Privacy Policy

1.1. This Privacy Policy governs the processing of Personal Data by NorthStone NV, a company duly incorporated and existing under the laws of Belgium, with its registered office at 8 Verbrande Poort, 3000 Leuven, Belgium, registered with the Crossroads Bank for Enterprises (hereinafter referred to as the "Company").

1.2. This Privacy Policy applies to the processing of Personal Data in connection with the provision, operation, and use of the Simplify software platform (hereinafter the "Platform"), including associated websites, interfaces, and services.

1.3. The Company acts as Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") with respect to Personal Data relating to its Customers, Users, and visitors.

1.4. Where the Platform is used by Customers to process Personal Data of third parties, the Customer acts as Data Controller and the Company acts solely as Data Processor within the meaning of Article 4(8) GDPR.

2.1. For the purposes of this Privacy Policy, the following definitions shall apply:

1. "Personal Data" — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR;
2. "Processing" — any operation performed on Personal Data, including collection, storage, use, transmission, or deletion, as defined in Article 4(2) GDPR;
3. "Customer" — any legal or natural person who enters into an agreement with the Company for use of the Platform;
4. "User" — any individual authorized by a Customer to access and use the Platform;
5. "Customer Data" — any data, including Personal Data, submitted to or stored within the Platform by or on behalf of a Customer.

3.1. The Company may process Personal Data necessary for the creation, administration, and operation of accounts, including identification and contact details such as name, email address, account identifiers, and associated account configuration information.

3.2. The Company may process technical and operational data generated through the use of the Platform, including IP addresses, system identifiers, authentication records, timestamps, browser information, and device-related information, insofar as such Processing is necessary to ensure system functionality, integrity, and security.

3.3. The Company may process Personal Data contained in communications between Users and the Company, including support requests, service-related inquiries, and operational correspondence.

3.4. The Platform enables Customers to upload, store, and manage Customer Data, which may include Personal Data of Users or third parties. In such circumstances, the Company processes such data solely on behalf of the Customer and in accordance with the Customer's instructions.

4.1. The Company processes Personal Data exclusively for specified, explicit, and legitimate purposes, including the provision, maintenance, and improvement of the Platform.

4.2. Processing shall be based on one or more of the following legal bases:

1. the necessity of Processing for the performance of a contract to which the Data Subject or Customer is a party, pursuant to Article 6(1)(b) GDPR;
2. compliance with legal obligations to which the Company is subject, pursuant to Article 6(1)(c) GDPR;
3. the legitimate interests of the Company, including ensuring system security, preventing unauthorized access, maintaining service reliability, and protecting its legal rights, pursuant to Article 6(1)(f) GDPR;
4. where applicable, consent of the Data Subject, pursuant to Article 6(1)(a) GDPR.

4.3. The Company shall not process Personal Data for purposes incompatible with the purposes described herein.

5.1. Where Customers use the Platform to process Personal Data of third parties, the Customer shall act as Data Controller and shall remain solely responsible for determining the legal basis and purposes of such Processing.

5.2. The Company shall process Customer Data solely for the purpose of providing the Platform and in accordance with Customer instructions and applicable agreements.

5.3. The Company shall not access Customer Data except where necessary to ensure the proper functioning, security, or maintenance of the Platform, or where required by law.

6.1. The Company may engage third-party service providers acting as Data Processors for the purpose of operating and maintaining the Platform.

6.2. Such service providers include, but are not limited to:

1. infrastructure and hosting providers, including Amazon Web Services, Inc. and HostHatch LLC;
2. network and security service providers, including Cloudflare, Inc.;
3. server management service providers, including RunCloud Sdn Bhd;
4. communication service providers, including Mailgun Technologies, Inc.;
5. artificial intelligence service providers, including OpenAI, L.L.C. and Google LLC.

6.3. The Company shall ensure that such service providers are subject to appropriate contractual safeguards consistent with GDPR requirements.

6.4. Personal Data shall not be sold, leased, or otherwise transferred to third parties for unrelated commercial purposes.

7.1. Personal Data may be transferred to service providers located outside the European Economic Area where necessary for the provision of the Platform.

7.2. Where such transfers occur, the Company shall ensure appropriate safeguards in accordance with Chapter V GDPR, including the use of Standard Contractual Clauses or equivalent legal mechanisms.

8.1. The Company implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks associated with the Processing of Personal Data.

8.2. Such measures include, where appropriate, access controls, encryption of data in transit, authentication safeguards, infrastructure protection mechanisms, and monitoring of system integrity.

8.3. Access to Personal Data shall be limited to authorized personnel and service providers strictly on a need-to-know basis.

9.1. Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected and processed, including compliance with legal obligations and contractual requirements.

9.2. Upon termination of the Customer relationship, Personal Data may be deleted, anonymized, or retained as required by applicable law or legitimate business interests.

10.1. Data Subjects shall have the rights provided under GDPR, including:

1. the right to access Personal Data;
2. the right to rectify inaccurate Personal Data;
3. the right to request erasure of Personal Data;
4. the right to restrict Processing;
5. the right to data portability;
6. the right to object to Processing.

10.2. Requests relating to such rights may be submitted in writing to the Company using the contact details set forth in Article 14.

11.1. The Company reserves the right to amend this Privacy Policy from time to time.

11.2. Updated versions shall become effective upon publication and shall apply to all subsequent Processing activities.

12.1. This Privacy Policy shall be governed by and construed in accordance with the laws of Belgium.

12.2. Any dispute arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts of Leuven, Belgium.

13.1. Data Subjects have the right to lodge a complaint with the competent supervisory authority, namely:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Drukpersstraat 35 / Rue de la Presse 35
1000 Brussels, Belgium

14.1. Any questions, requests, or notices regarding this Privacy Policy shall be addressed to:

NorthStone NV
8 Verbrande Poort
3000 Leuven
Belgium

Email: privacy@onebonsai.com