Privacy Policy

Last updated: 22 October 2025

1. Introduction

DreCo Insights ("we," "our," or "us") is committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR). This policy explains how we collect, use, and protect your personal data when you visit our website or use our services.


2. Who we are

Data controller

DreCo Insights

Vossenkamp 152, 9675KN Winschoten

KVK Nr. 92400205

The Netherlands

Contact Information

Email: [email protected]

Phone: +31 (0)970 102 58821

Website: https://drecoinsights.eu

DreCo Insights is the data controller for your personal data, meaning we decide how and why your data is processed. For data protection inquiries or to exercise your rights, contact us using the details above.

Data Protection Officer

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR.

For data protection questions, contact [email protected].


3. How and Why we process your personal data

We process your personal data for the following purposes, each with a specific legal basis under GDPR:

Purpose: Client Relationship Management

Data Processed: Contact details, company info, project communications, financial records (for clients)

Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR)

Retention Period: Engagement duration + 7 years

Purpose: Business Development

Data Processed: Business contact info, professional interests, industry sector

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

Retention Period: 2 years from last interaction

Purpose: Marketing Communications

Data Processed: Name, work email, company, engagement behavior (opens, clicks)

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Retention Period: Until withdrawal of consent

Purpose: Website Analytics

Data Processed: IP address (anonymized), browser type, pages visited, navigation paths

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

Retention Period: 26 months (Google Analytics)

Purpose: Compliance & Legal Obligations

Data Processed: Client engagement data, contracts, financial transactions

Legal Basis: Legal obligation (Art. 6(1)(c) GDPR)

Retention Period: 7 years from engagement end


4. Personal data we collect

Sources of data

  • Directly from you: Website forms, strategy call surveys, email communications, service delivery.

  • Third parties: LinkedIn, professional networking events, public business directories, client referrals.

Categories of data

  • Contact Information: Name, email, phone, company, job title.

  • Professional Information: Company name, size, website/domain name, sector, decision-making role, strategic challenges.

  • Technical Data: IP address (anonymised), browser type, device info, usage data, cookies.

  • Financial Information: Invoicing details, payment info, budget parameters (for clients).

  • Project Data: Strategic plans, deliverables, technical specifications (for clients).


5. Who we share your data with

Service Providers (Data Processors)

Provider: Microsoft Office 365

Purpose: Email, document storage, collaboration

Data Stored: Email communications, documents

Location: EU data centers

Protection Measures: DPA, GDPR compliance, EU-hosted servers

Provider: Salesflow CRM

Purpose: Client relationship management, Marketing and Social media campaigns

Data Stored: Contact info, project details, interaction with campaigns and website visits (Google Analytics)

Location: United States

Protection Measures: SCCs, Transfer Impact Assessment, encryption

Provider: Mistral AI

Purpose: Research assistance, data analysis, productivity tool

Data Stored: Temporary processing (no retention)

Location: EU (France)

Protection Measures: DPA, GDPR compliance, no AI training on client data

Specialist partners

We may share data with selected partners (e.g., prototyping labs, M&A advisors, lawyers and financial advisors, HR & recruitment agencies) only within the scope of our agreed collaboration and with your explicit consent for specific projects. All partners sign NDAs and DPAs.

Professional advisors

Limited disclosure to legal advisors, insurance providers, or tax accountants for compliance or advice.

Legal authorities

We may disclose data when legally required (e.g., tax authorities, law enforcement).

What we never do

  • Sell your data to third parties.

  • Share your data with marketing companies or data brokers.

  • Use your data for undeclared purposes.


6. International data transfers

  • Salesflow CRM stores data in the United States.

    • Safeguards: Standard Contractual Clauses (SCCs), Transfer Impact Assessment, encryption.

    • Your Rights: Request a copy of SCCs or object to transfers.


7. How long we keep your data

Category: Website visitors (non-clients)

Retention Period: 26 months (analytics)

Category: Business contacts (prospects)

Retention Period: 2 years from last interaction

Category: Active clients

Retention Period: Engagement duration + 7 years

Category: Marketing consent

Retention Period: Until withdrawal (deletion within 30 days)

Note: Client data is retained for 7 years post-engagement for legal, tax, and professional indemnity requirements.


8. How we protect your data

Technical Measures

  • Encryption (TLS, AES-256), access controls, regular backups, security monitoring, VPN, 2FA (where available).

Organisational Measures

  • Confidentiality agreements, staff training, incident response plan.

Data Breach Notification

We will notify authorities within 72 hours and affected individuals without undue delay if a breach poses a high risk.


9. Your rights under GDPR

Right: Access (Art. 15)

Description: Request a copy of your data.

Right: Rectification (Art. 16)

Description: Correct inaccurate or incomplete data.

Right: Erasure (Art. 17)

Description: Request deletion (subject to legal obligations).

Right: Restriction (Art. 18)

Description: Limit processing in specific cases.

Right: Portability (Art. 20)

Description: Receive your data in a machine-readable format.

Right: Object (Art. 21)

Description: Object to marketing or legitimate interest processing.

Right: Withdraw Consent (Art. 7)

Description: Withdraw consent for marketing (does not affect past processing).

Right: Complain (Art. 77)

Description: Lodge a complaint with your supervisory authority.

To exercise your rights, email [email protected] with:

  • Your full name and contact details.

  • Description of your request.

We respond within 1 month (extendable by 2 months for complex requests).


10. Cookie Policy

Types of Cookies

Type: Strictly Necessary

Purpose: Website functionality, security

Legal Basis: Legitimate interests

Duration: Session or 1 year

Type: Analytics (Google)

Purpose: Understand user behavior (anonymized)

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Duration: Up to 26 months

Your Choices

  • Accept/Reject Cookies: Via our cookie banner.

  • Manage in Browser: Adjust settings in Chrome, Firefox, Safari, or Edge.

  • Do Not Track: We respect browser settings.


11. Changes to This Policy

We may update this policy to reflect changes in practices or legal requirements. We will notify you of material changes via email (for clients/subscribers) or on our website.


12. Contact Us

For questions or to exercise your rights:

Email: [email protected]

Phone: +31 (0)970 102 58821

Post: DreCo Insights, Vossenkamp 152, 9675KN Winschoten, The Netherlands

We aim to respond within 5 working days.


Version History

  • 1.0 (22 October 2025): Initial publication.

