Guardsquare Privacy Policy

    1. Introduction

    1.1 Who We Are

    Guardsquare ("we," "our," or "us") is committed to protecting your privacy. This privacy policy (“Privacy Policy”) regulates how we collect, use, disclose, and safeguard your personal data when you visit our website, guardsquare.com (the “Website”), use our services (the “Services”), or interact with us in other ways. Data processing is primarily handled by Guardsquare NV, located at Tervuursevest 362/1, 3000 Leuven, Belgium, and registered with the CBE under number BE0550.675.829. For the purposes of the Data Privacy Framework (DPF) self-certification (see here), this policy also applies to our U.S. subsidiary, Guardsquare, Inc., located at 99 Summer Street, Floor 10, Suite 1010, Boston, MA 02110, which adheres to the DPF Principles.

    Depending on the context, we may act as either a data controller (e.g., for website visitor or marketing data) or a data processor (e.g., for customer data processed through our “Services” as defined in our Data Processing Agreement).

    1.2 Scope of This Policy

    This Privacy Policy applies to all personal data collected through our Website, our Services, or through any other interactions you may have with us. By using our Website and/or our Services, you acknowledge that you have carefully read this Privacy Policy and agree to its terms without reservation.

    For purposes of this Privacy Policy, “Services” refers to the products and offerings described in our Data Processing Agreement (DPA).

    While using the Website, you may encounter links to third-party websites. Please be advised that such third-party websites are independent sites, and we assume no responsibility or liability whatsoever regarding privacy matters or any other legal matter with respect to such sites. We encourage you to review the privacy policies and terms of use for any such third-party websites you visit.

    1.3 Legal Compliance

    We comply with relevant data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and utilize the Data Privacy Framework (DPF) for service providers that are certified under this mechanism or Standard Contractual Clauses (SCCs) for international data transfers to ensure that personal data is protected when exported outside the European Economic Area (EEA) to countries that are not recognized by the European Commission to offer adequate personal data protection.

    1.4 Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date.

    Last updated: 09 April 2025

    2. Data Processing

    2.1 Information We Collect

    We collect personal data based on how you interact with our Website and Services:

    • Personal Data – Name, email, phone number, company details, and other contact information.
    • Usage Data – IP address, browser type, activity logs, and interaction history.
    • Cookies & Tracking Technologies – Used for analytics, functionality, and user experience (see §5 Cookies).

    This Privacy Policy applies to data that qualifies as personal data, defined as data about an identified or identifiable natural person.

    2.2 Legal Basis for Processing Personal Data

    We process your personal data based on the following legal grounds:

    • Consent: You provide explicit permission to process your data (e.g., for marketing communications). You can withdraw consent at any time, and we will cease processing unless another legal ground applies. The foregoing will, however, not prevent us from retaining any personal data if this is necessary to comply with our legal obligations, in order to file a legal claim or defend ourselves against a legal claim, or for evidential purposes.
    • Contractual Necessity: Processing is necessary to fulfill a contract with you, such as providing services or responding to requests, or when you have asked us to take specific steps before entering into a contract.
    • Legal Obligation: Processing is required to comply with laws, regulatory requirements, or judicial or administrative orders.
    • Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, such as improving our services or ensuring the security of our platform, provided that these interests do not override your fundamental rights and freedoms.

    We are committed to data minimization, meaning that we collect and process the personal data necessary to fulfill the specific purposes outlined in this Privacy Policy. Personal data is processed only for as long as required for these purposes or until you withdraw consent. If you have registered on our Website and later remove your profile, we will delete your personal data unless retention is required by law.

    Please do not provide us with any sensitive information (e.g., health data, criminal records, or credit card/account number details).

    To the extent that you provide us with any personal data in connection with any third party, you are solely responsible for receiving and hereby represent and undertake to have received the consent, authority, permission, and approval of such person and to have provided them with sufficient disclosures, to allow the use of such personal data, and to allow us to access, store, collect, and process such personal data as detailed herein.

    2.3 Data Sharing and Disclosure

    We may share your personal data in the following cases:

    2.3.1 Sharing with Affiliates and Service Providers

    • We may share data with affiliates and third-party vendors who assist in providing our services.
    • These vendors process personal data on our behalf under strict security and confidentiality requirements.

    2.3.2 Public Authorities

    • Data may be disclosed when required by law enforcement, regulatory authorities, or courts.
    • This includes sharing your personal data with enforcement authorities having jurisdiction over Guardsquare, Inc.’s compliance with the DPF Principles.

    2.3.3 Business Transfers

    • In case of a merger, acquisition, or sale of company assets, data may be transferred to the new entity, including transfers outside the European Economic Area (EEA).

    2.3.4 Sharing Anonymized or Aggregated Data

    • We may share anonymized or aggregated data for analytics, product improvement, and marketing, ensuring it cannot identify you.
    • We may share your personal data in additional manners with your explicit consent.

    2.4 Data Processing Locations and International Transfers

    We process personal data both within and outside the European Economic Area (EEA). Our product infrastructure is securely hosted in the European Union (EU) on the Google Cloud Platform (GCP). However, some of our product sub-processors may process data outside the European Economic Area (EEA). Please refer to our Data Processing Agreement (DPA) for detailed information.

    2.4.1 Transfers Outside the EEA

    Guardsquare processes personal data both within and outside the European Economic Area (EEA). For data transfers to countries outside the EEA, including the United States, we rely on the Data Privacy Framework (DPF) for service providers certified under this mechanism (please refer to §2.4.2 below), ensuring that your personal data receives the same level of protection as within the EEA. For other service providers not certified under the DPF, we rely on adequacy decisions and Standard Contractual Clauses (SCCs) in conjunction with Transfer Impact Assessments (TIA) to assess and mitigate potential risks. These legal mechanisms ensure the security and integrity of your personal data when processed outside the EEA, meeting GDPR compliance standards.

    The following table provides an overview of our third-party service providers, the purposes for which personal data is processed, the types of personal data involved, the country of transfer, and the specific protection mechanisms applied. For detailed information about the subprocessors we use to deliver our “Services” — including their roles, processing locations, and the types of personal data involved — please refer to the annexes of our Data Processing Agreement.

    | Sub-processor | Purpose | Data Processed | Country (outside EEA) | Protection Mechanism |
    |---|---|---|---|---|
    | Google Analytics 4 | Website Analytics and Tracking | Geographic metadata (based on IP address), User behavior, Device information, Cookies | USA | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment (TIA) |
    | HubSpot | Marketing and CRM | Name, Email, Geographic metadata (based on IP address), User behavior, Contact details, Analytics, Device information | USA | Data Privacy Framework (DPF) |
    | LinkedIn | Marketing | Direct messages with prospects who engage with marketing posts, Aggregated engagement data (clicks, impressions) | USA | Data Privacy Framework (DPF) |
    | LinkedIn Navigator | Sales and Lead Generation | Name, Email, Job Title, Professional Data | USA | Data Privacy Framework (DPF) |
    | LinkedIn Recruiter | Recruitment | Name, Email, Job Title, Professional Data | USA | Data Privacy Framework (DPF) |
    | SalesLoft | Sales Engagement | Name, Email, Phone Number, User Activity, Communication History | USA | Data Privacy Framework (DPF) |
    | Greenhouse | Recruitment and hiring process management | Personal data related to job applicants (e.g., name, contact details, CVs, application information) | USA | Data Privacy Framework (DPF) |
    | X | Social Media | Aggregated engagement data (clicks, impressions) | USA | Data Privacy Framework (DPF) |
    | Facebook | Social Media and Advertising | Aggregated engagement data (clicks, impressions) | USA | Data Privacy Framework (DPF) |
    | Reddit | Social Media | Aggregated engagement data (clicks, impressions) | USA | Data Privacy Framework (DPF) |
    | Clozd | Win-Loss Analysis | Name, Email, Job Title, Professional Data | USA | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment (TIA) |

    2.4.2 Data Privacy Framework Compliance

    Guardsquare, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Guardsquare, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Guardsquare, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

    In accordance with the DPF Principles, Guardsquare, Inc. is responsible for the processing of personal data it receives under the DPF and subsequently transfers to third parties acting as agents on its behalf. In such cases, Guardsquare, Inc. ensures that the third parties process personal data in a manner consistent with the DPF Principles.

    Our commitment includes:

    • Subjecting all personal data received directly under Guardsquare, Inc.’s DPF certification to the DPF Principles.
    • Accountability for onward transfers to third parties, ensuring such transfers comply with the DPF Principles, except where we can demonstrate that we are not responsible for the event giving rise to the damage.
    • Disclosing personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
    • Providing, free of charge, an independent dispute resolution mechanism to address complaints and disputes.
    • Providing individuals with the right to invoke binding arbitration under certain conditions for unresolved complaints (https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction).

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Guardsquare, Inc. commits to resolving DPF Principles-related complaints about our collection and use of your personal data. European Union, United Kingdom, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Guardsquare. Refer to §6 (Dispute Resolution and Contact Information).

    Guardsquare, Inc. has further committed to refer unresolved complaints and disputes concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit JAMS Data Privacy Framework Dispute Resolution. The services of JAMS are provided at no cost to you.

    If you have concerns regarding our compliance with the DPF Principles that remain unresolved after utilizing our internal complaint resolution processes and other available DPF mechanisms, you may have the option, under certain conditions, to invoke binding arbitration. For detailed information on the conditions and procedures for binding arbitration, please refer to Annex I of the DPF Principles.

    Additionally, personal data transferred under the DPF is subject to oversight by the U.S. Federal Trade Commission (FTC), which has investigatory and enforcement powers.

    2.5 Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. If you request the deletion of your data, we will comply unless statutory or regulatory obligations require us to retain it.

    2.6 Data Collection and Retention by Purpose

    The following sections describe the specific cases in which we collect and process personal data, the purpose, legal basis, retention period, and whether third parties receive the data.

    2.6.1 Requests via Our Website

    2.6.1.1 Requesting Documents & Resources

    • Data Collected: Name, email, company, country.
    • Purpose: To provide requested documents or resources.
    • Legal Basis: Contractual necessity, pre-contractual steps, or consent.
    • Retention Period:
      • Customer data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement, or upon contract termination, whichever is longer.
      • Prospect data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement.
    • Third-party recipients: Hosting Provider (currently HubSpot); resellers of Guardsquare products or services.

    2.6.1.2 Requesting Quotes

    • Data Collected: Name, email, company, industry, country, phone number, and referral source.
    • Purpose: To provide a tailored quote.
    • Legal Basis: Contractual necessity for preparing a potential agreement.
    • Retention Period:
      • Customer data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement, or upon contract termination, whichever is longer.
      • Prospect data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement.
    • Third-party recipients: Hosting Provider (currently HubSpot); resellers of Guardsquare products or services.

    2.6.1.3 Contact Form

    • Data Collected: Name, email, company, country, phone number, message content.
    • Purpose: To respond to inquiries.
    • Legal Basis: Contractual necessity, pre-contractual steps, or consent.
    • Retention Time:
      • Customer data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement, or upon contract termination, whichever is longer.
      • Prospect data is deleted upon request or after 24 months of inactivity with our marketing activities or website engagement.
    • Third-party recipients: Hosting Provider (currently HubSpot); resellers of Guardsquare products or services.

    2.6.1.4 Direct Marketing

    • Data Collected: Name, email, company, country, and phone number.
    • Purpose: To send relevant product or market updates.
    • Legal Basis: Your informed consent.
    • Retention Period: Data is deleted upon request.
    • Third-party recipients: Hosting Provider (currently HubSpot); resellers of Guardsquare products or services.

    2.6.2 Sales Interactions & Customer Data

    • Data Collected: Name, email, company, industry, country, phone number, communication history, service interest, quote details, and purchase history.
    • Purpose: Customer relationship management (CRM), providing sales quotes, maintaining and managing customer relations.
    • Legal Basis: Contractual necessity, legitimate interest (ongoing sales/customer relationship; internal risk assessment and risk management; legal defense).
    • Retention Periods:
      • Prospects & Sales Leads (No Purchase):
          • Deleted after 24 months of inactivity unless explicit consent is provided for further retention.
      • Active Customer Data (Salesforce CRM & Sales Records):
          • Retained for 5 years from the last recorded interaction or 5 years from contract termination, whichever is longer.
      • Contracts & Financial Transactions (Invoices, Agreements):
          • Retained for 10 years in accordance with Belgian accounting and tax laws.
      • Customer Support Data (Related to Transactions):
          • Retained for 5 years after the last interaction unless required for legal compliance or risk management and legal defense.
      • Third-party recipients:
          • CRM system (currently Salesforce).
          • Contract management (currently Google Workspace).
          • Resellers of Guardsquare products or services.

    2.6.3 Recruitment

    2.6.3.1 Job Applications

      • Data Collected: Name, contact details, resume, cover letter, recommendation letters, and other application-related documents.
      • Purpose: To assess job applications.
      • Legal Basis: Informed consent is necessary to prepare a potential labor agreement. Please note that you cannot apply without giving your consent to process your data for the purpose set out above upon application.
      • Retention Period:
        • If consent is only for the application, data is deleted within 4 weeks after the application process concludes.
        • If consent is given for future opportunities, data is retained for up to 750 days (see §2.6.2.2 "Recruitment Reserve").
      • Third-party recipients: Recruitment agencies and affiliates (if applicable).

    2.6.3.2 Recruitment Reserve

      • What: Applicant data (see §2.6.2.1 “Job Applications”).
      • Purpose: To consider past applicants for future job opportunities.
      • Legal Basis: Your informed consent.
      • Retention Period: Data will be retained for up to 750 days.
      • Third-party recipients: Recruitment agencies and affiliates (if applicable).

    2.6.4 Guardsquare Products

    2.6.4.1 Product User Registration and Usage Data

    • Data Collected: Varies by product—refer to the relevant Data Processing Agreement Annex.
    • Purpose: To provide access to software, services, and manuals, enable product and service usage, and communicate essential product and service information.
    • Legal Basis: Necessary for delivering a product license or service in executing a contract.
    • Retention Period: Refer to the relevant Data Processing Agreement Annex.
    • Third-party recipients: Refer to the relevant Data Processing Agreement Annex.

    2.6.5 Internal Risk Assessment, Risk Management, and Legal Defense

    • Purpose:
      • To assess and manage business risks related to customer transactions and engagements.
      • To retain records for potential legal claims, regulatory inquiries, or contract disputes.
      • To maintain records for compliance with applicable data protection and business regulations.
    • Legal Basis:
      • Legitimate interest (Article 6(1)(f) GDPR) – ensuring business continuity, compliance, and defense against potential claims.
      • Legal obligation (Article 6(1)(c) GDPR) – adhering to financial, tax, and contractual retention requirements.
    • Retention Period:
      • 5 years after contract termination to cover potential liabilities, disputes, and regulatory inquiries.
      • 10 years for financial/tax documentation, aligning with Belgian legal requirements (or as otherwise legally permitted or required from time to time).

    2.7 Cookies

    • As per §5 (Cookies) below.

    3. Your Rights

    Under the GDPR and the Data Privacy Framework, you have the following rights:

    • Right to be informed: The right to be informed about how we will collect, use, and share your personal data in a concise, transparent, intelligible, and easily accessible format, written in clear and plain language. This information is set out in this Privacy Policy, and additional information can be requested in accordance with (§6.1 “Contact Us”).
    • Access: The right to request a copy of the personal data we hold about you (provided that this does not adversely affect the rights and freedoms of others), together with information regarding how your personal data is being used, which information you also find in this Privacy Policy.
    • Rectification: The right to have your personal data rectified or, taking into account the purposes of the processing, completed if it is inaccurate or incomplete. If we have disclosed the relevant personal data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible.
    • Erasure (Right to be Forgotten): The right to request the deletion of your personal data when any of the conditions outlined in (§2.2 "Legal Basis for Processing") apply, such as when the data is no longer necessary, you withdraw consent, or the data was unlawfully processed. You acknowledge that this is not a blanket right to require all of your personal data to be erased. We will carefully consider each request in accordance with the requirements under applicable law.
    • Restriction: The right to request to restrict the processing of your data in certain circumstances.
    • Data Portability: The right to request the transfer of your data to another entity under the legally defined conditions.
    • Objection: The right to object to processing based on legitimate interests or for direct marketing purposes. If you so object, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of a legal claim.
    • Withdraw Consent: You can withdraw your consent at any time.

    You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    4. Security Measures

    We take data security seriously and have implemented technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, and regular security audits. Please visit our Security Standards page for more detailed information on our security practices.

    5. Cookies

    We use cookies and similar technologies to improve user experience. For details, see our Cookie Policy.

    6. Dispute Resolution and Contact Information

    If you have concerns about how we handle your personal data or believe we are not complying with applicable data protection laws, we encourage you to contact us directly first. We are committed to responding promptly and resolving issues in a fair and transparent manner.

    6.1 Contact Us

    For general privacy inquiries, to exercise your rights under GDPR or other applicable laws, or to raise a concern, please use our Privacy Request & Complaint Handling Form. If you are unable to access the form, you may contact us by email:

    • Email: privacy@guardsquare.com
    • Company Name: Guardsquare NV
    • Address: Tervuursevest 362/1, 3000 Leuven, Belgium
    • Phone: +32 (0)16 920 646

    6.2 GDPR Complaints and Escalation Process

    If you are not satisfied with our response, you have the right to escalate your complaint to the relevant Data Protection Authority (DPA) in your country.

    Because our EU headquarters is in Belgium, you may also contact:

    Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit)

    Rue de la Presse 35, 1000 Brussels
    Phone: +32 (0)2 274 48 00
    Email: contact@apd-gba.be
    Website: www.dataprotectionauthority.be

    You can find a list of all EU/EEA DPAs here.

    6.3 DPF Dispute Resolution

    If your concern involves personal data transferred under the EU-U.S. Data Privacy Framework (DPF), the UK Extension, or the Swiss-U.S. DPF, the following dispute resolution process applies:

    1. Contact us first using the complaint process outlined above. In accordance with DPF requirements, we will respond to your complaint within 45 days.
    2. If we are unable to resolve your concern to your satisfaction, you may escalate the matter to our designated independent dispute resolution provider:

      JAMS (https://www.jamsadr.com/DPF-Dispute-Resolution)
       
      • JAMS handles unresolved privacy complaints covered by the DPF Principles.
      • You must provide evidence that you attempted to resolve the issue with us and, if applicable, through a DPA.
      • The JAMS process is provided at no cost to you.
    3. In certain limited situations, if the issue still remains unresolved, you may have the right to invoke binding arbitration under the DPF’s Annex I conditions. Details are available on the official Data Privacy Framework website.