Services About Plans FAQ Contact
// Legal

Privacy Policy

How Horizon IT Consulting collects, uses and protects your personal data.

Last updated: 18 March 2026 | Controller: Horizon IT Consulting | Applies to: horizonconsulting.it

1. Who we are

Horizon IT Consulting is a sole-trader IT consulting firm registered at the Chamber of Commerce (KVK) in Rotterdam, the Netherlands. We provide remote IT support, cloud migrations and modern workplace solutions, primarily to SMEs.

In the context of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch Implementation Act (Uitvoeringswet AVG), Horizon IT Consulting acts as the data controller for personal data processed via this website and in connection with its services.

Controller details:

2. Data we collect

We only collect personal data that is necessary for the services we provide or that you voluntarily share with us.

Via the contact form

  • First and last name
  • Email address
  • Company name (optional)
  • Your message / question

Via email or phone

  • Contact details you provide in the communication
  • Content of the conversation relevant to the service request

During service delivery

  • IT environment details required to perform the work (e.g. system names, configurations)
  • Invoice and payment data (name, address, VAT number if applicable)

Automatically via the website

  • IP address and browser type (server logs, retained for max. 7 days)
  • Pages visited and referral source (anonymous analytics, if active)

3. Purpose & legal basis

We process personal data only for specified, explicit and legitimate purposes. For each purpose we identify the applicable legal basis under Article 6 GDPR:

  • Responding to enquiries and requests — legitimate interest (Art. 6(1)(f) GDPR): we have a legitimate interest in responding to messages sent via the contact form or by email.
  • Executing a service agreement — performance of a contract (Art. 6(1)(b) GDPR): processing is necessary to perform the agreed IT services.
  • Invoicing and financial administration — legal obligation (Art. 6(1)(c) GDPR): Dutch tax law (Belastingdienst) requires us to retain financial records for seven years.
  • Website security and abuse prevention — legitimate interest (Art. 6(1)(f) GDPR): server logs are kept briefly to detect and prevent misuse.
  • Commercial communications / newsletter — consent (Art. 6(1)(a) GDPR): we only send marketing emails to individuals who have explicitly opted in. You may withdraw consent at any time.

We do not engage in automated decision-making or profiling as referred to in Article 22 GDPR.

Where we rely on legitimate interest, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. Retention periods

  • Contact form messages: deleted within 12 months if no service agreement follows
  • Client records (invoices, contracts): kept for 7 years to comply with Dutch tax retention requirements
  • Server logs: automatically deleted after 7 days
  • Newsletter subscriptions: retained until you unsubscribe

5. Third parties and processors

We do not sell, rent or otherwise commercially share your personal data with third parties. We may engage processors who process data on our behalf. All processors are bound by a written data processing agreement (verwerkersovereenkomst) as required by Article 28 GDPR:

  • GoDaddy — website hosting. GoDaddy processes data within or under adequate safeguards from the EEA.
  • Email provider — for professional email communication.
  • Accounting / invoicing software — for financial administration and invoice generation.
  • Microsoft 365 / Azure — productivity tools used for internal operations. Microsoft acts as a processor under a Data Processing Agreement and the EU Standard Contractual Clauses.

We may also disclose your data to competent authorities (such as the Dutch Tax Authority or law enforcement) if we are legally required to do so.

International transfers: Where personal data is transferred to a country outside the European Economic Area (EEA), we ensure that adequate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) adopted by the European Commission, or that the receiving country benefits from an adequacy decision.

6. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. These measures include:

  • Encrypted communication (HTTPS / TLS)
  • Access restricted to authorised persons only
  • Regular security updates and patching
  • Strong password policies and multi-factor authentication on internal systems

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (AP) within 72 hours and, where required, inform you directly.

7. Your rights

Under the GDPR and the Dutch Implementation Act (Uitvoeringswet AVG), you have the following rights with regard to your personal data. These rights apply within the limits set by applicable law:

  • Right of access (Art. 15 GDPR) — you may request a copy of all personal data we process about you, along with information on how it is used.
  • Right to rectification (Art. 16 GDPR) — you may ask us to correct or complete inaccurate or incomplete data without undue delay.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR) — you may request deletion of your data, unless we are required to retain it by law (e.g. for tax purposes).
  • Right to restriction of processing (Art. 18 GDPR) — you may ask us to limit the use of your data in specific circumstances, for example while a correction request is pending.
  • Right to data portability (Art. 20 GDPR) — you may request a copy of your data in a structured, commonly used and machine-readable format, and have it transferred to another controller where technically feasible.
  • Right to object (Art. 21 GDPR) — you may object at any time to processing based on legitimate interests. We will then stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at info@horizonconsulting.it or by post at the address in section 1. We will respond within one month. This period may be extended by up to two additional months for complex or multiple requests, in which case we will inform you.

We may request proof of identity before processing your request, to prevent unauthorised disclosure.

If you believe your rights have been infringed, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl, tel. +31 88 1805 250.

8. Cookies and similar technologies

This website does not currently use tracking, analytics or advertising cookies. Only technically necessary scripts are loaded to render the page correctly (no third-party cookies are set).

Under the Dutch Telecommunications Act (Telecommunicatiewet, Art. 11.7a) and the ePrivacy framework, we are required to inform you of any cookies or similar tracking technologies in use and, for non-essential cookies, to obtain your prior consent.

If we introduce analytics or marketing tools in the future, we will update this policy, implement a cookie banner and request your consent before placing any non-essential cookies.

9. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our services or applicable law. The date at the top of this page will always reflect the most recent revision. We encourage you to review this page periodically.

For material changes, we will notify existing clients by email.

10. Contact

Questions about this privacy policy or how we handle your data? Please reach out:

← Back to homepage