Privacy Policy

Introduction

Subalta ("we", "our" or "us") is committed to protecting your privacy and personal data that we obtain from or about you. This privacy policy describes our practices regarding information obtained from or about you when you use our websites, applications, platforms and all associated software applications and technologies, as well as the services (collectively "Services"). By using our Services, you agree to the practices described in this privacy policy.

Subalta SRL, domiciled at Rue de Belle-Vue 18, 1480, Tubize, Belgium, under company number 1004905845, is the data controller for your personal data. You can contact us by email at contact@subalta.com or by post at the address mentioned above.

Personal data we collect

We collect different types of personal data through different methods in order to provide, improve and secure our Services.

Data you provide directly

We collect information you provide directly when you create an account, communicate with us, or identify yourself as a representative of an organisation. This includes:

Account information

When you create an account, we collect information associated with it, including your name, contact details, account credentials (securely encrypted), date of birth (for age verification), payment information, and transaction history.

Communication information

If you communicate with us (e.g. by email, social media, or support channels), we collect personal data including your name, contact details, and message content. These data help us respond to queries, resolve issues, and improve our Services.

Other information you provide

We may collect additional information when you participate in surveys, events or promotions, or when you provide documents to verify your identity, age, or authority to represent an organisation in specific circumstances. These data are used for event management, identity verification, legal compliance, and ensuring legitimate access to our Services.

Data resulting from your use of our Services

We automatically collect certain types of personal data when you interact with our Services. This helps us ensure the platform works correctly and allows us to improve our Services. The categories of data we collect are:

Cookies and similar technologies: We use cookies and similar technologies to manage and administer our Services and improve your experience. You can manage your cookie preferences. For more details, please see our cookie policy.

Usage data: We collect information about how you use our Services to monitor functionality and identify areas for improvement. This includes details about search types, features used, access frequency and duration, and other platform interactions.

Content provided to the platform: When you provide information or upload data (e.g. for grant applications), this content may contain personal data. We process this information solely to provide the requested Services. This data is stored and accessible only to the user or authorised representatives of the using organisation, and is not used to improve our Services.

Organisation information

To provide our Services, we collect extensive data about organisations referenced by our users. This involves the systematic collection of public company information from a wide range of sources, including official registers, government databases, company websites, and other online resources.

While we focus on company-related information such as names, addresses, registration numbers, financial data, sector classifications, or similar details, it is possible that some private or personal data may appear in these collected datasets.

We emphasise that we do not actively seek personal information when collecting organisation data. We also do not use personal data included in these datasets for purposes such as contacting individuals, advertising, selling products, or monetising the information itself. Any personal data appearing in organisation information is processed solely for the purpose of providing our Services.

This data remains secure and is used in strict compliance with this privacy policy and applicable data protection laws. Please contact us if you believe that organisation data contains personal information requiring further review or specific action.

Information from additional sources

We may receive personal data from partners for specific purposes, such as ensuring security, preventing fraud or abuse, and identifying potential customers for our Services. These partners include security providers and marketing vendors who share relevant data to support our business operations and improve Service delivery.

How we use personal data

We use personal data for the following purposes:

Provide, operate, and maintain our Services: This includes responding to user requests, providing core features, and ensuring operational reliability.

Improve and develop our Services: We analyse data to improve our platform, create new features, and drive innovation.

Communicate with you: We send updates, announcements, and information about our Services, including platform changes and improvements.

Prevent fraud and ensure security: We monitor and process data to prevent fraudulent activities and protect our Services and systems.

Meet legal obligations: We use data to comply with regulatory requirements and protect the rights, privacy, safety, and property of users, our company, and third parties.

We may also aggregate or anonymise personal data to analyse Service usage and improve functionality. Such de-identified data remains in anonymous form and is only re-identified when legally required. We are committed to collecting only the data necessary to achieve these purposes.

Disclosure of personal data

We may disclose personal data to third parties in compliance with applicable laws. Below are the categories of third parties with whom we may share personal data and the reasons for disclosure:

Vendors and service providers

To support and ensure the effectiveness of our Services, we may disclose personal data to trusted vendors and service providers who assist with hosting, data storage, IT infrastructure, customer support, payment processing, analytics, and other business operations. These parties process personal data only according to our instructions and for the purposes specified in this policy.

Affiliates and partner companies

We may share personal data with our affiliates, subsidiaries, or related entities. These affiliates will process personal data in a manner consistent with this privacy policy.

Business transfers

If Subalta is involved in a merger, acquisition, reorganisation, bankruptcy, or other transaction involving the transfer of business assets, personal data may be disclosed to the relevant parties during due diligence and transferred to the successor entity as part of the transaction. We will ensure that any shared data continues to be protected in accordance with this privacy policy.

Legal compliance and rights protection

We may disclose personal data to government authorities, regulators, or other third parties where required by law or where we believe disclosure is necessary to: comply with applicable legal or regulatory obligations; protect our rights, property, or safety, and those of our users, employees, or the public; detect, investigate, and prevent fraud, security breaches, or other illegal activities; respond to legal claims or disputes, or enforce our terms of use or other policies.

Third-party integrations and links

Our Services may include integrations or links to third-party websites, applications, or services. By interacting with these third parties, you may share data directly with them, subject to their privacy policies. We encourage you to review the privacy practices of any third-party services you access. Inclusion of links or integrations does not imply our endorsement of or responsibility for those services.

We do not sell or rent personal data to third parties for marketing. All disclosures are made to meet legitimate business needs, ensure the safety and security of our users, or comply with legal obligations. Where applicable law requires, we ensure appropriate safeguards are in place for any transfer of personal data, particularly when transfers occur outside the European Economic Area (EEA).

Retention periods

We retain your personal data for as long as necessary to provide our Services, fulfil our contractual obligations, and meet legitimate business needs, including resolving disputes, ensuring safety and security, and complying with legal requirements. Retention depends on factors such as:

Your relationship with us: We retain data while your account is active or as necessary to provide our Services.

Purpose of collection: Data is only retained until it has fulfilled its specific function.

Legal and regulatory obligations: Certain information must be retained to comply with laws or resolve disputes.

Potential risks: We assess the sensitivity of data and potential risks of unauthorised use or disclosure.

When personal data is no longer required, we delete it, anonymise it, or securely store it until deletion is possible. Specifically, we retain:

Account and communication data for five (5) years after account closure.

Usage data for one year for analytics and Service improvement purposes.

Uploaded content for as long as your account or your organisation's account is active.

Your rights

As a user of Subalta's Services, you have the following rights regarding your personal data under applicable data protection laws:

Access your personal data: You have the right to request access to the personal data we hold about you and information about how it is processed.

Rectify or update your personal data: If any of your personal data is inaccurate or out of date, you can ask us to correct or update it.

Delete your personal data: You can ask us to delete your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent (where applicable).

Restrict how we process your personal data: You can request a restriction on processing in certain circumstances, such as while a dispute about the accuracy or lawfulness of your data use is resolved.

Transfer your personal data (data portability): You can ask us to provide your data in a structured, commonly used, machine-readable format for transfer to another organisation.

Withdraw your consent: Where we rely on your consent to process personal data, you have the right to withdraw it at any time by contacting us at contact@subalta.com. This does not affect the lawfulness of processing carried out before withdrawal.

Object to processing: You may object at any time to the processing of your personal data for direct marketing purposes. If you object to processing based on legitimate interests, we will evaluate your objection and balance it against our legitimate grounds for processing.

Lodge a complaint: If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the Belgian Data Protection Authority or your local supervisory authority within the EEA.

Define instructions for after your death: You have the right to define directives concerning the retention, erasure, and communication of your personal data after your death, in accordance with Article 40-1 of the GDPR.

How to exercise your rights

To exercise any of these rights, contact us at contact@subalta.com or through your user account where applicable. For security reasons, we may request additional documents to verify your identity before processing your request.

We aim to respond to all valid requests within two months. If your request is particularly complex or involves multiple requests, we may extend this period by a further two months, in which case we will inform you and explain the reasons.

Security

We are committed to protecting your personal data. We implement commercially reasonable technical, administrative, and organisational measures designed to protect personal data against loss, misuse, and unauthorised access, disclosure, alteration, or destruction.

While we strive to secure your data, no system, network, or transmission method is entirely safe. You should therefore exercise care when deciding what information you provide to our Services. We are also not responsible for circumvention of privacy settings or security measures in the Service or on third-party websites.

Technical and organisational measures we implement:

Encryption of data in transit using standardised protocols.

Strict access controls to limit data access to authorised personnel only.

Regular security assessments of our systems.

Regular security training for our team to prepare for and mitigate potential threats.

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours. If the breach presents a high risk to your rights and freedoms, we will also notify affected individuals as soon as possible.

If you have concerns about the security of your personal data, contact us at contact@subalta.com. We are committed to addressing any potential security issues promptly. If you detect suspicious activity, inform us immediately.

Legal bases for processing

We assess objections to processing based on legitimate interests on a case-by-case basis. This involves balancing your rights and freedoms against our legitimate interests to determine whether processing may continue.

Data transfers

We process and store your personal data on servers located in the European Economic Area (EEA). However, we also use service providers whose servers are located in the United States and other countries, meaning your personal data may be transferred, stored, and processed in facilities outside the EEA. We apply the protections described in this privacy policy regardless of where your data is processed.

When transferring personal data outside the EEA:

We rely on adequacy decisions issued by the European Commission under Article 45(1) GDPR for jurisdictions considered to offer adequate levels of protection.

For transfers to jurisdictions without adequacy decisions, such as the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR and the UK data transfer addendum to ensure compliance.

Transfers to non-EEA jurisdictions are limited to the purposes necessary for Service delivery and are retained only to the extent necessary to achieve those purposes. We are actively working to transition all data storage and processing operations to the EEA.

For more information on the transfer mechanisms we use, or if you have questions about our ongoing efforts, contact us at contact@subalta.com.

Children's privacy

We do not knowingly collect, solicit, or process personal data from children under 18 years of age. By using our Services, you represent that you are at least 18 years old or that you are the parent or legal guardian of a minor using the Services with your consent. If we learn that personal data of users under 18 has been collected without appropriate consent, we will immediately take steps to disable the account and delete the data from our records.

If you believe we have inadvertently collected data about a child under 18, please contact us at contact@subalta.com and we will resolve the matter promptly.

Privacy policy updates

We may update this privacy policy from time to time to reflect changes in our practices, legal obligations, or other operational or regulatory requirements. If the update involves material changes affecting your rights or how we use your personal data, we will provide at least thirty (30) days' prior notice before the new provisions take effect, via a notification in our Services or by email. When we make updates, we publish the revised policy with a new "last updated" date. We encourage you to review this privacy policy regularly. By continuing to use our Services after an update to this privacy policy, you accept the updated terms.

Contact us

For any question or concern not already addressed in this privacy policy, contact us at contact@subalta.com or write to us at our registered office: Rue de Belle-Vue 18, 1480, Tubize, Belgium.