
Privacy Policy

Last updated: 2026-05-12

DataExpert BV ("DataExpert", "we", "us") is a Dutch private limited company providing digital-forensics, OSINT, cryptocurrency-investigation, cyber-security and 24/7 incident-response services across the European Union. This policy explains what personal data we collect through this website and during client engagements, the purposes and lawful bases for that processing, with whom we share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Dutch implementing law (Uitvoeringswet AVG, "UAVG").

1. Controller and contact

DataExpert BV is the data controller for personal data collected through this website and for the personal data we process in our own administration (sales, finance, HR, security). For most engagement data — the material clients entrust to us during a forensic investigation, an OSINT project, a crypto-tracing case, or an incident-response mandate — DataExpert acts as a processor on the client's behalf and processes that data strictly under the engagement's data-processing agreement (DPA) and signed engagement letter.

Controller details:
DataExpert BV
Vendelier 65, 3905 PD Veenendaal, Netherlands
Netherlands Chamber of Commerce (KvK): 30093689 (Utrecht)
VAT (BTW): NL009433569B01
Email: info@dataexpert.nl
Phone: +31 (0)318 543173

Data Protection Officer / privacy contact: [FILL IN: DPO name and direct email, or confirm that no DPO has been formally appointed under GDPR Art. 37]. In the meantime, privacy questions can be sent to info@dataexpert.nl with the subject line "Privacy".

2. Personal data we collect

We collect personal data in three distinct contexts, each described below.

2.1 Website visitors

When you visit this website we may process:

  • IP address and approximate location (country) derived from it, user-agent, referring URL, the pages and resources you request, and the timestamps of those requests — held in short-lived server and CDN access logs for security, abuse-prevention and diagnostics.
  • If you contact us by email, the contents of that email and anything you choose to share with us (name, employer, role, phone number, nature of your enquiry).
  • If you call our 24/7 incident-response line, the metadata of the call (calling number, time, duration) and any notes our analysts take to triage the incident.

This website does not currently offer user accounts, paid subscriptions, e-commerce, or an embedded contact form. If we add a contact or lead-magnet form in future, this policy will be updated to disclose the fields collected, the lawful basis, and the retention period.

2.2 Prospective and existing clients

In the course of selling and delivering services we keep business-contact details for the people we deal with at client and prospect organisations: name, employer, role, business email, business phone, and a record of our correspondence, meetings, proposals and engagement letters. Where an engagement involves background screening of our own personnel for cleared work, additional vetting data is processed separately under that screening programme.

2.3 Engagement material (forensic, OSINT, crypto, IR)

When a client engages us to perform a digital-forensics examination, an OSINT investigation, a cryptocurrency-tracing case, or an incident-response mandate, the material the client provides or that we lawfully acquire on the client's instruction can include personal data of third parties — for example, content of seized devices, copies of cloud accounts, server images, network telemetry, chat transcripts, on-chain transaction data tied to wallet addresses, or open-source records about persons of interest. We process this material only on the documented instructions of the client (the controller), under a written DPA that meets GDPR Art. 28, with strict chain-of-custody, access-control, and audit logging appropriate to forensic work. Categories of data subjects, categories of personal data, and retention periods are set out in each engagement's DPA and case-handling plan.

3. Purposes and lawful bases (GDPR Art. 6)

We rely on the following lawful bases, matched to the processing activity:

  • Performance of a contract (Art. 6(1)(b)) — to deliver services under a signed engagement letter, to administer the contract, and to invoice for the work.
  • Legal obligation (Art. 6(1)(c)) — to comply with Dutch tax and accounting retention rules, with anti-money-laundering rules where they apply to us, and with any lawful demand from a competent authority.
  • Legitimate interests (Art. 6(1)(f)) — to run our website securely, to keep server and security logs, to follow up sales leads via business-to-business contact details, to defend ourselves in litigation, and to operate the day-to-day business. We balance these interests against the rights and freedoms of the people concerned and only rely on this basis where that balance supports the processing.
  • Consent (Art. 6(1)(a)) — where we ask for it explicitly, for example before sending marketing email to a personal address or before any future use of non-essential analytics or marketing trackers on this website.
  • Substantial public interest / processing on instructions — where we process engagement data as a processor, the controller (our client) is responsible for identifying its own lawful basis under Art. 6 and, where relevant, Art. 9 / Art. 10 for special-category and criminal-conviction data. The DPA records this allocation.

4. Cookies, tracking, and third-party scripts

We keep this site deliberately light. As at the date of this policy:

  • No advertising or marketing trackers. The site does not load Google Analytics, Google Tag Manager, Meta / Facebook Pixel, LinkedIn Insight Tag, Hotjar, or any comparable marketing pixel.
  • Web fonts. Three typefaces (Space Grotesk, Inter, JetBrains Mono) are loaded via next/font/google. The font files are served from this site's own origin, not directly from Google's servers, so visiting the site does not disclose your IP address to Google purely for font delivery.
  • Nukipa platform. Editorial content for this site is fetched server-side from the Nukipa CMS gateway. Those calls are made from our server to the gateway and do not place a Nukipa cookie in your browser. If we later enable Nukipa's server-side visit-ping (which sets a nk_sid session cookie to group a visitor's page views) or CTA-click tracking, this section will be updated to disclose the cookie, the data collected (path, country derived from IP, UTM parameters, session id), and the retention period.
  • Strictly necessary technical state. We may set short-lived cookies that are strictly necessary to operate the site, for example to remember a chosen language if multi-language is enabled. These do not require consent under Dutch / EU rules.

[FILL IN: confirm the exact cookie / local-storage inventory at launch and update this section if the build changes.]

5. Recipients, processors and sub-processors

We share personal data only with parties that need it to support the purposes above:

  • Infrastructure and platform providers we use to host this website, serve email, run our case-management and ticketing systems, and operate forensic and OSINT tooling.
  • Specialised software vendors whose tools we operate as part of engagements (for example Cellebrite, OpenText, Magnet Forensics, Maltego, Chainalysis, TRM Labs). For most of these the tool runs in our own environment and the vendor does not receive engagement data; where a vendor does process data, this is governed by the vendor's own terms and any DPA we put in place.
  • Trained sub-contractors and individual experts we bring in under written confidentiality and data-protection terms.
  • Professional advisers (counsel, auditors, insurers) under duties of confidentiality.
  • Competent authorities, courts, or other recipients where we are legally required to disclose.

A current sub-processor list for engagements is maintained outside this page and is provided to clients on request as part of the DPA package. [FILL IN: link or contact for the live sub-processor register.]

6. International transfers

We aim to keep personal data within the European Economic Area (EEA). Where a transfer to a country outside the EEA cannot be avoided — for example because a vendor or sub-processor operates from a third country — we rely on an adequacy decision where one exists, on the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by technical and organisational measures where appropriate, and on a transfer impact assessment that records why the chosen safeguard is effective.

7. Retention

We keep personal data only for as long as we need it for the purpose for which it was collected, or for as long as Dutch or EU law requires us to keep it.

  • Engagement material — retained for the period agreed in the engagement letter / DPA, and securely returned or destroyed at the end of that period with a certificate of destruction provided to the client on request. Cryptographic evidence integrity (hashes, chain-of-custody logs) is retained alongside the case file where required.
  • Client and prospect contact details — retained for the duration of the commercial relationship and for a reasonable follow-up period after the last interaction.
  • Financial and tax records — retained for seven (7) years in accordance with Dutch fiscal law (Algemene wet inzake rijksbelastingen).
  • Website and security logs — retained for a short operational window (typically 30–90 days) and longer only where needed to investigate a specific incident.

[FILL IN: confirm the precise retention schedule by category — counsel and the privacy owner should sign off the numbers above before publishing.]

8. Security

The integrity of evidence and the confidentiality of client data are the core of what we do. We apply organisational and technical measures appropriate to the sensitivity of the data we handle, including role-based access control, multi-factor authentication, encryption of data in transit and at rest, segregated case environments, chain-of-custody logging, secure data destruction at end of engagement (overwrite or physical destruction of media), and staff vetting and confidentiality obligations. [FILL IN: current certification status — ISO/IEC 27001, NEN 7510, SOC 2, ISO/IEC 27037 alignment, etc., with certificate numbers and issuing bodies. Do not assert a certification we do not actually hold.]

9. Your rights

Subject to the conditions and limits set out in the GDPR (Art. 12–22), you have the right to:

  • access the personal data we hold about you;
  • have inaccurate personal data corrected;
  • have your personal data erased;
  • have processing of your data restricted;
  • data portability;
  • object to processing that we base on our legitimate interests; and
  • withdraw consent at any time where processing is based on consent (withdrawal does not affect the lawfulness of processing before withdrawal).

Where personal data about you is held by us as a processor on behalf of a client (for example, because you appear in material under examination in a forensic engagement), please direct your request to that client as the controller. If you contact us first we will forward the request to the controller without unreasonable delay and assist them in responding.

To exercise a right, write to info@dataexpert.nl with enough information to identify you and the data concerned. We respond within one month of receipt and may extend that period by up to two further months for complex requests, in line with Art. 12(3) GDPR.

You also have the right to lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens — see autoriteitpersoonsgegevens.nl.

10. Automated decision-making and profiling

We do not use this website to take decisions about individual visitors by purely automated means within the meaning of GDPR Art. 22. Forensic, OSINT and crypto-tracing outputs we produce in an engagement are reviewed and interpreted by human analysts before they leave our hands.

11. Children

This website is aimed at law-enforcement, government, and regulated-enterprise buyers. It is not directed at children and we do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy as our services, sub-processors, or the law change. The current version is identified by the "Last updated" date at the top of this page. The previous version is available on request.

13. Contact

Privacy questions, rights requests, and DPA enquiries can be sent to info@dataexpert.nl or by post to DataExpert BV, Vendelier 65, 3905 PD Veenendaal, Netherlands.