Special Categories of Personal Data
The Company does not intentionally collect or process special categories of personal data as defined in Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) unless explicitly required for specific service features and with your explicit consent or as otherwise permitted by law.
4.3 Children's Data
The Services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information as soon as possible. Parents or guardians who believe we have collected information from a child under 16 should contact us immediately at privacy@leyoda.eu.
5. HOW WE COLLECT PERSONAL DATA
5.1 Direct Collection
We collect personal data directly from you when you:
- Register for an account or create a user profile;
- Complete forms on our website;
- Contact customer support or communicate with us;
- Participate in surveys, promotions, or contests;
- Subscribe to newsletters or marketing communications;
- Attend events, webinars, or demos hosted by the Company.
5.2 Automated Collection
We collect certain data automatically through:
- Cookies and similar tracking technologies (see Section 15 and our Cookie Policy);
- Log files and server logs;
- Self-hosted, server-side analytics — the Company operates its own analytics infrastructure to record page views, referral sources, and user interactions. No third-party analytics services (such as Google Analytics) are used. IP addresses are processed transiently to derive approximate geographic location (country and city) via a locally-hosted MaxMind GeoLite2 database and are not stored.
5.3 Third-Party Sources
We may receive personal data from:
- Social media platforms (if you choose to link your social media account);
- Business partners and affiliate networks;
- Data enrichment services for business contacts (publicly available information only);
- Payment processors and fraud prevention services;
- Public databases and registers.
6. PURPOSES AND LEGAL BASIS FOR PROCESSING
6.1 Processing Purposes
The Company processes personal data for the following purposes, each with a corresponding legal basis under Article 6 GDPR:
6.1.1 Service Provision and Contract Performance (Article 6(1)(b) GDPR)
- Creating and managing user accounts;
- Providing access to platform features and functionality;
- Processing transactions and delivering purchased services;
- Providing customer support and responding to inquiries;
- Sending transactional communications (account notifications, service updates);
- Facilitating collaboration and content sharing features.
Legal Basis: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
6.1.2 Legal Obligations (Article 6(1)(c) GDPR)
- Compliance with accounting, tax, and financial reporting obligations;
- Responding to lawful requests from law enforcement or regulatory authorities;
- Maintaining records as required by applicable law;
- Preventing fraud, money laundering, and other illegal activities;
- Enforcing legal rights and defending against legal claims.
Legal Basis: Processing is necessary for compliance with a legal obligation to which the Company is subject.
6.1.3 Legitimate Interests (Article 6(1)(f) GDPR)
- Analyzing usage patterns to improve Services and user experience;
- Conducting internal research and development;
- Detecting, preventing, and investigating security incidents and fraud;
- Network and information security measures;
- Business analytics and reporting;
- Direct marketing to existing customers (with easy opt-out);
- Enforcing Terms of Use and preventing misuse of Services.
Legal Basis: Processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Legitimate Interest Assessment: The Company has conducted balancing tests to ensure that processing for legitimate interests does not unduly impact data subject rights. Documentation of these assessments is available upon request.
6.1.4 Consent (Article 6(1)(a) GDPR)
- Marketing communications to prospective customers;
- Non-essential cookies and tracking technologies;
- Personalized advertising and content recommendations;
- Participation in optional surveys and research studies;
- Processing of special categories of personal data (where applicable).
Legal Basis: The data subject has given consent to the processing of their personal data for one or more specific purposes.
Consent Characteristics: All consent obtained meets GDPR requirements: freely given, specific, informed, and unambiguous. Consent can be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.2 Withdrawal of Consent
Where processing is based on consent, you have the right to withdraw your consent at any time by:
- Accessing your account settings and modifying preferences;
- Clicking the "unsubscribe" link in marketing emails;
- Contacting us at privacy@leyoda.eu;
- Using the cookie consent management tool on our website.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
7. DATA SHARING AND DISCLOSURE
7.1 Categories of Recipients
The Company may share your personal data with the following categories of recipients:
7.1.1 Service Providers and Data Processors (Article 28 GDPR)
We engage third-party service providers to perform functions on our behalf, including:
- Cloud hosting and infrastructure providers;
- Authentication providers — LinkedIn (for OAuth / OpenID Connect social login);
- IP geolocation — MaxMind GeoLite2 (offline database; no API calls or data sharing with MaxMind);
- Email delivery services;
- Cybersecurity and fraud prevention services.
All data processors are bound by data processing agreements pursuant to Article 28 GDPR and are contractually obligated to implement appropriate technical and organizational measures to protect personal data.
7.1.2 Business Partners and Affiliates
- Strategic business partners for joint offerings or integrated services;
- Corporate affiliates and subsidiaries within the Leyoda corporate group;
- Resellers and distribution partners (with your consent where required).
7.1.3 Legal and Regulatory Authorities
- Law enforcement agencies, courts, and regulatory authorities when required by law or legal process;
- Tax authorities and financial regulators as required by applicable law;
- Data protection supervisory authorities (Autoriteit Persoonsgegevens).
7.1.4 Professional Advisors
- Legal counsel, accountants, auditors, and other professional advisors bound by confidentiality obligations.
7.1.5 Business Transactions
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal data may be transferred to successor entities or acquiring parties, subject to this Privacy Policy and applicable law.
7.2 No Sale of Personal Data
The Company does not sell, rent, or trade personal data to third parties for monetary consideration or other valuable consideration.
7.3 Data Sharing Safeguards
All data sharing arrangements include:
- Contractual obligations to protect personal data;
- Restrictions on further processing beyond specified purposes;
- Requirements to implement appropriate security measures;
- Obligations to notify the Company of data breaches;
- Rights to audit compliance with data protection obligations.
8. INTERNATIONAL DATA TRANSFERS
8.1 Transfers Outside the EEA
The Company is based in the Netherlands, and our primary data processing infrastructure is located within the European Economic Area (EEA). However, some of our service providers and business partners may be located in countries outside the EEA, including the United States.
8.2 Transfer Safeguards
When personal data is transferred to countries outside the EEA that do not provide an adequate level of data protection as determined by the European Commission, we implement appropriate safeguards pursuant to Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses approved pursuant to Article 46(2)(c) GDPR;
- Adequacy Decisions: Where transfers are to countries subject to an adequacy decision by the European Commission (Article 45 GDPR);
- Binding Corporate Rules: For transfers within our corporate group (if applicable);
- Supplementary Measures: Additional technical and organizational measures to ensure data protection in accordance with EDPB recommendations.
8.3 Transfer Impact Assessments
The Company conducts transfer impact assessments to evaluate the legal framework and practices in destination countries, ensuring that appropriate safeguards are in place and effective. Documentation of these assessments is available upon request.
8.4 Right to Information
You have the right to obtain information about the safeguards implemented for international data transfers by contacting our Data Protection Officer at dpo@leyoda.eu.
9. DATA RETENTION
9.1 Retention Principles
The Company retains personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, in accordance with the storage limitation principle set forth in Article 5(1)(e) GDPR.
9.2 Specific Retention Periods
| Category of Personal Data | Retention Period | Legal/Business Justification |
|---|---|---|
| Account and registration information | Duration of account + 1 year after account closure | Contract performance and legal claims defense (Dutch Civil Code Article 3:307) |
| Payment and transaction records | 7 years from end of fiscal year | Dutch tax law (Algemene wet inzake rijksbelastingen) and accounting obligations |
| Usage and technical data (logs) | 90 days | Security monitoring and system optimization |
| Marketing communications data | Until consent withdrawal + 30 days | Consent-based processing; grace period for system updates |
| Customer support communications | 3 years from last interaction | Service quality improvement and dispute resolution |
| Cookies and tracking data | As specified in Cookie Policy (max 24 months) | Purpose-specific retention based on cookie type |
| Contract and business records | 7 years after contract termination | Dutch Civil Code limitation periods and commercial record-keeping |
9.3 Deletion and Anonymization
Upon expiration of applicable retention periods, personal data is:
- Securely deleted or destroyed beyond recovery; or
- Anonymized such that it can no longer be attributed to an identified or identifiable natural person and falls outside the scope of the GDPR.
9.4 Legal Hold
Notwithstanding the above retention periods, the Company may retain personal data for longer periods where required by law, legal process, litigation hold, regulatory investigation, or to establish, exercise, or defend legal claims.
10. DATA SUBJECT RIGHTS
10.1 Your Rights Under the GDPR
Pursuant to Chapter III of the GDPR, data subjects have the following rights regarding their personal data:
10.1.1 Right of Access (Article 15 GDPR)
You have the right to obtain:
- Confirmation as to whether personal data concerning you is being processed;
- Access to such personal data and information about the processing (purposes, categories, recipients, retention period);
- A copy of the personal data undergoing processing (first copy provided free of charge).
10.1.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
10.1.3 Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)
You have the right to obtain erasure of personal data concerning you without undue delay where:
- The personal data is no longer necessary for the purposes for which it was collected;
- You withdraw consent and there is no other legal ground for processing;
- You object to processing and there are no overriding legitimate grounds;
- The personal data has been unlawfully processed;
- Erasure is required to comply with a legal obligation.
This right is subject to exceptions, including where processing is necessary for compliance with legal obligations or for the establishment, exercise, or defense of legal claims.
10.1.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing where:
- The accuracy of the personal data is contested (for a period enabling verification);
- The processing is unlawful and you oppose erasure and request restriction instead;
- The Company no longer needs the personal data but you require it for legal claims;
- You have objected to processing pending verification of overriding legitimate grounds.
10.1.5 Right to Data Portability (Article 20 GDPR)
You have the right to:
- Receive personal data concerning you in a structured, commonly used, and machine-readable format;
- Transmit that data to another controller without hindrance from the Company.
This right applies where: (a) processing is based on consent or contract; and (b) processing is carried out by automated means.
10.1.6 Right to Object (Article 21 GDPR)
You have the right to object at any time to processing of personal data based on:
- Legitimate interests (Article 6(1)(f)) — the Company shall cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms;
- Direct marketing purposes — the Company shall cease processing for such purposes upon objection;
- Scientific or historical research or statistical purposes — except where processing is necessary for a task carried out for reasons of public interest.
10.1.7 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except where:
- The decision is necessary for entering into or performing a contract;
- It is authorized by EU or Member State law;
- It is based on your explicit consent.
The Company does not currently engage in automated decision-making with legal or similarly significant effects without human intervention.
10.1.8 Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
10.2 Exercising Your Rights
To exercise any of the above rights, please submit a request:
- By email to: privacy@leyoda.eu
- By post to: Leyoda, Maastricht, Netherlands
We will acknowledge receipt of your request within 72 hours and provide a substantive response within one (1) month, extendable by a further two (2) months for complex requests.
10.3 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens.
11. DATA SECURITY
11.1 Technical Measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
- Secure authentication mechanisms including multi-factor authentication;
- Regular security assessments and penetration testing;
- Intrusion detection and prevention systems;
- Automated vulnerability scanning and patch management;
- Secure software development lifecycle (SSDLC) practices;
- Data backup and disaster recovery procedures.
11.2 Organizational Measures
- Role-based access controls with principle of least privilege;
- Employee confidentiality agreements and data protection training;
- Incident response procedures and breach notification protocols;
- Regular internal audits of data processing activities;
- Vendor risk assessment and management programs;
- Data classification and handling policies.
11.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Company will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company will communicate the breach to affected data subjects without undue delay (Article 34 GDPR).
12. DATA PROTECTION IMPACT ASSESSMENTS
The Company conducts Data Protection Impact Assessments (DPIAs) in accordance with Article 35 GDPR when processing is likely to result in a high risk to the rights and freedoms of natural persons, including:
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling;
- Processing on a large scale of special categories of data;
- Systematic monitoring of a publicly accessible area on a large scale.
13. RECORDS OF PROCESSING ACTIVITIES
The Company maintains records of processing activities in accordance with Article 30 GDPR. These records include the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a general description of technical and organizational security measures. These records are available for inspection by the Autoriteit Persoonsgegevens upon request.
14. AUTOMATED DECISION-MAKING AND PROFILING
14.1 Use of Automated Processing
The Company may use automated processing techniques to improve service delivery and user experience, such as content recommendations and platform optimization. These automated processes do not produce legal effects or similarly significantly affect data subjects.
14.2 Safeguards
Where automated decision-making is employed, the Company ensures: the right to obtain human intervention, the right to express your point of view, and the right to contest the decision.
15. COOKIES AND TRACKING TECHNOLOGIES
For comprehensive information about the cookies and tracking technologies used by the Company, including types of cookies, purposes, and management options, please refer to our Cookie Policy.
16. CHANGES TO THIS PRIVACY POLICY
16.1 Policy Updates
The Company reserves the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. The "Effective Date" at the top of this Policy indicates when the latest revisions were made.
16.2 Notification of Changes
For material changes to this Policy, we will:
- Post a prominent notice on our website;
- Send notifications to registered users via email;
- Where required by law, obtain your consent to the updated processing practices.
16.3 Continued Use
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you should discontinue use of the Services and contact us regarding deletion of your data.
17. CONTACT INFORMATION
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:
Leyoda
Maastricht, Netherlands
Email: privacy@leyoda.eu
Data Protection Officer
Email: dpo@leyoda.eu
Postal Address: Maastricht, Netherlands
18. GOVERNING LAW AND JURISDICTION
18.1 Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Netherlands, including the GDPR as directly applicable in the Netherlands and the UAVG.
18.2 Jurisdiction
Any disputes arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in the Netherlands, without prejudice to your right to lodge a complaint with the Autoriteit Persoonsgegevens or to seek judicial remedy in the Member State of your habitual residence or place of work (Article 79 GDPR).