Privacy Policy

1. Who we are

Purple Dragon Cybersecurity B.V. (“we,” “us,” or “our”) provides the following consulting and advisory services: cybersecurity; governance, risk and compliance; privacy and cybersecurity certification preparation; cybersecurity tooling selection, configuration and implementation; vCISO and other related services. This Privacy Notice explains how we collect, use, disclose, and otherwise process personal data in connection with our website, products, services, communications, and business operations.

Data Controller
Purple Dragon Cybersecurity B.V.
Nicolaas Beetsstraat 216, 3511 HG Utrecht
The Netherlands

We act as a controller for the personal data described in this Privacy Notice unless we state otherwise.

2. Scope of this notice

This Privacy Notice applies to personal data we process about customers and prospective customers, website visitors, business contacts, users of our services, event attendees, vendors, and other individuals who interact with us.

This Privacy Notice does not apply to personal data processed by our customers through their own use of our products or services, where we act only on their instructions as a processor or service provider.

3. Personal data we collect

Category | Example content
Contact and account information | Name, business email address, phone number, company name, job title, account identifiers, billing contact details.
Service and technical information | IP address, device identifiers, log data, authentication data, browser type, operating system, usage metadata, approximate location derived from IP, error and diagnostic data.
Communications | Information you provide when you contact us, request a demo, subscribe to updates, or communicate with support.
Transaction and commercial information | Subscription details, order records, contract information, invoices, and payment-related metadata.
Compliance and security information | Records relevant to fraud prevention, security monitoring, access control, incident detection, and legal compliance.

The categories of personal data we collect depend on how you interact with us, the services you use, and the choices you make.

4. How we collect personal data

We collect personal data directly from you, automatically from your device or use of our services, from your employer or organization, from service providers acting on our behalf, and in some cases from publicly available sources or third-party business partners.
Directly from forms, contracts, support requests, events, and meetings.
Automatically through logs, analytics, cookies, and similar technologies.
From your organization when it provisions your access.
From vendors, resellers, integration partners, or publicly available business sources where relevant.

5. Why we process personal data and our legal basis

Purpose | Categories | Legal basis | Example(s)
Provide and operate our services | Contact data, account data, technical data, support data | Contract; legitimate interests | We process personal data as necessary to provide requested services, administer accounts, authenticate users, respond to support requests, and maintain service functionality.
Secure our systems, products, and business | Log data, device data, account data, security event data | Legitimate interests; legal obligation where applicable | We process personal data to detect, prevent, investigate, and remediate security incidents, abuse, fraud, and unauthorized access.
Communicate with customers and prospects | Name, email, company, communications history | Legitimate interests; consent where required by law | We use contact information to respond to inquiries, provide service communications, and send marketing communications where permitted.
Manage contracts, billing, and vendor relationships | Contact data, transaction data, payment-related metadata | Contract; legal obligation; legitimate interests | We process personal data as necessary to enter into and perform contracts, manage payments, maintain records, and administer business relationships.
Comply with law and enforce rights | Any relevant category depending on the issue | Legal obligation; legitimate interests | We may process personal data to comply with applicable law, respond to lawful requests, protect our rights, and establish, exercise, or defend legal claims.

Where we rely on legitimate interests, we do so only where those interests are not overridden by the interests or fundamental rights and freedoms of the affected individual.

6. Cookies and similar technologies

We and our service providers may use cookies, SDKs, local storage, pixels, and similar technologies to operate our website and services, understand usage, improve performance, remember preferences, and, where permitted, support analytics and marketing.

7. Sharing of personal data

We may disclose personal data to the following categories of recipients, as necessary for the purposes described in this Privacy Notice.
Service providers and subprocessors, including hosting, cloud, analytics, CRM, support, payment, and security vendors.
Professional advisers such as auditors, lawyers, insurers, and accountants.
Corporate transaction counterparties in connection with a merger, acquisition, financing, or reorganization.
Authorities and law enforcement where required by law or necessary to protect rights and safety.
Your organization, where you use the services through an employer or customer account.

8. International transfers

Your personal data may be transferred to and processed in countries other than the country in which you reside. Where required, we implement appropriate safeguards for such transfers, such as the European Commission’s Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.

9. Retention

We determine retention periods by considering the nature of the data, the purpose of processing, operational necessity, legal requirements, contractual commitments, and risk. When personal data is no longer required, we delete, anonymize, or securely archive it as appropriate.

10. Your rights

Depending on your location and applicable law, you may have the right to request access to personal data, rectification, erasure, restriction, objection, data portability, and withdrawal of consent where processing is based on consent.
You have the right to object to processing based on legitimate interests, the right to withdraw consent, and the right to lodge a complaint with an EEA supervisory authority where GDPR applies.

We may need to verify your identity before fulfilling a request.

11. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Children

Our services are intended for business use and are not directed to children.

13. Changes to this notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other operational factors. We will post the updated version on this page and revise the ‘Last Updated’ date.

14. Contact us

privacy@purpledragoncyber.com
Nicolaas Beetsstraat 216, 3511 HG Utrecht, The Netherlands

If you have questions about this Privacy Notice or our privacy practices, please contact us at privacy@purpledragoncyber.com. If you are located in the EEA or UK, you may also have the right to lodge a complaint with the relevant supervisory authority.

Last Updated Date: 14 April 2026