Privacy Notice

Versie 1.3

Privacy Notice

LAST UPDATE
March 2025

Triple is strongly committed to the protection of personal data of individuals. This Privacy Notice explains how Triple processes your personal data as a data controller and what your privacy and data protection rights are. This Privacy Notice is managed by Hypersolid Corporate B.V., a private limited liability company organized under the laws of the Netherlands, having its registered office at Keesomstraat 10E, 1821BS Alkmaar, the Netherlands, registered with the Netherlands Chamber of Commerce under number 59790970, and all its affiliated companies globally (hereinafter referred to as: “Triple”, “we”, “us”, “our”).

We strongly recommend that you familiarize yourself with this Privacy Notice, along with any other notices, policies or statements we may provide to you, to fully understand how we process your personal data and what your privacy and data protection rights are. This Privacy Notice supplements, but does not replace, any other notices, policies or statements regarding this subject matter.

This Privacy Notice is not applicable to the provision of goods and/or services to you by third parties, who are responsible for their own privacy practices. For information about how these third parties process your personal data, we kindly refer you to the privacy notices and/or other information provided by these third parties.

01 | What information do we process and for which purpose?

We process various types of personal data of individuals for specific purposes and based on defined legal grounds for processing. For the purpose of this Privacy Notice, the term personal data refers to any information relating to an identified or identifiable natural person as defined in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).

Below you will find an overview of the personal data that we process per category of individuals and the purposes and legal grounds for such processing.

1. Client Business Contacts
Categories of individuals: prospects; contact persons of (former) clients; contact persons of partners or vendors of clients; and contact persons involved with the provision of services.
Categories of personal data: first and last name; gender; business contact details (e.g. telephone number, email, address, title, employer and website); and signature and communication data.
Purpose: approaching and contacting prospects; maintaining contact with (former) clients; providing services to clients; (financial) administrative purposes; handling any requests, complaints and disputes; determining, exercising and defending our rights; and complying with legal obligations.
Legal basis:

o contractual obligation. We process personal data of prospects and contact persons of clients in order to offer and provide our services to them.

o legitimate interest. Our legitimate interest is to adequately provide services to prospects and (former) clients in general and to handle any requests, complaints and disputes.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with (financial) administrative and retention obligations.

2. Suppliers
Categories of individuals: prospects; contact persons of (former) suppliers; contact persons of customers, partners or vendors of suppliers; contact persons involved in the provision of goods and/or services to us.
Categories of personal data: first and last name; gender; business contact details (e.g. telephone number, email, address, title, employer and website); signature and communication data.
Purpose: approaching prospects; maintaining contact with (former) suppliers and clients, partners or vendors of suppliers; receiving goods and/or services from the supplier; (financial) administrative purposes; handling any requests, complaints and disputes; determining, exercising and defending our right; and complying with legal obligations.
Legal basis:

o contractual obligation. We process personal data of prospects and contact persons of suppliers in order to receive goods and/or services from the supplier.

o legitimate interest. Our legitimate interest is to adequately receive goods and/or services from suppliers in general and to handle any requests, complaints and disputes.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with (financial) administrative and retention obligations.

3. Recruitment
Categories of individuals: job applicants.
Categories of personal data: first and last name; gender; email address; telephone number; address; professional experience; academic background and information; professional qualifications; areas of interest; information retrieved from public resources and social media sites; information retrieved from interviews and assessments; information retrieved from your referrer and/or reference; offer details; and pre-employment screening information.
Purpose: attract new talent by means of organizing recruitment events and searching in existing talent pools and publicly available sources; processing, evaluating and managing job applications; maintaining contact with job applicants; scheduling and conducting (online) interviews; making a job offer; conducting a pre-employment screening; and complying with legal obligations.
Legal basis:

o legitimate interest. Our legitimate interest is to attract, process and manage applications at Triple, including screening, selecting, and hiring successful candidates by making a job offer and conducting a pre-employment screening.

o consent. Your consent is required to optionally keep your application data for a longer period of time.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with retention obligations.

4. (Marketing) activities
Categories of individuals: website visitors; newsletter subscribers; and participants of Triple activities ( e.g. meetings, conferences, events and learning sessions).
Categories of personal data: first and last name; gender; location; telephone number; email; address; social media information; title; employer; data about presence (location, time of arrival and departure); information about the visit and communication data.
Purpose: communication; recruitment and selection marketing; analysis of website visitors; maintenance; administration and security of our website; marketing and business development; investigation; analysis and statistics; internal control and business operations; handling any requests, complaints and disputes; determining, exercising and defending our rights; and complying with legal obligations.
Legal basis:

o consent. With your (explicit) consent we process your personal data for marketing and activities related purposes, such as your subscription to our newsletters.

o legitimate interest. Our legitimate interest is to offer and optimize the usage of our website and the operation of our events.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with retention obligations.

§ For more information about the cookies we place on our website, please see our Cookie Policy.

5. Office visitors
Categories of individuals: office visitors.
Categories of personal data: first and last name; gender; telephone number; email; address; title; employer; data about presence (location, time of arrival and departure); information about the visit; physical appearance; and communication data.
Purpose: offering and optimizing office facilities; security and protection of our office, its facilities, employees and data; access registration; control and management; network management and security; access badges procedure; contractual obligations; and complying with legal obligations.
Legal basis:

o legitimate interest. Our legitimate interest is to protect and secure our office, facilities, network infrastructure, staff members, property and data.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with security and retention obligations.

o contractual obligation. We process personal data of office visitors to comply with our contractual obligations (e.g. security obligations).

6. Other persons who get in touch with us
Categories of individuals: persons that get in touch with us.
Categories of personal data: first and last name; telephone number; email address; title; employer; and communication data.
Purpose: approaching and maintaining contact; handling any requests, complaints and disputes; determining, exercising and defending our rights; and complying with legal obligations.
Legal basis:

o legitimate interest. Our legitimate interest is to maintain any contact or handle any requests, complaints and disputes.

o legal obligation. We process personal data in order to comply with legal obligations, such as compliance with retention obligations.

Children

It is not our intention to process any personal data of children under the age of sixteen (16). If a parent or guardian becomes aware that their child has provided us with its personal data without the consent of its parent or guardian, the parent or guardian should contact us via legal@hypersolid.com. We will delete such personal data without undue delay and in accordance with the timelines set out under the sections “04 | What are your rights?” and “07 | Additional information for individuals in the United States of America”.

Automated decision-making

We do not engage in any automated decision-making processes or profiling activities involving your personal data.

02 | How long do we keep your information?

We retain your personal data for as long as the existence of a legal basis for processing, as described in this Privacy Notice or as otherwise required by applicable law. The retention period may vary depending on certain factors. We may retain your personal data for a longer period of time due to our retention obligations, legal compliance requirements, the need to resolve inquiries and/or complaints or for the purpose of freedom of expression and/or information.

The following categories have a specific maximum retention period:

· Recruitment – we keep your personal data for a maximum period of one (1) month after the application process is closed. If you have provided your consent to retain your personal data for a longer period of time, we retain your personal data for a maximum period of twelve (12) months.

· Office visitors (CCTV) – we retain your personal data for a maximum period of four (4) weeks after your visit. However, in the event the CCTV captured a particular incident, we may keep your personal data for a longer period of time.

We have an internal retention policy in order to safeguard the retention periods of the personal data we process. After the expiry of the retention period, we will either erase or de-identify your personal data. If that is not possible, we will securely isolate your personal data through archiving to prevent any further use until deletion becomes possible.

03 | With whom do we share your information?

We may share your personal data with the following (third) parties:

· Triple affiliated companies – we may share your personal data internally with other Triple entities for e.g. administrative purposes or in order to provide our services.

· Suppliers – we may share your personal data with our suppliers in order to provide, run and manage our internal organization, such as information technology providers and cloud service providers.

· Clients – we may share your personal data with our clients as part of the services we provide to our clients.

· Auditors, insurer and professional advisors – we may share your personal data with our external auditor(s) to the extent necessary for audit(s), our insurer in the case of any claim(s) and professional advisors such as law firms in order to establish, exercise or defend our legal rights and/or obtain advice.

· Law enforcement or governmental and regulatory institutions – we may share your personal data with law enforcement or governmental and regulatory institutions in accordance with applicable laws and regulations, such as courts, police, law enforcement agencies, tax- and custom offices.

(Sub)Processors

The following third parties may be involved in the processing of your personal data via our website:

· HubSpot Ireland Ltd.

o Purpose: sales and marketing software

o Location of processing: Germany

· Recruitee B.V.

o Purpose: recruitment software

o Location of processing: Germany

· Amazon Web Services EMEA SARL

o Purpose: website hosting

o Location of processing: worldwide data centers

· Google LCC (Google Analytics)

o Purpose: website analytics

o Location of processing: worldwide data centers

· OneTrust

o Purpose: cookie consent management

o Location of processing: Germany

· Mux Inc.

o Purpose: video streaming

o Location of processing: USA and Germany

We will only share your personal data with (third) parties when we are legally permitted to do so. We have implemented contractual arrangements and security measures to ensure the appropriate protection of your personal data and compliance with privacy and data protection laws and regulations, confidentiality obligations, and security standards and practices.

International transfers

We may transfer your personal data outside the European Economic Area or any other applicable jurisdiction, provided that such transfer will only be conducted in the event the European Commission has assessed and declared the data protection laws and regulations of such country as adequate, or by means of the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and/or the standard contractual clauses adopted by the European Commission, including the performance of transfer impact assessments where required.

04 | What are your rights?

You have the right to exercise the following individual rights in respect to your personal data that we process:

· Right of information – You have the right to be informed about whether we process your personal data and, if so, the categories of personal data and the purpose and legal basis for such processing.

· Right of access - You have the right to access your personal data that we process and, where applicable, to receive information about how we process your personal data, including insight into the appropriate safeguards taken in the event of the transfer of your personal data outside the European Economic Area.

· Right to rectification – you have the right to rectify i.e. change or supplement your personal data processed by us in the event your personal data: is factually incorrect; is incomplete or not related to the purpose for which it was processed; or is in any other way used in a manner that is in conflict with applicable law.

· Right to erasure – under certain conditions, you have the right to request the erasure of your personal data that we process. These conditions are: we no longer need your personal data in relation to the purpose for which they were processed; we processed your personal data based on your (explicit) consent and you withdrew your consent; you successfully objected to the processing of your personal data by us; we processed your personal data unlawfully; we are obligated to erase your personal data in order to comply with a legal obligation; or personal data of an individual younger than sixteen (16) years old is processed through us.

· Right to restriction of processing – you have the right to restrict processing of your personal data by us, whereby this right may be invoked in the following situations: you object to the accuracy of your personal data processed by us; we process your personal data unlawfully and you request a restriction of processing instead of erasure; we may no longer process your personal data, however you do not want us to erase your personal data due to the establishment, exercise or defence of legal claims; or you object to the processing of personal data by us in general.

· Right to data portability – you have the right to receive your personal data in a structured, commonly used and machine-readable format, whereby you have the choice to receive this directly from us or send it to a third party.

· Right to object – you have the right to object to the processing of your personal data by us subject to certain conditions. We will always comply with an objection related to our processing of your personal data for direct marketing purposes.

· Right to withdraw your consent –you have the right to withdraw your consent in the event we asked for your (explicit) consent for a certain processing activity regarding your personal data. The withdrawal of your consent does not impact the lawfulness of the processing of your personal data prior to the withdrawal of your consent. The consequence of exercising this right is that we will no longer process your personal data for the purpose that you have provided consent for. It may be however possible that we process your personal data for another purpose, such as in order to comply with a minimum retention period, whereby you will be informed accordingly.

How to exercise your rights?

All individual rights can be exercised by means of sending an email to legal@hypersolid.com or a letter to Hypersolid Corporate B.V., attn. Legal Department, Keesomstraat 10E, 1821BS Alkmaar, the Netherlands. We request you to include the following information when exercising your individual right: full first and last name and a description of your request.

When you submit a request to exercise your individual rights, you will first receive an acknowledgement of receipt from us. Subsequently, we might request additional information to verify your identity and/or to ensure that we can properly address your request. We will handle all individual rights requests without undue delay and in any case within one (1) month of receipt of the request. If the complexity of the request requires more time to process, we will inform you as soon as possible and at least within one (1) month after receipt of your request, that we need up to a maximum of two (2) months of additional time, which results in a response from us within a maximum period of three (3) months after receipt of your request.

Complaint

Lastly, you also have the right to file a complaint with the relevant supervisory authority in your country of residence, place of employment or any other jurisdiction in which an alleged infringement of data protection law(s) has occurred within the European Union. The Autoriteit Persoonsgegevens is the supervisory authority in the Netherlands. For further information, please refer to the website of Autoriteit Persoonsgegevens.

05 | Security

We take all reasonable measures to ensure the security of your personal data by implementing appropriate technical and organizational measures in order to safeguard the confidentiality, integrity and availability of your personal data and to protect your personal data against any unauthorized or unlawful use, alteration, access, disclosure, accidental or wrongful destruction and/or loss. We adhere to internationally recognized security standards and we have established policies, procedures and training programs to maintain the confidentiality, integrity and availability of your personal data within our organization.

06 | Changes to this Privacy Notice

We may revise this Privacy Notice from time to time to reflect any changes in our operations. Any updates will be noted under “Last Updated” at the top of this Privacy Notice. Prior versions of this Privacy Notice will remain available on our website for your review. We recommend periodically checking this Privacy Notice in order to stay informed of any changes in this Privacy Notice. In the event of significant changes, we will notify you in advance by posting a prominent notice on our homepage or by sending you an email notification.

07 | Additional information for individuals in the United States of America

This "07 | Additional information for individuals in the United States of America" section applies solely with respect of states of the United States of America that have enacted specific data privacy legislation (“U.S. State Privacy Law”). This section should be read together with and explicitly deviates from and/or supplements the other sections in the Privacy Notice. In case of any conflict between this section and the other sections in the Privacy Notice, this section will prevail for residents of U.S. states that have enacted U.S. State Privacy Law.

What information do we collect?

For the purpose of this section, the term personal data refers to the terms personal data and personal information as defined in the applicable U.S. State Privacy Law that applies to you as a resident of that U.S. state. Below you will find an overview of the categories of personal data that we may process of you. We do not process any sensitive personal data as outlined in applicable U.S. State Privacy Law. For a more detailed overview, please see section “01 | What information do we collect” in the Privacy Notice.

· Identifiers.

· Client records information.

· Characteristics of certain protected classifications.

· Geolocation data.

· Professional or employment-related information.

· Financial information.

· Internet or other electronic network activity information.

What are the sources of collection?

We collect personal data from the following sources:

· prospects;

· (former) clients;

· (former) suppliers;

· job applicants;

· referrers and references;

· recruitment agencies;

· publicly available sources, such as social media and the internet;

· our website;

· information provided by you;

· governmental organizations.

Do we sell and/or share your information?

We do not sell, which includes disclosing or making available personal information to a third party, any of your personal data in exchange for monetary or other valuable consideration and we do not share, which includes disclosing or making available personal information to a third party, any of your personal data for cross-context behavioral advertising as defined in applicable U.S. State Privacy Law.

What are your rights?

If you are a resident of an U.S. state that has enacted U.S. State Privacy Law, you have, in accordance with and depending on the specific U.S. Privacy Law, the following rights regarding your personal data processed by us in the prior twelve (12) months:

· Right to know – you have the right to request disclosure of: the categories and/or personal data that we have collected from you; the categories of sources related to the personal data we have collected from you; the purpose for which we use your personal data; the categories of third parties with whom we disclose your personal data; and the categories of personal data that we disclose to third parties. You can invoke this right up to twice (2) a year, free of charge.

· Right to delete – subject to certain exceptions, you have the right to request us to delete the personal data we collected from you, including the third parties to whom we send your personal data.

· Right to correct – you have the right to request us to correct inaccurate personal data that we have from you.

· Right to limit – you have the right to request us to only use and/or disclose your (sensitive) personal data to the extent it is strictly necessary and proportionate to achieve the required purpose.

· Right to appeal – you have the right to appeal in the event of our denial of your above-listed rights.

Individuals may also exercise their individual right by the assistance of an authorized agent.

Exercising any of your individual privacy rights will not result in any discriminatory adverse treatment towards you.

In addition to the rights mentioned in this section, you can also exercise the rights mentioned under “section 04 | What are your rights?”, provided that the GDPR applies to our collection of your personal data.

How to exercise your rights?

When you submit a request to exercise your individual rights, you will first receive an acknowledgement of receipt from us within ten (10) business days. Subsequently, we might request additional information to verify your identity and/or to respond properly to your individual rights exercised under applicable U.S. State Privacy Law. We will handle all individual rights requests without undue delay and in any case within forty-five (45) calendar days of receipt of the request. If the complexity of the request requires more time to process, we will inform you as soon as possible and at least within forty-five (45) calendar days after receipt of your request, that we need up to a maximum of forty-five (45) calendar days of additional time, which results in a response from us within a maximum period of ninety (90) calendar days after receipt of your request.

08 | Contact Us

Should you require any further information in relation to this Privacy Notice, please contact us via legal@hypersolid.com.