This privacy policy is effective as of 6 June 2025.
It replaces the previous version dated 1 January 2025, which has been repealed.
• Legal basis: Article 5(1)(a) and Article 24(1) of the GDPR (principles of transparency and accountability).
This privacy policy sets out the principles for the processing and protection of personal data provided by Clients in connection with the use of services offered by SafeLead Solutions.
1. Data Controller
The controller of your personal data is SafeLead Solutions with its registered office in Eindhoven, Spalaan 6, 5628 ZG, the Netherlands, registered in the Dutch Chamber of Commerce (KvK) under number 95907130, and VAT ID: NL005178103B20 (hereinafter referred to as the “Controller”).
The Controller may be contacted via:
• Email: info@safe-lead.solutions
• Correspondence address: Spalaan 6, 5628 ZG Eindhoven, the Netherlands
2. Purposes and Legal Bases for Data Processing
The Controller processes your personal data for the following purposes:
a) Provision of consultancy and training services – for the purpose of concluding and properly performing a contract for the provision of consultancy or training services including the issuance of documents.
• Legal basis: Article 6(1)(b) of the GDPR (performance of a contract).
b) Payment processing – in the case of purchases made via the online store, data is processed to handle payment transactions.
• Legal basis: Article 6(1)(b) of the GDPR (performance of a contract).
c) Compliance with legal obligations – for the fulfilment of obligations arising from applicable laws, in particular tax and accounting regulations (e.g., issuing and storing invoices).
• Legal basis: Article 6(1)(c) of the GDPR (legal obligation incumbent upon the Controller).
d) Contact and inquiry handling – for the purpose of conducting email or telephone correspondence in response to your inquiries.
• Legal basis: Article 6(1)(f) of the GDPR (legitimate interest of the Controller in client service and communication).
e) Establishment, exercise, or defence of legal claims – to protect the rights of the Controller in the event of any claims arising from the performance of a contract.
• Legal basis: Article 6(1)(f) of the GDPR (legitimate interest of the Controller).
3. Types of Personal Data Processed
The Controller processes the following categories of personal data:
• Identification data: first and last name.
• Contact data: email address, phone number, home address or company address.
• Transaction data: bank account number, invoicing data (including VAT ID for companies).
• Service-related data: information necessary for service delivery, such as data required for issuing certificates (e.g., nationality, place and date of birth).
Providing personal data is voluntary but necessary for entering into and performing the contract.
4. Data Retention Period
Your personal data will be retained for the period necessary to fulfil the purposes for which it was collected:
• Data processed for the performance of a contract: for the duration of the contract and, after its termination, for a period required by applicable law, i.e. up to 7 years.
• Certificates and confirmations: data contained in training certificates and confirmations is stored for 5 years. This serves the legitimate interest of both the Controller and the data subject, enabling the issuance of a duplicate in the future.
• Data may be retained longer if necessary to establish, exercise, or defend legal claims, until the final conclusion of proceedings.
After these periods, the data will be permanently deleted or anonymised.
5. Recipients of Personal Data
To ensure proper service delivery, your personal data may be shared with the following categories of recipients:
• Payment processors: For purchases in the online store, payments are handled by an external provider, Stripe, Inc. The data required for payment processing is transferred directly to Stripe, which acts as an independent data controller. Please refer to Stripe’s privacy policy: https://stripe.com/privacy.
• Accounting and legal service providers: accounting firms and law offices that support the Controller in meeting legal obligations.
• IT service providers: companies providing hosting, maintenance, or business management software.
• Courier and postal service providers: for delivering documents or certificates.
• Authorized employees and collaborators of the Controller who need access to the data to perform their duties.
All entities entrusted with data processing ensure appropriate data protection and security measures as required by law.
6. Automated Decision-Making and Profiling
The Controller does not make decisions about you based on automated processing, nor does it perform profiling as defined in Article 22 of the GDPR.
7. Data Security Measures
The Controller implements appropriate technical and organisational measures to ensure the security of personal data processing, in accordance with GDPR requirements. Communication with our services is encrypted using the TLS/SSL protocol. In all systems where particularly sensitive personal data is stored (e.g., customer data on certificates, payment data), we use multi-factor authentication (MFA), such as two-factor login (2FA) or hardware security keys compliant with the FIDO standard.
8. Data Subject Rights
In connection with the processing of your personal data, you have the following rights:
• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (“right to be forgotten”) (Article 17 GDPR) – subject to limitations when processing is required by law (e.g., invoice or annual report retention)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object to processing based on the Controller’s legitimate interest (Article 21 GDPR)
• Right to withdraw consent at any time, if processing is based on consent (without affecting the lawfulness of processing carried out before the withdrawal)
To exercise these rights, please contact us at: info@safe-lead.solutions
You also have the right to lodge a complaint with a supervisory authority. The competent authority for the Controller is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). More information is available at: https://autoriteitpersoonsgegevens.nl/
9. Transfers of Data Outside the European Economic Area (EEA)
Due to the use of service providers such as Stripe, your personal data may be transferred to third countries, i.e., outside the European Economic Area (e.g., the United States). The Controller ensures that such transfers are based on appropriate legal mechanisms, such as the European Commission’s Standard Contractual Clauses, which guarantee an adequate level of data protection.
9a. Data Storage Location within the European Economic Area (EEA)
Your personal data is stored exclusively on servers located within the European Economic Area (EEA), as follows:
• safe-lead.eu is hosted by nazwa.pl, with infrastructure located in Poland.
• safe-lead.solutions (the main website and online store) is hosted by OVH SAS, with servers located in France.
• The contact form available on the safe-lead.solutions website was created using a tool provided by Mobirise (Netherlands). Mobirise only provides the technical infrastructure for message transmission and does not store or process the submitted data. Information entered into the form is delivered directly to the Administrator’s email address.
The Administrator bears sole responsibility for securing the server environment, configuring the services, and ensuring the security of data processing.
10. Changes to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy. The current version will always be available on the Controller’s website. Clients will be informed of any significant changes by email.
