Privacy policy

Introduction

Xendy BV, located at Oostervelden 62, 6681WZ in Bemmel, the Netherlands, processes personal data carefully and in accordance with the General Data Protection Regulation (GDPR). In this privacy statement, we explain which personal data we collect, for what purposes this data is used, and what rights you have as a data subject.

1. What personal data do we collect and why?

Xendy collects and processes various categories of personal data, depending on your relationship with us. Below is an overview of the data we process, the purposes, and the legal basis:
  • Customers: Contact details, payment information, usage data of our services, and the content of sent emails for analysis and optimization.
    • Purpose: execution of the agreement, analysis to improve services, reporting and optimizing email campaigns.
    • Legal basis: necessary for the performance of the agreement.
  • Prospects and Interested Parties: Contact details, company name, and interests in our services.
    • Purpose: marketing, providing information, and making offers.
    • Legal basis: legitimate interest in acquiring new customers.
  • Website Visitors: IP address, browser data, cookies, and click behavior.
    • Purpose: improving the website experience and providing relevant content.
    • Legal basis: consent (for non-functional cookies).
  • Applicants: Contact details, resume, cover letters, and additional application information.
    • Purpose: assessing suitability for a position.
    • Legal basis: necessary for pre-contractual measures.
  • Employees: Contact details, personnel files, salary information, identification data, job title, employment contract, work hours, leave, and sick leave.
    • Purpose: execution of the employment contract, payroll administration, compliance with legal obligations (e.g. tax and social insurance laws), and internal operations.
    • Legal basis: necessary for the employment contract, legal compliance, and in some cases, legitimate interest (e.g. managing sick leave).
    • Retention period: data is stored during the employment period and as long as legally required (e.g. 7 years for payroll records).

2. Retention of personal data

Xendy does not store personal data longer than necessary for the purposes for which it was collected, unless a legal retention obligation applies. We use the following retention periods:
  • Customer data: during the term of the agreement and as long as legally required (e.g. 7 years for financial records).
  • Prospect data: until the prospect indicates no further interest or after 3 years of inactivity.
  • Applicant data: up to 4 weeks after the end of the application process, unless consent is given for longer retention.
  • Call recordings: up to a maximum of 30 days, unless needed for legal investigation.

3. Data processing by customers (processor role)

Xendy also processes data uploaded by our customers (e.g. email contacts). In this case, we act as a processor, while the customer is the data controller. This means:
  • The customer is responsible for obtaining valid consent from their contacts for sending email campaigns via Xendy.
  • Xendy processes the data only on behalf of the customer and has no control over the legal basis of the processing.
  • Customers must notify Xendy of data deletion or updates to remain GDPR-compliant.

4. Sharing data with third parties

Xendy collaborates with carefully selected third parties to deliver certain services, such as hosting, data analysis, and payment processing. These third parties only access your personal data when strictly necessary to provide their services. Xendy signs data processing agreements with all third parties to ensure they comply with GDPR standards and only process your data according to our instructions and solely for the intended purpose.
 
Data processing outside the EEA
Where possible, Xendy processes personal data within the European Economic Area (EEA). If it is necessary to transfer personal data outside the EEA, we take appropriate measures to ensure a level of protection in line with the GDPR. This includes using Standard Contractual Clauses (SCCs) approved by the European Commission, and additional technical and organizational safeguards where required.
 
Xendy acknowledges that countries like Germany and other EEA member states may impose additional requirements for data transfers outside the EU. To meet these standards, we provide documentation on request outlining the safeguards taken for international infrastructure and data transfers. Customers are informed about the locations of subprocessors and can request details of the specific security measures taken for those data flows.
 
Sharing with government authorities
In exceptional cases, Xendy may share personal data with government authorities, for instance when legally required during a criminal investigation. In such cases, we carefully assess whether the request is necessary and legally justified. We always act in accordance with the law and our privacy policy.

5. Email tracking and monitoring

To help our customers optimize their email campaigns, Xendy collects data on interactions with emails, such as open and click behavior. This information is only collected with the recipient’s consent and is used by our customers for reporting and insights. Anonymous data is retained to improve our service.

6. Cookies and tracking technology

We use cookies on our website to collect visitor data, improve user experience, and display relevant content. Functional cookies are always placed, but non-functional cookies (such as tracking and marketing cookies) are only used after you give explicit consent. You can manage your cookie preferences via our website.

7. Protection of your personal data

Xendy implements appropriate measures to protect personal data against loss, misuse, and unauthorized access. Our security measures include:
  • Encryption: data is encrypted during transmission and storage.
  • Backups: daily backups to protect against data loss.
  • ISO-27001 Standards: we follow security protocols based on these standards.
  • Contractual Agreements: data processing agreements with vendors to safeguard personal data.

8. Privacy-by-design and privacy-by-default

Xendy applies the principles of privacy-by-design and privacy-by-default in system development. This means we prioritize data protection in our processes and continuously work to improve our systems to safeguard your data.

9. Your rights under the GDPR

As a data subject, you have the following rights under the GDPR. Xendy supports you in exercising these rights and aims to respond promptly and fully:
  • Right of access: request an overview of the personal data we process about you.
  • Right to rectification: request corrections to incorrect or outdated data.
  • Right to erasure: request deletion of your data when processing is no longer necessary or when you withdraw consent.
  • Right to restrict processing: request restriction of processing, for example if data accuracy is disputed.
  • Right to data portability: receive your data in a structured, commonly used, and machine-readable format.
  • Right to object: object to processing based on legitimate interest, including profiling and direct marketing.
  • Right not to be subject to automated decision-making: Xendy does not make automated decisions that have legal or similarly significant effects on you.
Automated decision-making
Xendy does not use automated decision-making without human intervention that has legal or significant impact on you. For customers in countries like the Netherlands and Spain, where specific regulations apply, we confirm that decisions about personal data always undergo human review. We comply with EEA regulations and can provide further information about decision-making processes upon request.
 
Handling requests
You can submit your requests via our legal department at support@xendy.me, and we typically respond within 5 working days. In complex cases, this may be extended to up to one month. Xendy generally does not charge for handling requests unless the request is repeated or clearly unfounded. Any administrative fees will be communicated to you in advance.

10. Filing a complaint with the supervisory authority

If you are not satisfied with how we handle your personal data, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.

11. Changes to this privacy statement

Xendy may update this privacy statement to comply with legal changes or optimize our processes. We recommend reviewing this statement regularly. Significant changes will be communicated to customers via email.

12. Contact details

For questions about this privacy statement or to exercise your rights, please contact us at:
 
Xendy BV
Attn: Legal Department
Address: Oostervelden 62, 6681WZ Bemmel, The Netherlands
Email: support@xendy.me