Privacy Policy

Privacy Statement Van Lead Naar Klant (VLNK)

Last updated: October 7, 2025

1. Who We Are

Van Lead Naar Klant ("VLNK", "we", "us") helps B2B organizations with LinkedIn and email outreach, content, and online lead generation.

Data Controller: We are responsible for personal data that we process for our own purposes (website, newsletter, own prospecting, customer service, contract execution).

Processor for Clients: When we execute campaigns on behalf of a client via their channels/domains, we act as a processor. We then process exclusively according to the client's instructions and enter into a data processing agreement (Art. 28 GDPR).

Contact

Van Lead Naar Klant – Richard Holstraat 73, 3131 EN Vlaardingen, Netherlands
Email for privacy questions: boy@vanleadnaarklant.com
Phone: +31 (0)6 14326168 (weekdays 09:00–16:00)
Current version: vanleadnaarklant.com/privacy

2. What Personal Data We Process

Depending on your relationship with us (website visitor, prospect, customer, supplier, community member), we process, among other things:

• Identity & Contact: name, business email, phone, job title, organization

• Online Profiles: publicly available LinkedIn data (profile URL, job title, sector)

• Campaign & Interaction Data: connection requests, DM responses, email opens/clicks/replies, appointment bookings

• Community (Skool): profile name, email, activity (posts/comments)

• Account Data (if applicable): username, hashed passwords

• Transaction/Contract: quotes, assignments, invoice and payment data

• Support & Correspondence: (action) notes, tickets

• Technical/Analytics: IP address, user agent, timestamps, visited pages, events, error logs (anonymized or aggregated where possible)

Sources: provided by you; public (including LinkedIn/company websites); interactions with our communications; tooling/analytics; provided by clients when we are processor.

3. Purposes and Legal Grounds

We process personal data for the following purposes. For each purpose, we state our legal basis under GDPR.

B2B Prospecting (LinkedIn & Email): building new business relationships.
Legal basis: legitimate interest (business acquisition). You always have opt-out/objection rights.

Newsletter and Marketing Communications: updates and own/similar services.
Legal basis: consent OR "soft opt-in" for existing customers (own/similar services). Every email contains an unsubscribe link.

Profiling/Segmentation: making communication more relevant and limiting over-contact (e.g., based on response status, click behavior, bookings).
Legal basis: legitimate interest; right to object always remains possible. There are no legal consequences or similar significant impact.

Website, Hosting and Security: making site work, troubleshooting/logs.
Legal basis: legitimate interest (security, continuity).

Analytics (GA4): insight into site usage.
Legal basis: consent for non-essential cookies, or privacy-friendly configuration. See §10.

Community (Skool): access and management of the VLNK environment.
Legal basis: performance of contract and/or legitimate interest (community management).

Quote/Contract and Execution: delivering agreed services, communication, file formation.
Legal basis: performance of contract.

Invoicing and Tax Obligations: complying with legal administrative requirements.
Legal basis: legal obligation.

Support and Disputes: handling questions, tickets, and (potential) claims.
Legal basis: legitimate interest.

AI Support (Pseudonymized): more efficient writing/analysis with pseudonymized input; no direct identification.
Legal basis: legitimate interest + data minimization. Model training on our data is disabled where possible.

When we act as processor for a client, we follow their written instructions and the data processing agreement applies.

4. Retention Periods

We retain data no longer than necessary:

• Prospect & Campaign Data: 24 months after last interaction

• Client Files/Communication: contract duration + 24 months

• Invoices/Accounting: 7 years (statutory)

• Server Logs (Hosting): 90 days

• Analytics Events (GA4): standard 14 months (or shorter if configured)

• Support Tickets: 24 months

When we are processor: periods according to client instructions; after end of assignment, we delete/return data (deletion confirmation upon request).

5. Your Rights

You have the right to access, rectification, deletion, restriction, data portability, objection (especially against direct marketing/profiling), and withdrawal of consent.

Submit your request via boy@vanleadnaarklant.com. We respond within one month (extendable by two months if complex). For verification, we may request additional information.

You can also file a complaint with the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl

6. Communication Rules (B2B Email & Opt-Out)

Existing Customers: we may send emails about our own, similar services (soft opt-in).

Non-Customers: marketing email only with consent or in the context of B2B prospecting with clear opt-out.

Every marketing email contains a direct unsubscribe link or one-click stop. You can also email boy@vanleadnaarklant.com.

7. Recipients (Processors) and Sharing with Third Parties

We do not sell your data and do not share it for others' marketing. We engage processors with appropriate safeguards (Art. 28 GDPR) and minimal data access (least privilege).

Core Processors/Subprocessors:

• Framer – website/hosting

• Google Analytics 4 (GA4) – website analytics

• Skool – community platform

• Microsoft 365 / Outlook – email/communication

• HubSpot – CRM and (optional) marketing automation

• Smartlead – email outreach and tracking

• Notion – internal collaboration/project file formation

• Accounting/Bank – legal obligations

• OpenAI/ChatGPT – AI support with pseudonymized input; model training opt-out where possible

A current and complete list of subprocessors is available upon request via boy@vanleadnaarklant.com.

We provide data to third parties only when legally required (e.g., Tax Authority) or strictly necessary for the performance of our agreement.

8. Transfers Outside the EEA

Some processors (or their subprocessors) are located outside the European Economic Area (EEA), including in the United States. In those cases, we ensure appropriate safeguards, including:

• EU Standard Contractual Clauses (SCCs)

• Transfer Impact Assessment (TIA)

• Additional measures such as pseudonymization/minimization, encryption, and access restriction

• Model training opt-out for AI services where available

Copies of relevant safeguards are available upon request.

9. Security

We apply appropriate technical and organizational measures, including:

• Encryption (in-transit/at-rest where possible)

• 2FA and role-based access control

• Logging, backups, least privilege

• Periodic reviews and vendor due diligence

• Separate environments for production/testing

• Pseudonymization/minimization toward AI and non-EEA services

Data Breaches & Incidents

In case of an incident with probable risk to data subjects, we report this without undue delay to the Dutch Data Protection Authority and – if required – to the data subjects. Report incidents via boy@vanleadnaarklant.com (subject: Security Incident).

10. Cookies and Similar Technologies

Our website uses cookies and similar technologies.

Essential Cookies: required for the operation/security of the site (no consent needed).

Analytics (GA4): placed with consent, unless configured so privacy-friendly that consent is not required. You can manage your choice via the cookie settings on the site.

In the cookie statement at vanleadnaarklant.com/privacy (section "Cookies"), we explain per category which cookies we use, for what purpose, and for how long.

11. Your Rights

You have rights including access, rectification, deletion, restriction, data portability, objection (especially against direct marketing/profiling), and withdrawal of consent.

Submit your request via boy@vanleadnaarklant.com. We respond within one month (extendable by two months if complex). For verification, we may request additional information.

You can file a complaint with the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl

12. Minors

Our services are aimed at the business market and not at persons under 16 years of age. We do not knowingly process data of minors.

13. Changes

We may update this statement. The most recent version is available at vanleadnaarklant.com/privacy. In case of material changes, we inform you actively (e.g., by email or a banner on the website).

14. Specific for Clients: VLNK as Processor

When we execute campaigns on behalf of a client:

• We process exclusively according to written instructions

• We use only subprocessors with prior general consent and notification of changes

• We support the client with data subject rights to the extent reasonable

• We assist with data breach notifications and DPIAs where necessary

• We delete or return personal data after completion of the assignment and delete copies, subject to legal retention obligations

These safeguards are detailed in our Data Processing Agreement (DPA). A copy is available upon request via boy@vanleadnaarklant.com.

Appendix A – Overview of Core Processors (Summary)

(Subject to change; complete list available upon request.)

• Framer – website/hosting (processor; possible transfer outside EEA via subprocessors)

• Google Analytics 4 (GA4) – analytics (processor; IP anonymization/retention 14 months; transfer outside EEA)

• Skool – community platform (processor; possible transfer outside EEA)

• Microsoft 365/Outlook – email/communication (processor/controller for own services; possible transfer outside EEA)

• HubSpot – CRM/automation (processor; transfer outside EEA with SCCs)

• Smartlead – email outreach & tracking (processor; possible transfer outside EEA with SCCs)

• Notion – internal collaboration/project file formation (processor; possible transfer outside EEA with SCCs)

• Accounting/Bank – legal obligations (processor/controller)