Last updated:

Privacy & Cookie Policy

This policy explains what data Exeme collects about you, why, and how you can control it. It covers both personal data (GDPR / UK GDPR) and cookies / similar technologies.

1. Who we are (data controller)

[EXEME LEGAL NAME]
Company registration: [KVK NUMBER]
Contact: [CONTACT EMAIL]

If you have questions about this policy or want to exercise your rights, email us at the address above.

2. What data we collect and why

Analytics (with your consent)

  • Google Analytics 4 — collects anonymised usage data (pages visited, session duration, approximate location). Used to understand how visitors use the site so we can improve it.
  • Microsoft Clarity (active once enabled in settings) — session recordings and heatmaps to understand user behaviour. No personally identifiable information is captured.

Marketing / advertising (with your consent)

  • Bing UET (Universal Event Tracking) (active once enabled in settings) — tracks conversions from Microsoft Ads campaigns.

Strictly necessary (no consent required)

  • Cookies required for the site to function (e.g. storing your cookie preferences). No personal data is used for tracking or profiling.
  • Cloudflare Web Analytics — cookieless, privacy-first analytics operated by our CDN provider. Does not set cookies or track individuals; not subject to consent requirements.

3. Cookies we use

The table below lists cookies set by this site. We only set non-essential cookies after you grant consent.

4. Legal basis

We process personal data collected through analytics and marketing cookies on the basis of your consent (GDPR Art. 6(1)(a) / UK GDPR Art. 6(1)(a)). You can withdraw consent at any time using the button at the bottom of this page or in the site footer.

Strictly necessary cookies are processed under our legitimate interest in delivering a functioning website (GDPR Art. 6(1)(f)).

5. International data transfers

Google (Google Analytics 4) and Microsoft (Clarity, Bing UET) may process data on servers in the United States and other countries outside the EEA / UK. These transfers are covered by:

  • EU–US Data Privacy Framework — both Google and Microsoft are certified participants (verify at dataprivacyframework.gov). [Confirm this remains current before going live.]
  • Standard Contractual Clauses (SCCs) — in addition to DPF certification, Google and Microsoft rely on SCCs for transfers to other third countries. [Insert links to Google/Microsoft DPA pages.]

This paragraph is template wording. Confirm the applicable transfer mechanisms with your legal adviser before publishing.

6. Your rights

Under GDPR and UK GDPR you have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — limit how we process your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — withdraw cookie consent at any time via the button below or in the site footer. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Lodge a complaint — contact the UK ICO (ico.org.uk) or the Dutch AP (autoriteitpersoonsgegevens.nl).

To exercise any right, email [CONTACT EMAIL]. We respond within one month.

7. Changes to this policy

We update this policy when we add new cookies or change how we process data. Material changes will be communicated via a new consent prompt. The "Last updated" date at the top reflects the most recent revision.
