Privacy Statement
Data Controller

Emilia Shend
Maastricht, Netherlands
Email: emilia.shend@gmail.com
Phone: +31 6 86 04 84 54
KVK number: 42009866

1. Introduction

Emilia Shend attaches great importance to the careful handling of personal data. In this Privacy Statement, I explain what personal data I collect, why I collect it, on what legal basis I process it, how long I retain it, with whom it may be shared, and what rights you have.

This Privacy Statement has been prepared in accordance with the General Data Protection Regulation (GDPR / AVG) and applicable Dutch privacy law. A privacy statement is mandatory when personal data is processed, and it must clearly explain the identity of the organisation, the purposes of processing, the legal basis, retention periods, recipients, and the rights of data subjects.

2. What personal data do I collect?

Depending on how you use my website or services, I may process the following personal data:

Contact and enquiry form

  • Name
  • Email address
  • Organisation or school name
  • Information you provide in your message or enquiry
  • Timeline and budget details, if you choose to provide them

Payments and orders

  • Name
  • Email address
  • Billing details
  • Payment information necessary to process a transaction
  • Service or order details

I do not store full bank card details myself. Payments are handled through a third-party payment provider.

Website use

If my website uses cookies or analytics tools, I may process limited technical or usage data such as:

  • IP address
  • Browser type
  • Device information
  • Pages visited
  • Date and time of visit

Under Dutch guidance, websites that use cookies must inform visitors clearly which cookies are used, why they are used, how long the data is stored, and with whom it is shared; in many cases explicit consent is also required.

3. Why do I process your personal data?

I process personal data only for specific and legitimate purposes, as required by the GDPR.

Your personal data may be used for:

  • responding to contact requests and enquiries
  • preparing offers or proposals
  • providing services
  • processing and administering payments
  • complying with legal and tax obligations
  • improving the functioning and security of the website
  • complying with cookie preferences, where applicable

4. Legal bases for processing

Under the GDPR, personal data may only be processed if there is a valid legal basis. The Dutch DPA lists consent, performance of a contract, legal obligation, and legitimate interest among the recognised legal bases.  

I rely on the following legal bases:

Purpose


Legal basis


Responding to enquiries and contact requests

Legitimate interest and/or taking steps prior to entering into a contract

Providing services and processing payments

Performance of a contract

Invoicing and financial administration

Legal obligation

Non-essential cookies or analytics, where applicable

Consent


5. With whom do I share your data?

I only share personal data where necessary for the operation of my business or website, for example with:

  • payment service providers
  • website hosting providers
  • website or technical service providers
  • accounting or invoicing tools, if used
  • government authorities where I am legally required to do so

I do not sell your personal data to third parties.

6. International transfers

If one of my service providers is located outside the European Economic Area (EEA), your personal data may be transferred outside the EEA. In that case, I will only do so where appropriate safeguards are in place, such as Standard Contractual Clauses where required. Dutch guidance specifically highlights the need to account for transfers outside the EEA when complying with the GDPR.

7. Retention periods

I do not keep personal data longer than necessary. The GDPR requires that personal data not be stored longer than needed, while some administrative records must be retained to meet legal obligations. Dutch business guidance notes that administrative data may need to be retained for 7 or 10 years depending on the record.

I generally apply the following retention periods:

Data


Retention period


Contact enquiries

Up to 12 months after the last contact, unless further communication is needed

Quotations and project-related communication

As long as necessary for the request and follow-up

Payment and invoice data

7 years, insofar as required for tax and accounting obligations

Cookie or analytics data

According to the settings of the relevant tool, where applicable


8. Your rights

Under the GDPR, you have the right to:

  • access your personal data
  • correct inaccurate data
  • request deletion of your data
  • restrict processing in certain circumstances
  • object to processing based on legitimate interest
  • receive your data in a portable format where applicable
  • withdraw your consent at any time where processing is based on consent

The Dutch DPA states that individuals must be informed clearly about these rights and how they can exercise them.

You can exercise your rights by contacting:
emilia.shend@gmail.com

9. Complaints

If you believe that I am not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The AP is the Dutch supervisory authority for privacy legislation.

10. Cookies

My website may use cookies or similar technologies.

  • Essential cookies may be used to ensure the website functions properly.
  • Non-essential cookies, such as certain analytics or marketing cookies, are only used where required after you have given consent.

Dutch business guidance says that websites using cookies must clearly explain which cookies are used, why, how long the data will be stored, with whom it is shared, and how consent can be withdrawn.

More information can be included in a separate Cookie Policy or Cookie Declaration.

11. Security

I take appropriate technical and organisational measures to protect personal data against loss, misuse, or unauthorised access. GDPR compliance also requires businesses to secure personal data properly.

12. Changes

I may update this Privacy Statement from time to time. The latest version will always be available on my website.

Last updated: March 2026
Made on
Tilda