Privacy Policy

1.1 This privacy policy explains how Next Shape processes personal data via nextshape.nl and in the context of its services. 1.2 Next Shape is the data controller for personal data it processes for purposes such as website visits, contact, marketing, sales, administration, and contract management. 1.3 For client projects, Next Shape may process personal data on behalf of the client. In that case, the client is usually the data controller and Next Shape is the processor. Agreements regarding this are laid down in a Data Processing Agreement (DPA).

2.1 Contact and communication data: name, email address, phone number, company name, position, and content of messages/questions. 2.2 Website and device data: IP address (to the extent processed), cookie IDs/online identifiers, browser and device data, language settings, page views, click and scroll behavior, session and error message data, referrer/UTM parameters. 2.3 Business and administrative data: invoice details, contract details, communication about assignments, payment and transaction details (processed via payment service providers). 2.4 Project data (on behalf of clients): depending on the project, this may include: employee contact details, CRM data, sales and operational data, client communication, support tickets, AI logs, and automation data.

We process personal data for the following purposes: 3.1 Contact and relationship management: answering questions, scheduling introductions, follow-up, and client communication. 3.2 Quotes, contracts, and execution: preparing and executing assignments, deliveries, support, monitoring, and optimization (one-off projects and/or retainer). 3.3 Website improvement and measurements: gaining insight into website usage and conversions, debugging, and performance monitoring. 3.4 Marketing (B2B): promoting our services, measuring the effectiveness of campaigns, and approaching business contacts within the limits of applicable law. 3.5 Security: securing our website, systems, and accounts, abuse detection, and incident investigation. 3.6 Financial administration: invoicing, payments, and accounting. 3.7 Legal obligations: complying with tax and other legal retention and obligations.

4.1 Performance of a contract (GDPR Art. 6(1)(b)): when processing is necessary for a quote, contract, or service delivery. 4.2 Legitimate interest (GDPR Art. 6(1)(f)): including business operations, security, website improvement, limited B2B marketing, and quality improvement, with a balancing of interests. 4.3 Consent (GDPR Art. 6(1)(a)): specifically for non-essential cookies/trackers and similar technologies. 4.4 Legal obligation (GDPR Art. 6(1)(c)): including tax obligations. 4.5 For processing in which Next Shape acts as a processor, the grounds of the client as the data controller apply; Next Shape then acts based on the DPA and written instructions.

5.1 Next Shape uses cookies and similar technologies on nextshape.nl for:

• Functional purposes (e.g., basic operation and preferences);
• Analytical purposes (measuring and improving usage and conversions).

5.2 We use:

• Google Analytics 4 (GA4) for web analytics;
• PostHog for product/website analytics (e.g., funnels, events, and usage patterns).

5.3 For cookies and trackers that are not strictly necessary, we request consent via a cookie banner. Where legally required, analytics are only activated after consent. 5.4 You can always change or withdraw your consent via the cookie banner (or a 'cookie settings' link if present) and you can delete cookies via your browser settings. 5.5 Note: if you disable cookies, it may affect the functioning or measurability of parts of the website.

6.1 Next Shape does not sell personal data. We only share personal data if necessary for the purposes in this policy, to comply with legislation, or based on consent. 6.2 Personal data may be shared with the following categories of recipients: a. Hosting and IT service providers (cloud, infrastructure, databases, email, and communication tooling); b. Analytics and measurement service providers (including GA4 and PostHog, depending on cookie settings); c. Payment service providers (for payment processing and fraud prevention); d. Automation and integration service providers (for workflows and links); e. AI service providers (if/to the extent necessary for AI functionality within our services, depending on configuration and assignment); f. Professional advisors (such as accountants/lawyers) when necessary; g. Government authorities when we are legally obliged to do so.

6.3 Where parties process personal data on behalf of Next Shape, we conclude data processing agreements or similar contractual safeguards where necessary, including agreements on confidentiality and security. 6.4 For client projects, (sub)processors and any international transfer are further regulated in the DPA and/or a (sub)processor list.

7.1 Some service providers may use (sub)processors or process data outside the European Economic Area (EEA). 7.2 If personal data is processed outside the EEA, Next Shape takes appropriate safeguards, such as Standard Contractual Clauses (SCCs) and, where necessary, additional measures (e.g., encryption, data minimization, and access restrictions). 7.3 For client projects: international transfer is arranged in accordance with the DPA and the client's instructions.

8.1 Next Shape does not store personal data longer than necessary. Indicative: a. Contact and sales communication: up to 24 months after last contact, unless earlier objection/deletion and no other basis; b. Contract and invoice data: in accordance with legal retention obligations (in the Netherlands usually 7 years); c. Analytics data: according to the set retention in GA4/PostHog and no longer than necessary for analysis and improvement; d. Project data as a processor: in accordance with agreements in the DPA; after the end of service provision, delete/return as agreed, unless legal obligations dictate otherwise. 8.2 Backups may still contain data for a limited period; permanent deletion follows the backup cycle.

9.1 Next Shape takes appropriate technical and organizational security measures, including where appropriate: access management (least privilege), authentication, encryption during transport (TLS), logging/monitoring, patch management, and security agreements with service providers. 9.2 No single measure offers a 100% guarantee. In the event of an incident, we will act in accordance with the GDPR, including reporting where required.

10.1 You have (under conditions) the right to access, rectification, erasure, restriction, data portability, and objection. 10.2 If processing is based on consent, you can always withdraw that consent (without retroactive effect). 10.3 You can submit requests via info@nextshape.nl. We may verify your identity to prevent abuse. 10.4 You can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

11.1 Next Shape usually does not take decisions through nextshape.nl with legal consequences or similarly significant consequences on the basis of solely automated processing. 11.2 AI may be used within service provision. AI output is in principle supportive and, depending on the use case, may be subject to human review (human-in-the-loop), as laid down in the assignment and/or general terms and conditions.

For questions or privacy requests: info@nextshape.nl or by post: Honingboomstraat 23, 6444CA Brunssum, The Netherlands.

We may change this privacy policy. The most recent version is published on nextshape.nl with an updated date.