Privacy policy

Thank you for visiting our website!

Protecting your privacy and personal data is of the utmost importance to us. We are committed to protecting your privacy and ensuring that you can entrust your personal data to us with confidence. We therefore undertake to process your personal data in a secure and discreet manner. In addition, we take appropriate security measures to prevent the loss, alteration, unauthorised access and/or any other unlawful processing of your personal data.

This privacy policy relates to the processing of personal data by us via our website [www.vrooomy.com].

We strive for transparency regarding how we process your personal data and what we do with it. In this privacy policy, we provide you with further details about these processing activities.

Who are we?

VROOOMY N.V. (VROOOMY), a public limited company incorporated and existing under Belgian law, with its registered office at Boterbosstraat 6 (bus 1), 3550 Heusden-Zolder, Belgium, and registered in the Crossroads Bank for Enterprises (KBO) under number BE0873.674.050 (hereinafter: “VROOOMY”, “we” or “us”)

You can contact us using the following contact details:

Email: support@vrooomy.com

We endeavour to process your personal data in accordance with the applicable legal provisions regarding privacy and the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”) and the applicable national implementing legislation.


Some definitions

For the purposes of this privacy policy, the term “personal data” refers to: any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words: any information that can be used to identify a person. This includes, for example, your first and last name, date of birth, telephone number and email address, as well as your IP address.

The term “processing” is very broad and includes, among other things, the collection, recording, organisation, storage, updating, alteration, retrieval, consultation, use, disclosure, combination, archiving and erasure of data.


Data controller for the processing of your personal data (the “data controller”)

VROOOMY is responsible for the processing of your personal data.

We are what the GDPR describes as the “data controller” for your personal data. In practical terms, this means that VROOOMY, possibly together with other entities, determines the purpose and means of processing your personal data.


What categories of personal data do we process, why, on what legal basis and for how long?

In the table below, you can see:

  • Column 1: which categories of personal data we process (the “Categories of personal data”);
  • Column 2: why we process your personal data (the “Purposes”);
  • Column 3: the legal basis on which the processing is based (the “Legal Basis”); and
  • Column 4: how long we process your personal data (the “Retention Period”).

All processing activities relating to your personal data take place for one or more specific purposes.

Furthermore, we only process your personal data where we can rely on a valid legal basis. The applicable legal basis, which you will find in the “Legal Basis” column, means the following:

  • “Consent”: you have given consent to the processing of personal data for one or more specific purposes;
  • “Contract”: the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract;
  • “Legitimate interest”: the processing is necessary for the purposes of our legitimate interests or those of a third party, except where your interests or fundamental rights and freedoms which require the protection of personal data take precedence;
  • “Legal obligation”: the processing of your personal data is necessary to comply with a legal obligation to which we, as the data controller, are subject.

Categories of personal data | Purposes | Legal basis | Retention period[1]

Device information

  • Purpose: To grant you access to our website
  • Legal basis: Consent
  • Retention period: Until the end of your visit to our website

Identification data, contact details, content of your message, attachments (optional)

  • Purpose: To respond to your enquiry, message or complaint via the contact form on the website
  • Legal basis: Consent
  • Retention period: For the duration of the processing of your enquiry or message

Contact details, language preference

  • Purpose: To allow you to subscribe to our newsletter
  • Legal basis: Consent
  • Retention period: 3 years after you have given your consent[2]

Identification details, contact details, company details if you represent a company, language selection, bank account details, username and password

  • Purpose: To allow you to create a customer account via our website
  • Legal basis: Contract
  • Retention period: For the entire duration of the customer relationship with you

Identification details, contact details, content of your report, special categories of personal data (if disclosed in your report)

  • Purpose: To facilitate the reporting of matters that may relate to breaches of legal obligations or our own rules and regulations under the Belgian whistleblower scheme
  • Legal basis:
    • Legal obligation (Act of 28 November 2022 on the protection of whistleblowers reporting breaches of Union or national law within a legal entity in the private sector)
    • Article 9(2)(g) GDPR (obligation under Union and Member State law (whistleblower legislation))
  • Retention period: For as long as necessary to deal with your report appropriately

Identification details, contact details, company details if you represent a company, information about your relationship with us, the content of your request and related information, identity card details and signature

  • Purpose: To manage your request to exercise your rights
  • Legal basis: Legitimate interest (facilitating the exercise of your rights)
  • Retention period: 10 years from the request (in the event of legal proceedings: until the conclusion of the legal proceedings)

Identification details, contact details, any other information about you that may be necessary to defend and protect our rights

  • Purpose: To defend and protect our rights
  • Legal basis: Legitimate interest (legal defence)
  • Retention period: Applicable limitation period (see “Retention of your personal data”)


Minors

We do not intend to collect personal data from persons under the age of 16. These minors must not provide us with personal data or give consent without the consent of the person exercising parental authority.


Cookies

We also use cookies, primarily to continuously optimise our website for its users. For more specific information about the cookies we use, please consult our cookie policy via [INSERT HYPERLINK].


Your privacy rights

To give you more control over the processing of your personal data, you have various rights. These rights are set out in the GDPR.

You have the following rights:

Right of access (Article 15 GDPR)

You have the right to ask us at any time whether we are processing your personal data. If we are processing it, you have the right to access this personal data and to receive further information regarding:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients (in particular recipients in third countries);

d) the retention period or, if that is not possible, the criteria for determining that period;

e) the existence of your data protection rights;

f) the right to lodge a complaint with the supervisory authority;

g) the source of the personal data if we obtain personal data from a third party;

h) whether we use automated decision-making in relation to you.

If we are unable to grant you access to your personal data (e.g. due to legal obligations), we will inform you why this is not possible.

You may also obtain a copy, free of charge, in a comprehensible format, of the personal data processed. Please note that we may charge a reasonable fee to cover our administrative costs for any additional copies you request.

Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)

In certain cases, you may request that we erase your personal data. Please note: the right to be forgotten is not absolute. We may continue to retain your personal data if this is necessary for, amongst other things, the performance of the contract, compliance with a legal obligation, or the establishment, exercise or defence of legal claims. We will provide you with further details on this in our response to your request.

Right to rectification (Article 16 of the GDPR)

If your personal data is inaccurate, out of date or incomplete, you may ask us to correct these inaccuracies or incomplete information.

Right to data portability (Article 20 of the GDPR)

Under certain conditions, you also have the right to have the personal data you have provided to us for the performance of the contract or for which you have given consent transferred by us to another controller. Where technically possible, we will provide your personal data directly to the new controller.

Right to restriction of processing (Article 18 of the GDPR)

If any of the following situations arise, you may request that we restrict the processing of your personal data:

a) you contest the accuracy of that personal data (in which case its use will be restricted for a period allowing us to verify its accuracy);

b) the processing of your personal data is unlawful;

c) we no longer need your personal data for the purposes, but you need it for the establishment, exercise or defence of legal claims;

d) as long as no decision has been made regarding the exercise of your right to object, you may request that the use of your personal data be restricted.

Right to object (Article 21 of the GDPR)

You may, on grounds relating to your particular situation, object to the processing of your personal data where we process your personal data on the basis of legitimate interests or on the basis of a task carried out in the public interest. In that case, we will cease processing your personal data, unless we can demonstrate compelling and legitimate grounds that override your interests, or where the processing is related to the establishment, exercise or defence of legal claims.

Right not to be subject to automated decision-making (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing which produces significant effects concerning you or results in legal effects, and which is taken without meaningful human intervention.

You cannot exercise this right in the following three situations:

a) where automated decision-making is permitted by law (e.g. to prevent tax fraud);

b) where automated decision-making is based on your explicit consent; or

c) where automated decision-making is necessary for the conclusion or performance of a contract (note: we always strive to use less privacy-invasive methods for the conclusion or performance of the contract).

Right to withdraw your consent (Article 7 of the GDPR)

If your personal data is processed on the basis of your consent, you may withdraw this consent at any time upon simple request.

Right to lodge a complaint with the supervisory authority (Article 77(1) of the GDPR)

You may lodge a complaint with the data protection supervisory authority. A list of supervisory authorities within the European Union can be found via the following hyperlink: https://www.edpb.europa.eu/about-edpb/about-edpb/members_nl.

In Belgium, the competent supervisory authority is the Data Protection Authority, with the following contact details:

Website:

https://www.dataprotectionauthority.be

Contact details:

Data Protection Authority

Drukpersstraat 35, 1000 Brussels, Belgium

+32 (0)2 274 48 00

+32 (0)2 274 48 35

contact@apd-gba.be


Exercising your rights

To exercise these rights, please contact us using the contact details provided in the “Who are we?” section.

To verify your identity when you wish to exercise your rights, we may ask you to provide us with a copy of the front of your identity card. We do not retain the national registration number or the photograph on your electronic identity card. We strongly advise you to “black out[3]” the national registration number and the photo before sending us a copy of your electronic identity card.

You may exercise the rights mentioned above free of charge, unless your request is manifestly unfounded or excessive (for example, due to its repetitive nature). In that case, we are entitled to charge a reasonable fee or to refuse to comply with your request.

Retention of your personal data

We retain your personal data only for as long as necessary to achieve the intended purpose. Please note that numerous (statutory) retention periods mean that personal data must be retained. Where there is no retention obligation, data is routinely deleted as soon as the purpose for which it was collected has been fulfilled.

In addition, we may retain your personal data if you have given us your consent to do so or if we may require this data in the context of legal proceedings. In the latter case, we must be able to use certain personal data as evidence. To this end, we retain certain personal data in accordance with the applicable limitation periods, which may be up to thirty years; however, the standard limitation period for personal claims is ten years.

Sources of your personal data

We process personal data that you provide to us voluntarily. If additional personal data is required, we will inform you whether you are obliged to provide it and what the consequences are if you do not. Failure to provide personal data may result in us being unable to provide our services to you.

In particular, we identify the following categories of sources:

(i) external partners and independent service providers;

(ii) […[4]].

Categories of recipients

Within our organisation, we ensure that your personal data is only accessible to those who need it to fulfil contractual and legal obligations.

We will only disclose your personal data to third parties in accordance with legal provisions or if you have given your consent. In certain cases, our employees are supported by external service providers in the performance of their duties.

Furthermore, we do not disclose personal data to third parties unless we are obliged to do so on the basis of legal provisions (e.g. disclosure to public authorities such as supervisory or law enforcement authorities).

In particular, we identify the following categories of recipients[5]:

(i) government or regulatory authorities when requested in the context of complying with a judgment or order, legislation, regulations, standards or legal proceedings;

(ii) external service providers that enable us to offer you website functionalities;

(iii) external (legal and financial) advisers and consultants.

Transfer to third countries outside the European Economic Area (“EEA”)

We will only transfer your personal data to processors or controllers in third countries to the extent that we are legally entitled to do so.

Where such transfers are necessary, we take the necessary measures to ensure that your personal data is strongly protected and that all transfers of personal data outside the EEA take place lawfully.

Security of your personal data

The security of your personal data is a key priority for us. We take reasonable and appropriate technical and organisational security measures to protect your personal data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of personal data transmitted to us via the internet. Any transmission of personal data is at your own risk.

Questions or complaints?

We are committed to safeguarding your privacy and personal data. If you have any questions or complaints regarding the way in which we process your personal data, please let us know using the contact details provided above in the ‘Who are we?’ section.

Changes

In response to feedback, or to reflect changes in our processing activities, we may amend this privacy policy from time to time. We therefore invite you to consult the most recent version of this privacy policy on our website at all times.

Version 26/12/2025