Privacy Policy

Version: October 2025

Controller:
Building HVAC Engineering – sole proprietorship of Ilias Achkaoukaou
Chamber of Commerce (KvK): 98376136
VAT: NL005329385B71
Email: info@buildinghvac.eu
Service area: The Netherlands

1. Scope

This Privacy Policy explains how we process personal data when you visit this website, send us an enquiry, receive a quotation, or when we perform engineering services. We follow the EU GDPR and Dutch law.

2. Categories of data

• Contact and enquiry data: name, email, phone, ZIP/city, category of request, message, attachments (optional).
• Project/contract data: project details, planning, deliverables, correspondence, invoices, payment status.
• Technical logs: IP address, user-agent, timestamps (minimised; for security and spam prevention).

3. Purposes and legal bases (GDPR art. 6)

• Handling enquiries and quotations – pre-contractual steps (art. 6(1)(b)) and legitimate interest in effective communication (art. 6(1)(f)).
• Executing the agreement and delivering work – performance of a contract (art. 6(1)(b)).
• Invoicing and accounting – legal obligation (art. 6(1)(c)).
• Security, spam and abuse prevention – legitimate interests (art. 6(1)(f)).

4. Retention

• Enquiries/leads: up to 3 months after last contact or quotation expiry unless a project follows.
• Project/contract files: for the project duration and then as reasonably needed for aftercare/warranty (max. 2 years unless legal claims require longer).
• Invoices and fiscal records: 7 years (Dutch tax law).
• Security/logs: up to 90 days unless required for incident investigation.

5. Recipients and processors

We share data only where necessary:

• Hosting & email: Mijndomein B.V. (NL) – website hosting and email delivery/logging.
• Temporary file storage: Apple iCloud – secure syncing of working files/attachments.
• Accounting/tax authorities: data required by law may be provided to our accountant and the Dutch Tax Administration.
• (Optional) Other processors strictly for executing the assignment (e.g., specialist subcontractors) – only with confidentiality terms.

With each processor we conclude a data processing agreement (art. 28 GDPR). A current list is available on request.

6. International transfers

Hosting is located in the EEA where possible. If providers such as Apple iCloud process data outside the EEA, we rely on safeguards such as the EU Standard Contractual Clauses and supplementary measures. We minimise such transfers and the data involved.

7. Security

• HTTPS/TLS on the website; HSTS enforced.
• Access to leads and project data restricted to the controller.
• Up-to-date systems, strong authentication, least-privilege principle.
• Backups with secure storage and controlled access.
• Log minimisation and regular deletion schedules.

8. Analytics and cookies

We use privacy-friendly, cookieless analytics limited to aggregated visit metrics. No cross-site tracking, advertising cookies, or profiling. If we ever deploy non-essential cookies, we will first request your consent via a clear banner with choices.

9. Your rights

You have the right to access, rectify, erase, restrict or object to processing, and to data portability (subject to legal limits). Where processing is based on consent, you may withdraw it at any time. Contact info@buildinghvac.eu.

10. Data breaches

We assess all security incidents. If a breach creates a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, where required, inform affected individuals.

11. Minors

Our services are intended for business customers and adults.

12. Complaints

You can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority in the EEA.

13. Changes

We may update this policy to reflect operational or legal changes. The latest version is published on this page.

Contact

Privacy questions? Email info@buildinghvac.eu