Privacy Policy

Perovion B.V.

Version: 2.0 | Date: March 2026 | Effective date: March 2026

Replaces all previous versions.

This Privacy Policy has been drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), the Dutch Implementation Act (Uitvoeringswet AVG), and applicable guidance issued by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the European Data Protection Board (EDPB).

1. Introduction and Scope

Perovion B.V. (hereinafter: “Perovion”, “we”, “us” or “our”) is a private limited liability company incorporated and registered under Dutch law. We are committed to processing personal data in a lawful, fair and transparent manner and to ensuring a high standard of data protection in all of our activities.

This Privacy Policy (“Policy”) describes:

• the categories of personal data we collect and process;
• the purposes for which personal data is processed;
• the legal bases relied upon for each processing activity;
• the recipients of personal data and any international transfers;
• the retention periods applicable to personal data;
• the technical and organisational security measures we apply;
• the rights available to data subjects and how to exercise them; and
• how to contact us and the competent supervisory authority.

This Policy applies to all processing of personal data carried out by Perovion as data controller, including via our website (www.perovion.nl) and any related digital channels. It does not apply to the processing of personal data by third parties whose services we may link to.

By submitting your personal data through our contact form or otherwise engaging with our services, you acknowledge that you have read and understood this Policy.

2. Identity and Contact Details of the Data Controller

The data controller responsible for the processing of your personal data, within the meaning of Article 4(7) GDPR, is:

Perovion B.V.

Chamber of Commerce (KvK) number: [to be completed]

Registered address: [to be completed]

Email (data protection enquiries): privacy@perovion.nl

Website: www.perovion.nl

Perovion has assessed whether the appointment of a Data Protection Officer (DPO) is mandatory under Article 37 GDPR. [Insert outcome: e.g., “As Perovion does not carry out large-scale, systematic monitoring of data subjects, nor does it process special categories of data on a large scale, the appointment of a DPO is not mandatory. Nevertheless, any privacy-related enquiries may be directed to the contact details above.”]

3. Key Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below, consistent with the definitions set out in Article 4 GDPR:

• “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifier (Art. 4(1) GDPR).
• “Processing” means any operation or set of operations performed on personal data, including collection, recording, storage, use, disclosure or erasure (Art. 4(2) GDPR).
• “Data controller” means the natural or legal person which determines the purposes and means of processing (Art. 4(7) GDPR).
• “Processor” means a natural or legal person which processes personal data on behalf of the controller (Art. 4(8) GDPR).
• “Data subject” means the identified or identifiable natural person to whom the personal data relates (Art. 4(1) GDPR).
• “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes (Art. 4(11) GDPR).
• “Personal data breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12) GDPR).

4. Categories of Personal Data Processed

4.1 Data provided directly by the data subject

We collect personal data exclusively where you voluntarily provide it, in particular through the contact form on our website. The categories of personal data we may process include:

• Identification data: first name and last name.
• Contact data: email address; telephone number (if provided).
• Professional data: company name, job title (if provided).
• Communication data: the content of your message, attachment, or any other information you choose to include.

4.2 Data collected automatically

When you visit our website, certain data may be collected automatically by our web server or analytics tools, including:

• IP address (which may constitute personal data under the GDPR).
• Browser type and version; operating system.
• Date and time of access; pages visited; referral URL.
• Cookie identifiers, where applicable (see Section 12).

4.3 Special categories of personal data

We do not intentionally collect or process special categories of personal data as referred to in Article 9 GDPR (e.g., health data, racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning sex life or sexual orientation) or personal data relating to criminal convictions and offences (Article 10 GDPR). Should you voluntarily include such data in a message, we will treat it with the highest level of confidentiality and process it only to the extent strictly necessary to respond to your communication.

5. Legal Bases for Processing

Each processing activity carried out by Perovion is grounded in one or more of the following legal bases pursuant to Article 6(1) GDPR:

5.1 Performance of a contract – Art. 6(1)(b) GDPR

Where your enquiry or request relates to entering into, or the performance of, a contract with Perovion (e.g., a request for a quotation or service engagement), we process your personal data to the extent necessary to take pre-contractual steps at your request or to fulfil our contractual obligations.

5.2 Compliance with a legal obligation – Art. 6(1)(c) GDPR

We process personal data to the extent required to comply with applicable legal or regulatory obligations, including but not limited to: fiscal record-keeping requirements under Article 52 of the Dutch General Tax Act (AWR); obligations under anti-money laundering legislation (Wwft); and compliance with orders or requests from competent public authorities.

5.3 Legitimate interests – Art. 6(1)(f) GDPR

We process personal data where necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:

• Responding to, and following up on, enquiries submitted via the contact form.
• Maintaining and developing business relationships.
• Improving the security and performance of our website.
• Defending or bringing legal claims.

Where we rely on legitimate interests, we have conducted a balancing test (Legitimate Interests Assessment – LIA) to ensure that our interests do not override your rights. You have the right to object to such processing at any time (see Section 10).

5.4 Consent – Art. 6(1)(a) GDPR

Where we rely on consent as the legal basis for processing (e.g., for the sending of commercial electronic communications, or the placement of non-essential cookies), we will request your prior, freely given, specific, informed and unambiguous consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent can be effected by contacting us at privacy@perovion.nl.

6. Purposes of Processing

Personal data is processed by Perovion for the following specific, explicit and legitimate purposes, in accordance with the principle of purpose limitation (Art. 5(1)(b) GDPR):

• Handling and responding to enquiries: processing contact form submissions to provide you with a timely and accurate response.
• Pre-contractual and contractual communication: managing ongoing communication concerning a potential or existing business relationship.
• Service delivery: processing data to the extent necessary to deliver the services requested.
• Legal compliance: fulfilling obligations under applicable law, including fiscal, corporate, and regulatory requirements.
• Security and fraud prevention: detecting, preventing and responding to actual or potential fraud, unauthorised access and other security threats to our systems and data.
• Website analytics: analysing website usage in aggregate or anonymised form to improve functionality and user experience.
• Legal claims: establishing, exercising or defending legal claims before courts or regulatory authorities.

We do not process personal data for purposes incompatible with those listed above without first obtaining your consent or having another legitimate ground under the GDPR. We do not use your personal data for automated individual decision-making or profiling as referred to in Article 22 GDPR.

7. Retention Periods

In accordance with the principle of storage limitation (Art. 5(1)(e) GDPR), we do not retain personal data for longer than is necessary for the purposes for which it was collected. The following retention schedules apply:

• Contact form data (no business relationship established): retained for a maximum of 12 months from the date of the last communication, after which it is securely deleted or anonymised.
• Data arising from a business relationship or agreement: retained for 7 years from the end of the financial year in which the relationship or transaction occurred, in compliance with the fiscal retention obligation under Article 52 AWR.
• Data retained for legal defence: where personal data may be relevant to actual or anticipated litigation, regulatory investigation or legal claims, the data may be retained for the applicable limitation period under Dutch law (generally 5 years under Article 3:310 Dutch Civil Code, or up to 20 years in specific circumstances).
• Automatically collected technical data (server logs, IP addresses): retained for a maximum of 30 days unless required for security investigation purposes.
• Data processed on the basis of consent: retained until consent is withdrawn, subject to any overriding legal retention obligation.

Upon expiry of the applicable retention period, personal data is securely and irreversibly deleted or, where deletion is not technically feasible, anonymised such that re-identification is no longer possible.

8. Recipients and Processors

8.1 Internal access

Access to personal data within Perovion is restricted on a need-to-know basis. Personnel who have access to personal data are bound by confidentiality obligations.

8.2 Data processors

We may engage third-party service providers (“processors”) who process personal data on our behalf and under our documented instructions. Such processors may include:

• Web hosting and infrastructure providers.
• Email delivery service providers.
• IT support and maintenance providers.
• Analytics service providers.

In accordance with Article 28 GDPR, we enter into a written Data Processing Agreement (DPA) with each processor, which stipulates, inter alia, the subject matter, duration, nature and purpose of the processing, the type of personal data involved, and the obligations and rights of the controller.

8.3 Independent third-party controllers

In certain circumstances, personal data may be disclosed to parties acting as independent data controllers, including:

• Competent public authorities (e.g., tax authorities, law enforcement agencies), where disclosure is required by applicable law or by a binding order of such authority.
• Legal advisors, auditors or accountants, subject to professional confidentiality obligations.
• Courts or other adjudicatory bodies, for the purpose of establishing, exercising or defending legal claims.

We do not sell, rent or otherwise make available your personal data to third parties for their own commercial or marketing purposes.

8.4 International transfers

Where personal data is transferred to a country outside the European Economic Area (EEA) that does not benefit from an adequacy decision issued by the European Commission pursuant to Article 45 GDPR, Perovion will ensure that appropriate safeguards are in place, in accordance with Chapter V GDPR. Such safeguards may include:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission (currently: Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
• Binding Corporate Rules (BCRs), where applicable.
• An approved code of conduct or certification mechanism in combination with binding and enforceable commitments.

You may request a copy of the relevant safeguards by contacting us at privacy@perovion.nl.

9. Technical and Organisational Security Measures

Perovion implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account:

• the state of the art and costs of implementation;
• the nature, scope, context and purposes of the processing; and
• the likelihood and severity of risks to the rights and freedoms of natural persons.

Current measures include, without limitation:

• Encryption of data in transit using TLS/SSL protocols.
• Access controls and role-based permissions for systems containing personal data.
• Regular security assessments and reviews of our information security policies.
• Physical access controls to premises where personal data is processed.
• Staff awareness and confidentiality obligations.

We periodically review and update our security measures to reflect technological developments and emerging threats.

9.1 Personal data breaches

In the event of a personal data breach, Perovion will comply with its notification obligations under Articles 33 and 34 GDPR:

• Notification to the supervisory authority: we will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR).
• Notification to data subjects: where the breach is likely to result in a high risk to your rights and freedoms, we will communicate this to you without undue delay, providing the information required by Article 34(2) GDPR.

10. Rights of Data Subjects

As a data subject under the GDPR, you are entitled to exercise the following rights. All requests should be submitted in writing to privacy@perovion.nl. We will respond within one calendar month of receipt of a valid request (Art. 12(3) GDPR). In cases of complexity or high volume, this period may be extended by a further two months, of which you will be informed.

We reserve the right to verify your identity by reasonable means before processing a request, in order to prevent unauthorised disclosure (Art. 12(6) GDPR). The exercise of these rights is free of charge, unless requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

10.1 Right of access – Art. 15 GDPR

You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, to receive a copy of the personal data together with information on: the purposes of processing; categories of data; recipients or categories of recipients; envisaged retention periods; your rights; the right to lodge a complaint; the source of the data (if not collected from you directly); and the existence of automated decision-making.

10.2 Right to rectification – Art. 16 GDPR

You have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you, and to have incomplete personal data completed, including by means of providing a supplementary statement.

10.3 Right to erasure (‘right to be forgotten’) – Art. 17 GDPR

You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:

• the personal data is no longer necessary in relation to the purposes for which it was collected or processed;
• you withdraw consent on which the processing is based and there is no other legal ground for the processing;
• you object to the processing and there are no overriding legitimate grounds;
• the personal data has been unlawfully processed;
• the personal data must be erased to comply with a legal obligation.

This right is subject to limitations where the processing is necessary for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims (Art. 17(3) GDPR).

10.4 Right to restriction of processing – Art. 18 GDPR

You have the right to obtain restriction of processing where:

• you contest the accuracy of the personal data (for the period necessary for verification);
• processing is unlawful and you request restriction rather than erasure;
• we no longer need the data but you require it for legal claims; or
• you have objected to processing pending verification of overriding grounds.

10.5 Right to data portability – Art. 20 GDPR

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from us.

10.6 Right to object – Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on our legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have an absolute right to object at any time, without giving reasons (Art. 21(2) GDPR).

10.7 Rights related to automated decision-making – Art. 22 GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Perovion does not currently carry out such automated decision-making.

10.8 Right to withdraw consent – Art. 7(3) GDPR

Where processing is based on your consent, you have the right to withdraw that consent at any time by contacting privacy@perovion.nl. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR). In the Netherlands, the competent supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)

Postal address: Postbus 93374, 2509 AJ Den Haag, the Netherlands

Website: www.autoriteitpersoonsgegevens.nl

Telephone: +31 88 180 5250

If you are located in another EU/EEA Member State, you may also contact the supervisory authority in your country of habitual residence or place of work, or the place of the alleged infringement.

We would, however, appreciate the opportunity to address your concern directly before a formal complaint is lodged. Please contact us at privacy@perovion.nl so that we may seek to resolve the matter together.

12. Cookies and Similar Technologies

Our website may use cookies and similar tracking technologies. Cookies are small text files placed on your device that enable certain website functionality and provide information about how the site is used.

12.1 Strictly necessary cookies

These cookies are essential for the operation of the website and cannot be disabled. They do not require consent under the Dutch Telecommunications Act (Telecommunicatiewet) or the GDPR.

12.2 Analytical cookies

Where we use analytical cookies to understand how visitors use our website (e.g., via Google Analytics or a privacy-friendly alternative), we will either: (a) obtain your prior consent, or (b) configure the tool to anonymise IP addresses and use data solely in aggregate form, in which case consent may not be required under applicable guidelines.

12.3 Marketing and tracking cookies

We do not place marketing or third-party tracking cookies without your prior, explicit consent, obtainable via our cookie consent banner. You may withdraw or amend your cookie preferences at any time through the cookie settings on our website.

For full details of the cookies used, their purpose, duration and the third parties involved, please refer to our Cookie Policy (where applicable), available on our website.

13. Processing of Personal Data of Minors

Our website and services are not directed at persons under the age of 16 years. We do not knowingly collect personal data from minors. In the Netherlands, where processing is based on consent, the consent of the holder of parental responsibility is required for children under 16 (Art. 8 GDPR and Art. 5 UAVG). If we become aware that personal data of a minor has been collected without appropriate consent, we will take immediate steps to delete such data. If you believe we may have inadvertently collected data relating to a minor, please contact privacy@perovion.nl.

14. Data Accuracy and Integrity

In accordance with the principle of accuracy (Art. 5(1)(d) GDPR), Perovion takes reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We encourage you to notify us of any changes to your personal data so that our records remain current. Requests for rectification may be submitted at any time to privacy@perovion.nl.

15. Amendments to This Privacy Policy

Perovion reserves the right to amend or update this Privacy Policy at any time in response to changes in applicable law, regulatory guidance, our processing activities, or best practices. The date of the most recent revision is indicated at the top of this document. Where amendments are material, we will take reasonable steps to bring them to your attention, such as by posting a prominent notice on our website.

We recommend that you review this Policy periodically. Continued use of our website or services following notification of material changes constitutes your acknowledgement of the amended Policy.

The most current version of this Policy is always available at www.perovion.nl/privacy.

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Netherlands and applicable European Union data protection law. Any disputes arising in connection with this Policy that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the competent courts of the Netherlands, without prejudice to your right to lodge a complaint with a supervisory authority.

17. Contact Details

For any questions, comments, requests or concerns relating to this Privacy Policy or to the processing of your personal data by Perovion, please contact us at:

Perovion B.V.

Chamber of Commerce (KvK): 98697188

Address: Anna van Buerenplein 1

2595 DA ’s-Gravenhage

Email: privacy@perovion.nl

Website: www.perovion.nl

We will endeavour to respond to all privacy-related correspondence within 5 business days of receipt.