Privacy Notice

This notice explains how Sving Holding B.V. handles personal data. It was last revised on 22 May 2026.

Who we are

Sving Holding B.V. is the data controller responsible for the personal data described in this notice.

Verlengde Vaart NZ 124
7887EK Erica
The Netherlands

No Data Protection Officer has been designated; under Article 37 GDPR we are not required to appoint one.

Whose data this notice covers

This notice applies to the personal data of:

• our customers and prospective customers;
• visitors to our website www.sving.nl;
• our suppliers and business contacts.

What personal data we process

Depending on our relationship with you, we process the following categories of personal data:

• Identity and contact details — your full name, email address, phone number and other contact details.
• Website data — your IP address when you visit www.sving.nl.
• Customer and supplier records — the records we keep about our customers and suppliers.
• Communications — email and chat messages, and, where applicable, voice and video recordings of meetings or calls.
• Documents and scheduling — files and calendar entries relating to our work with you.
• Financial data — invoices, accounting data, tax records and bank account details.

Why we process it and our legal basis

We only process personal data where we have a legal basis to do so under Article 6 of the GDPR. We process personal data for the following purposes:

To provide our services and manage our relationships

Legal basis: performance of a contract (Article 6(1)(b) GDPR). This covers chat messages, customer records, email, calendar entries, files, supplier records, email addresses, full names and bank account details. We use this data to deliver the services we have agreed, communicate with you, schedule and carry out our work, manage documents, and make and receive payments.

To comply with our legal obligations

Legal basis: legal obligation (Article 6(1)(c) GDPR). This covers invoices, accounting data and tax records. We are required to keep this data in order to comply with the law, in particular Dutch tax and accounting legislation.

For our legitimate business interests

Legal basis: legitimate interests (Article 6(1)(f) GDPR). This covers voice recordings, video recordings, contacts, IP addresses and phone numbers. We rely on this basis to keep records of meetings and calls, maintain accurate contact details, communicate efficiently, and operate and secure our website. Where we make a recording, we will inform those involved beforehand. You can object to processing based on our legitimate interests — see “Your rights” below.

How long we keep it

We keep personal data only for as long as necessary for the purpose for which we hold it, or for as long as the law requires. Depending on the type of data, the periods we apply are:

• account data: until the account is deleted;
• contract-related data: for the duration of the contract plus 2 years, and, for certain records, plus 5 years;
• invoices, accounting data and tax records: 7 years, as required by Dutch law;
• data we hold on the basis of your consent: until you withdraw that consent;
• website and short-term operational data: between 6 months and 1 year.

Who we share it with

We share personal data with the following processors and service providers, who act on our behalf and only to the extent needed to provide their services to us:

• Jortt — online accounting software;
• Proton Mail — email;
• Proton Calendar — calendar;
• Signal — secure messaging;
• Synology C2 — cloud storage and backup.

We do not sell personal data, and we do not share it with third parties for their own purposes. We may disclose personal data where we are required to do so by law.

International transfers

Most of our service providers process personal data within the European Economic Area (EEA), or in a country recognised by the European Commission as offering an adequate level of data protection — for example, Proton’s services are based in Switzerland, which benefits from an EU adequacy decision.

One service we use, Signal, relies on infrastructure in the United States. Signal messages are end-to-end encrypted: the content of communications cannot be accessed by the service provider or by anyone other than the intended recipients. Only the limited technical metadata needed to deliver messages is processed.

Your rights

Under the GDPR you have the following rights regarding your personal data:

• the right to access the personal data we hold about you;
• the right to have inaccurate data corrected;
• the right to erasure (“the right to be forgotten”);
• the right to restrict processing;
• the right to data portability;
• the right to object to processing;
• the right to withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, please contact us at info@sving.nl. We will respond within one month.

Complaints

If you are concerned about how we handle your personal data, you have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), www.autoriteitpersoonsgegevens.nl.

Automated decision-making and other information

Automated decision-making. We do not carry out automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Source of the data. We collect most personal data directly from you. Some data, such as your IP address, is collected automatically when you visit our website. We may also receive contact details from the organisation you represent, for example when you are the contact person for a customer or supplier.

Children. Our website and services are not directed at children. We do not knowingly collect personal data of children under the age of 16.

Changes to this notice

We may update this privacy notice from time to time. The date at the top of this notice indicates when it was last revised.