Privacy & GDPR

Your data, your terms.

Privacy is a promise. This page is the privacy policy Conduction commits to for every contact, customer, and visitor: purpose-bound use, minimum retention, ISO 27001-aligned security, and the rights the GDPR gives you. The Dutch version is the legally binding text.

Our promises

What Conduction commits to.

The promises below come straight from the privacy policy further down this page. They apply to every contact, customer, and visitor, and are derived from the GDPR (EU Regulation 2016/679) and the ISO 27001-aligned ISMS described on our Quality page.

Conduction B.V. uses personal data only for the purpose for which it was stored. We do not silently repurpose it or bundle it into something you did not agree to. If the purpose changes, we ask again.

Purpose limitation
Collected for: A stated purpose
Used for: That same purpose
Reused for: Nothing else
GDPR Art. 5(1)(b), "purpose limitation".

Privacy policy

Policy statement

Privacy policy & DPIA, Conduction B.V.

Standard: GDPR · EU 2016/679
Paired with: ISO/IEC 27001:2022 ISMS
Office: Lauriergracht 14h, Amsterdam

Privacy policy (under the GDPR, derived from EU Privacy Regulation 2016/679)

Conduction B.V. uses personal data only for the purpose for which it was stored. We do not share personal data with third parties unless that sharing is necessary for the storage purpose. We do not retain personal data longer than the storage purpose requires. We protect personal data against access by unauthorised parties using all available means and measures.

We ask our contacts for consent before storing their personal data. We inform clients of their rights regarding their personal data. We inform our contacts about the purpose of the data processing. We inform contacts when we intend to perform unusual operations on their personal data.

Risk assessment (Data Protection Impact Assessment, DPIA)

The risk we manage against is Conduction B.V. unintentionally altering, leaking, or losing information, causing harm to our external stakeholders.

Against this risk we apply the measures in this privacy policy and our ISMS, execute them, and review their effectiveness. The procedures in the privacy policy and ISMS are subject to continuous review and improvement. All staff are involved in the security procedures, in the ways described in this privacy policy and ISMS.

Risk assessment procedure

Conduction B.V. reduces the risks above by working from its privacy policy and ISMS. Every internal audit and management review includes a data-security risk assessment.

A residual risk remains outside the scope of the privacy policy and ISMS. The known residual risks for Conduction B.V. are analysed in our internal audits and management reviews. Mitigations for those risks are part of the privacy policy and ISMS, and they are managed and executed there. Residual risk consists of extreme changes in circumstances that Conduction B.V. cannot foresee. We consider those risks unavoidable. After an unforeseen incident a fresh risk assessment is performed. Any remedies are folded into the privacy policy and ISMS.

Contact

Questions about this policy or about your personal data go to [email protected]. Office: Lauriergracht 14h, 1016 RR Amsterdam.

Adopted by the management of Conduction B.V., Amsterdam, the Netherlands. The Dutch text at /nl/privacy is the legally binding version; this English text is provided for convenience.

Privacy FAQ.

What rights do I have under the GDPR?

The right to access the data we hold about you, to have it rectified, to be forgotten (erasure), to restrict processing, to data portability, and to object. To exercise any of these, write to [email protected] with your request. Conduction is the data controller for the data you share directly with us.

How do I request access to or deletion of my data?

Send a request to [email protected] from the email address associated with your data, or include enough information for us to identify you. We aim to confirm receipt within 2 working days and respond within the statutory 30-day GDPR window, sooner where we can.

Does Conduction sell or share my data?

No. We do not sell personal data and we do not use it for ad targeting. We share data with third parties only when it is necessary for the stated storage purpose (for example a payment processor or hosting provider). In those cases a data-processing agreement is signed; we will provide it on request.

What about my data when I self-host the app?

When you self-host on your own Nextcloud, your infrastructure holds the data and you are the data controller. Conduction's privacy policy and ISO 27001 cover Conduction's own systems and the apps we develop. The security of the data you process on your own server is your responsibility. If you want Conduction's policy to cover hosting too, use our managed Common Ground tenant at commonground.nu.

How does Conduction handle data breaches?

Incidents are triaged through the same ISMS that runs the daily pentest scans. If a breach affects personal data, we notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

Where is my data stored?

Data Conduction holds about you sits with EU-based processors. The managed Common Ground tenant at commonground.nu runs on infrastructure operated by Cyso (Netherlands) under ISAE 3402 Type II. If we add a new processor that changes the picture, the privacy policy is updated and we communicate the change.