Privacy policy
This privacy policy explains how ManagementSysteem.nl processes personal data for our website, our account and billing process and our platform. We are the controller for our own data and a processor for the compliance content that customers record in the platform.
ManagementSysteem.nl respects your privacy and handles personal data with care. In this privacy policy you can read which data we process, why we do so, on which legal bases we rely and which rights you have. The policy applies to our marketing website, to entering into and performing agreements, and to the use of our SaaS platform for information security and compliance.
Last updated: June 2026
1. Introduction and who we are
ManagementSysteem.nl is a Dutch SaaS platform for information security and compliance (ISMS and GRC). It is a no-code register and table builder that organisations use to set up and maintain their control over frameworks such as ISO 27001, NEN 7510, BIO and ENSIA, the GDPR, ISO 9001 and comparable standards. Our website and our platform are hosted in the Netherlands (EU).
Our identity and contact details are:
- Trade name: ManagementSysteem.nl
- Chamber of Commerce number: 99739704
- Address: Euclideslaan 55, 3584 BM Utrecht, the Netherlands
Do you have a question about this privacy policy or about the processing of your data? Please get in touch via our contact form. We deliberately do not publish an email address on this website, so that all questions reach us in a secure and structured way.
We have not appointed a Data Protection Officer (Functionaris Gegevensbescherming), as this is not legally required for our organisation. You can raise questions about privacy and the processing of personal data via our contact form. Your request is given a reference so that we can follow it up in a structured way.
2. Which personal data we process
Depending on how you are in contact with us, we process the following categories of personal data.
- Contact details: name, email address and the content of your message when you complete the contact form or sign up for our newsletter. Newsletter sign-up takes place through an opt-in on the sign-up form.
- Account data: name, business email address, username, job title or role, organisation name and authentication data (such as a hashed password) of platform users. We store passwords only in hashed form and never in readable form.
- Usage and device data: pseudonymised data about the use of the website and the platform, such as pages visited, IP address, browser type and approximate location. We only collect statistics via Google Analytics after you have given your cookie consent.
- Communication data: correspondence and support requests that you share with us, including the data needed to answer your question.
- Billing and contract data: company details, billing address, VAT number, chosen modules and subscriptions, and payment and invoice data relating to the agreement.
- Customer content in the platform: the registers, risks, documents, evidence and tasks that you or your organisation record in the platform. This content may contain personal data of your employees or third parties. For this data we act as a processor (see section 4).
3. Purposes and legal bases
We only process personal data for clearly defined purposes and on the basis of a valid legal ground under the GDPR.
- Handling contact requests submitted via the contact form. Legal basis: legitimate interest (answering your question properly) and, where relevant, the performance or preparation of an agreement.
- Sending the newsletter. Legal basis: consent, which you give through an opt-in. You can unsubscribe and object to this processing at any time.
- Providing and managing an account and the platform. Legal basis: performance of the agreement.
- Operational and technical processing of usage and device data, such as server logs and the use of your IP address to deliver, keep available and secure the website and the platform. Legal basis: legitimate interest in a secure and reliable service and, where applicable, performance of the agreement. This processing is separate from the consent-based analytics.
- Billing and administration. Legal basis: performance of the agreement and compliance with a legal obligation (such as the statutory retention period for tax purposes).
- Customer service and support. Legal basis: performance of the agreement and legitimate interest.
- Security, fraud prevention and spam protection (including Google reCAPTCHA on the contact form, where enabled). Legal basis: legitimate interest in a secure and reliable service.
- Display of fonts. We host our fonts on our own servers. No third parties are contacted and no IP address is passed to anyone for this. Legal basis: legitimate interest in a correct and consistent display of our website.
- Improving the website through statistics. Legal basis: consent (cookies are off by default).
- Complying with legal obligations. Legal basis: legal obligation.
4. Our role: processor and controller
Our role under the GDPR differs depending on the type of data.
Processor for customer content in the platform. For the data that a customer enters into the platform (their own ISMS and compliance content, such as registers, risks, documents, evidence and tasks), ManagementSysteem.nl acts as a processor. The customer remains the controller and determines the purpose and means of that processing. We process this data solely in accordance with the customer's instructions and do not use it for our own purposes.
For this processing we enter into a data processing agreement (DPA) that forms part of the customer agreement and is concluded together with it. The data processing agreement meets the requirements of Article 28 GDPR and covers, among other things, the engagement of sub-processors with the customer's approval, assistance with data-subject requests, and notification of personal data breaches to the customer as controller without undue delay.
Controller for our own data. For account, contract, billing, support and marketing data, ManagementSysteem.nl is itself the controller. For that data we determine the purpose and means, as described in this privacy policy.
5. Cookies and analytics
Our website places functional cookies that are necessary for the site to work. We only place analytical cookies, such as for Google Analytics, after you have given consent for this via the cookie banner. By default these are off. You can adjust or withdraw your preferences at any time.
Where Google reCAPTCHA is enabled on the contact form, this service may place cookies and transmit data, including your IP address, to Google. This transfer falls under the safeguards described in section 7. For a full overview of the cookies, their purpose and their retention period, please read our cookie policy.
6. Sharing with third parties and sub-processors
We do not sell your data. We do, however, engage carefully selected service providers who process personal data on our behalf. With every party that processes personal data for us, we enter into a data processing agreement, so that your data is also properly protected with them.
| Party | Purpose | Location |
|---|---|---|
| Brevo (Sendinblue) | Transactional email and sending of the newsletter | European Union |
| Google (Analytics and reCAPTCHA) | Statistics and spam protection on the contact form | Ireland and United States |
| Hosting provider | Hosting of the website and the platform | Netherlands |
We host our fonts on our own servers. No external font services are contacted and no IP address is passed to third parties. In addition, we may share data where a legal obligation requires us to do so.
Brevo processes and stores data within the European Union. Should any part of Brevo's processing take place outside the EEA, this happens under the safeguards described in section 7.
7. Transfers outside the European Economic Area
We prefer to process your data within the European Economic Area (EEA). Some Google services may lead to the transfer of data to the United States. For such transfers to Google we provide appropriate safeguards: Google LLC is certified under the EU-US Data Privacy Framework, and where necessary we additionally rely on the Standard Contractual Clauses of the European Commission.
8. Retention periods
We do not retain personal data for longer than is necessary for the purposes for which it was collected, or for as long as is legally required.
- Messages via the contact form: we delete these no later than 12 months after your question has been handled, unless the content is needed for an ongoing or intended agreement.
- Support and communication data: we retain these for the duration of the agreement and up to 24 months after the last contact, after which we delete them.
- Newsletter: until the moment you unsubscribe or object.
- Account data: we delete these no later than 6 months after termination of the agreement, unless a statutory retention obligation requires a longer period.
- Contract and billing data: we retain invoices for 7 years on the basis of the Dutch statutory tax retention obligation.
- Analytics: in accordance with the periods described in our cookie policy.
9. Security of your data
We take appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access. These include encrypted connections, hosting in the Netherlands, access management based on roles and permissions, storing passwords in hashed form, logging and regular evaluation of our measures. Through data processing agreements, our service providers are contractually required to maintain a comparable level of security. We continuously improve our security on the basis of the state of the art and the nature of the data.
In the event of a personal data breach we act in accordance with Articles 33 and 34 of the GDPR. Where required, we notify the Autoriteit Persoonsgegevens and inform the individuals concerned. If the breach concerns customer content for which we act as a processor, we notify the customer as controller without undue delay.
10. Your rights under the GDPR
Under the GDPR you have various rights in relation to your personal data:
- the right of access to your data;
- the right to rectification (correction) of inaccurate data;
- the right to erasure (deletion of data);
- the right to restriction of processing;
- the right to object to the processing;
- the right to data portability (the right to transfer your data);
- the right to withdraw consent previously given at any time.
Would you like to exercise one of these rights? Submit your request via our contact form. We respond as quickly as possible and at the latest within one month, as the GDPR prescribes. In order to help you, we may ask you to confirm your identity. If your request concerns data that your organisation has recorded in the platform, your organisation is the controller and you should first contact that organisation, which can in turn engage us as its processor.
11. Lodging a complaint with the Dutch Data Protection Authority
Are you not satisfied with the way in which we handle your personal data? You can always lodge a complaint directly with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (Dutch Data Protection Authority). We would also appreciate the chance to resolve it with you first via our contact form, but this is not a precondition for your right to lodge a complaint.
The Autoriteit Persoonsgegevens can be reached via the website autoriteitpersoonsgegevens.nl and by post at Postbus 93374, 2509 AJ The Hague, the Netherlands.
12. Automated decision-making and profiling
We do not use automated decision-making or profiling with legal effects or similarly significant consequences for you within the meaning of Article 22 GDPR. Decisions with a legal impact are not taken solely on the basis of automated processing. The consent-based analytics does not constitute automated decision-making or profiling with legal or similarly significant effects.
13. Changes to this privacy policy
We may amend this privacy policy from time to time, for example due to changed legislation, new functionalities or new service providers. You can always find the most up-to-date version on this page, with the date of the most recent change at the top. In the event of significant changes, we will inform you where this is appropriate.
14. Contact
Do you have questions about this privacy policy or about the processing of your personal data? Please get in touch via our contact form. Our identity details are:
- Trade name: ManagementSysteem.nl
- Chamber of Commerce number: 99739704
- Address: Euclideslaan 55, 3584 BM Utrecht, the Netherlands