Data Policy

How we handle your data.

The technical specifics of data collection, processing, storage, and deletion at Process Notes — written for GDPR compliance and for anyone who wants to understand exactly what happens to their information.

Effective: 1 June 2026 · Jurisdiction: Netherlands / EU (GDPR) · Also see: Privacy Policy & Terms

Section 1

Data Categories

We collect the following categories of personal data. We do not collect special-category data (health, political, religious, biometric, or genetic data) and we have no reason to do so.

Category | Examples | Source | Purpose
Identity data | First name, last name, job title | Provided directly by you | Personalisation, addressing correspondence
Contact data | Email address | Provided directly by you | Newsletter delivery, form responses, notifications
Business data | Company name, project type, budget range | Provided directly via contact form | Assessing consulting enquiries
Engagement data | Email opens, link clicks, unsubscribes | Generated by Beehiiv tracking pixel | Newsletter performance analytics
Technical data | IP address, browser type, device, page URL, timestamps | Automatically collected by server (Vercel) | Security, error monitoring, aggregate analytics

Section 2

Lawful Basis for Processing

Under GDPR Article 6, every instance of personal data processing must have a lawful basis. We use the following bases, applied per data category:

Consent (Art. 6(1)(a))

Applies to: Newsletter subscription, masterclass/tool waitlist sign-up.

You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the date of withdrawal.

Contract performance (Art. 6(1)(b))

Applies to: Transactional emails confirming form submission; consulting engagement delivery.

Processing is necessary to fulfil the service you requested.

Legitimate interest (Art. 6(1)(f))

Applies to: Contact/consulting lead records, resource download logs, server access logs, security monitoring.

Our legitimate interest is in responding to enquiries you initiated and operating a secure service. We have assessed that this interest is not overridden by your rights, given the limited sensitivity of the data, the reasonable expectations of someone who contacts a business, and the opt-out rights available to you.

Legal obligation (Art. 6(1)(c))

Applies to: Record retention required by Dutch tax law (KVK, Belastingdienst) for commercial correspondence.

Applies only to the minimum records required by law; we do not extend retention on this basis beyond what is required.

Section 3

Data Processors

We engage the following third-party processors under written Data Processing Agreements. They act only on our instructions and are not permitted to use your data for their own purposes. All are GDPR-compliant and subject to regular review.

Role: Newsletter delivery, subscriber management
Location: USA
Transfer mechanism: Standard Contractual Clauses (SCCs)
Data held: Subscriber email, name, engagement data (opens, clicks)
Retention: Until you unsubscribe or request deletion

Role: Database (leads, waitlist, download logs, newsletter archive)
Location: EU (Frankfurt region)
Transfer mechanism: Intra-EU, no transfer mechanism required
Data held: Contact form submissions, waitlist entries, resource download emails
Retention: Per category, see retention schedule below

Role: Website hosting and edge functions
Location: USA (global CDN)
Transfer mechanism: Standard Contractual Clauses (SCCs)
Data held: Server request logs (IP, user agent, URL, timestamp)
Retention: 90 days

Role: Transactional email (form confirmations, notifications)
Location: USA
Transfer mechanism: Standard Contractual Clauses (SCCs)
Data held: Email address and message content for transactional sends
Retention: 90 days in sending logs

Section 4

International Transfers

Three of our four processors (Beehiiv, Vercel, Resend) are based in the USA. Transfers to these processors are covered by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). SCCs are contractual obligations binding the processor to process data to EU standards regardless of location.

Supabase database storage uses the Frankfurt (EU) region. No data stored in Supabase crosses outside the EU.

We do not transfer personal data to any country without an adequacy decision or appropriate safeguards in place. If our processor arrangements change, we will update this policy and notify newsletter subscribers.

Section 5

Retention Schedule

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law. The schedule below sets out our standard retention periods.

Data Category | Retention Period | Lawful Basis
Newsletter subscribers | Until unsubscribe or deletion request | Consent
Contact / consulting leads | 3 years from date of enquiry | Legitimate interest
Masterclass / tool waitlist | Until product launches and enrolment closes | Consent
Resource download emails | 2 years from download date | Legitimate interest
Server / access logs | 90 days, then purged automatically | Legitimate interest
Transactional email logs | 90 days (held by Resend) | Contract performance

Section 6

Your Rights

As a data subject under GDPR, you have the following rights. These apply regardless of where you are based, provided we are processing your data under EU/EEA rules.

Right of Access (Art. 15)

You can request a copy of all personal data we hold about you. We will provide this within 30 days, in a commonly used electronic format.

Right to Rectification (Art. 16)

If any data we hold is inaccurate or incomplete, you can ask us to correct or complete it.

Right to Erasure (Art. 17)

You can ask us to delete your personal data — the "right to be forgotten". We will action this unless we have a legal obligation to retain records, which we will explain.

Right to Restriction (Art. 18)

You can ask us to pause processing of your data while a dispute about accuracy or lawfulness is resolved.

Right to Portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you can receive your data in a structured, machine-readable format (JSON or CSV).

Right to Object (Art. 21)

You can object to processing based on our legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your rights.

Withdrawal of Consent

Where processing is based on consent (e.g. newsletter subscription), you can withdraw consent at any time using the unsubscribe link in any email. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Complain (Art. 77)

You have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch supervisory authority) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in your country of residence.

Section 7

How to Make a Data Request

To exercise any of the rights listed above, or to ask a question about how we process your data, contact us by email at:

In your request, please include: (a) the type of request (access, erasure, objection, etc.), (b) the email address or name you used when submitting data to us, and (c) any relevant context to help us locate your records. We will acknowledge receipt within 5 working days and respond substantively within 30 days.

If you are not satisfied with our response, you have the right to escalate your complaint to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl, or to the supervisory authority in your country of residence within the EU/EEA.

Policy updates

This Data Policy is reviewed annually and updated when our practices change. Material changes will be notified to active newsletter subscribers at least 14 days before they take effect. The effective date at the top of this page records the date of the current version.
