Privacy policy

VanIersel Development, registered office: Pieter Vreedestraat 2, 5142 SE Waalwijk, the Netherlands. Contact: [email protected]. Phone: +31 6 36035292.

Dutch Chamber of Commerce (KvK) number: 42050725. VAT ID: NL005457538B24.

When you submit the contact form or email us, we process your name, email address and the contents of your message. Optionally you may include a phone number or company name.

For paid engagements we additionally process data required for quotes, contracts and invoices: company name, billing address, Chamber of Commerce number (if applicable) and VAT ID.

Through Google Analytics 4 we collect usage statistics (pages visited, device, referrer) with IP pseudonymisation. If you consent to the 'analytics & marketing' category we additionally activate Google Signals (cross-device usage view) and Google Ads conversion pixels for lead attribution from ad campaigns. All of this is off by default (Consent Mode v2 default-deny).

To respond to your inquiry or quote request.

To execute an engagement and issue invoices (statutory retention: 7 years for tax records).

To improve the website based on aggregated analytics.

To comply with legal obligations (tax filings, bookkeeping).

Processing is based on: (a) performance of a contract for engagements and invoicing, (b) legitimate interest for contact form communication, (c) consent for analytics cookies (via the cookie banner), and (d) legal obligation for tax retention.

We use a cookie banner with three categories: necessary (always on), functional (language and theme preferences) and analytics & marketing (usage statistics plus Google Ads conversion measurement with remarketing). The last category is off by default and only activates after explicit opt-in.

Google Analytics 4, Microsoft Clarity, Google Signals and the Google Ads conversion pixel are only loaded after you opt in to 'analytics & marketing'. All hits respect Google Consent Mode v2 default-deny until that point. GA4 runs with IP pseudonymisation; Clarity applies automatic PII masking to text fields and credit-card data.

Cookie categories in detail: (a) necessary (session, CSRF, security) - no consent required under Article 11.7a(3) of the Dutch Telecommunications Act; (b) functional (language, theme) - opt-in only; (c) analytics & marketing (`_ga`, `_gid` from GA4, `_clck`, `_clsk` from Clarity, `_gcl_*`, `__gads`, `IDE` from Google Ads and Google Signals) - opt-in only. We use Google Signals + Google Ads conversion measurement for ad attribution and remarketing audiences.

Your consent is stored in localStorage under the key 'salonnare_cookie_consent' (no cookie, no server-side storage) with a version stamp so we can ask again when our cookie policy materially changes. You can update your choice at any time via the 'Cookie preferences' link at the bottom of every page, by clearing your browser cookies and localStorage for vaniersel.dev, or by enabling Do-Not-Track in your browser (we honour DNT as a default-deny signal).

Our cookie banner shares its implementation with Salonnare (see salonnare.com/privacy). Category definitions are identical; vaniersel.dev additionally places Google Ads conversion measurement with remarketing under the same 'analytics & marketing' opt-in.

We only share personal data with carefully selected processors bound by a data processing agreement (DPA) pursuant to Article 28 GDPR. The current sub-processor list:

Resend (Resend, Inc., USA) - transactional email for contact form confirmations. DPA with EU Standard Contractual Clauses; sending servers in the EU where possible.

Cloudflare (Cloudflare, Inc., USA) - CDN, WAF and DDoS protection. Processes IP addresses and request metadata for security. DPA with EU Standard Contractual Clauses, certified under the EU-US Data Privacy Framework.

Google Analytics 4 (Google Ireland Ltd., Ireland) - anonymised usage statistics with IP anonymisation and 14-month retention. Additionally, Google Ads conversion tracking for lead attribution from ad campaigns (only after marketing consent, default ad_storage=denied via Google Consent Mode v2). Google LLC (USA) as sub-processor is certified under the EU-US Data Privacy Framework.

Microsoft Clarity (Microsoft Ireland Operations Ltd., Ireland) - optional UX analysis via heatmaps and session replay with automatic PII masking (text inputs and credit card fields are obfuscated). Loads only after consent. DPA via the Microsoft Online Services Terms; Microsoft Corporation (USA) is certified under the EU-US Data Privacy Framework. See also learn.microsoft.com/clarity/setup-and-installation/privacy-disclosure.

Google Fonts - fonts are self-hosted via next/font; no requests are made to fonts.googleapis.com from your browser.

We never sell personal data to third parties and do not send data to advertisers or data brokers.

Contact form submissions: 12 months maximum, unless they lead to an engagement.

Quotes and contracts: 7 years (statutory tax retention).

Invoices and bookkeeping: 7 years (statutory tax retention).

Analytics data: 14 months (GA4 default retention).

You have the right to: (a) access your data, (b) request correction, (c) request erasure, (d) restrict processing, (e) data portability, (f) object to processing, and (g) withdraw consent.

Send requests to [email protected]. We respond within 30 days. If you disagree with our response, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

We implement appropriate technical and organisational measures: TLS encryption for all traffic, encrypted backups, least-privilege production access, and regular security updates. Incidents are reported to the Dutch DPA within 72 hours in accordance with Article 33 GDPR.

When VanIersel Development processes personal data on behalf of a business client (for example, in custom software development or hosting engagements), we act as a processor as defined in Article 28 GDPR. In that case we conclude a standard data processing agreement (DPA) with EU Standard Contractual Clauses.

Our standard DPA is available free of charge on request via [email protected]. If you wish to provide your own DPA on behalf of your organisation, we will review it free of charge provided the core requirements of Article 28 GDPR are respected.

In the event of a security breach leading to unauthorised access, loss or alteration of personal data, we notify the Dutch Data Protection Authority within 72 hours in accordance with Article 33 GDPR. If the breach presents a high risk to data subjects, we also inform them directly in accordance with Article 34 GDPR.

Our services target professional clients and are not aimed at children. We do not knowingly process personal data of persons under 16 years of age without parental consent (Article 8 GDPR, Dutch implementation: 16 years). If you become aware that this has happened accidentally, please email [email protected] so we can delete the data.

We update this privacy policy when our services or applicable law require it. The date of the most recent change is shown at the top of this page. Material changes are announced at least 30 days before they take effect via this page and - for active engagements - by email.