Privacy Policy

This Agreement is made between

Sourcent Property Group

And:

Website User/Data Subject

Parties

(1) Sourcent Property Group VOF, a Dutch partnership (VOF) registered in the Netherlands with KVK number 98537547, operating the website www.sourcent.co, with registered address at Herengracht 320, 1016 CE Amsterdam and email contact info@sourcent.co (referred to as "we," "us," "our," or "the Company").

(2) Website User/Data Subject, being all individuals who visit, access, or use the website www.sourcent.co, including but not limited to real estate investors, property sellers, property owners, partner agencies, and other visitors who provide personal data through website forms, email communications, or whose data is collected automatically through cookies, IP addresses, and other tracking technologies (referred to as "you," "your," or "data subjects").

Background

Sourcent Property Group VOF operates the website www.sourcent.co as an intermediary platform connecting real estate investors with sellers, owners, and partner agencies across Southern Europe, including France, Spain, Italy, and other regions.
The Company does not act as a real estate agency but serves purely as an intermediary (bemiddelaar) that shares off-market or below-market investment opportunities and facilitates introductions between parties.
In the course of providing these services, the Company collects, processes, and stores personal data from website visitors, investors, sellers, and other users who interact with the platform.
This Privacy Policy is established to inform data subjects about the Company's data processing practices and to ensure full compliance with the European Union General Data Protection Regulation (GDPR) and Dutch data protection laws.
The Company is committed to protecting the privacy and personal data of all users and operates as the data controller for all personal data collected through the website and related business activities.
This Privacy Policy applies to all personal data processing activities conducted by the Company, including data collected through website forms, email communications, cookies, analytics tools, and other tracking technologies.
The Company processes personal data for legitimate business purposes including lead management, investor-seller matching, marketing communications, website functionality, and service improvement, always in accordance with applicable data protection laws.
Users have specific rights under GDPR regarding their personal data, and the Company is committed to facilitating the exercise of these rights in a transparent and accessible manner.

Definitions
1. Company means Sourcent Property Group VOF, a Dutch partnership (VOF) registered in the Netherlands with KVK number 98537547, operating the website www.sourcent.co.
2. Data Controller means the Company as the entity that determines the purposes and means of processing personal data.
3. Data Subject means any identified or identifiable natural person whose personal data is processed by the Company, including website visitors, investors, sellers, property owners, and partner agencies.
4. Personal Data means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, IP addresses, device information, and investment preferences.
5. Processing means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
6. Data Processor means any natural or legal person who processes personal data on behalf of the Company, including CRM providers, email marketing platforms, cloud hosting services, and analytics providers.
7. Consent means any freely given, specific, informed, and unambiguous indication of a data subject's wishes by which they signify agreement to the processing of their personal data.
8. Legitimate Interest means the lawful basis for processing where the Company has a genuine and legitimate reason for processing personal data that is balanced against the data subject's rights and freedoms.
9. Cookies means small text files placed on a user's device to store information about website usage, preferences, and browsing behavior, including functional, analytical, and marketing cookies.
10. Third Country means any country outside the European Union and European Economic Area where personal data may be transferred or processed.
11. GDPR means the General Data Protection Regulation (EU) 2016/679 and any implementing or supplementary legislation in the Netherlands.
12. Dutch DPA means the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority responsible for supervising compliance with data protection laws in the Netherlands.
13. Retention Period means the length of time personal data is stored by the Company before deletion or anonymization, based on specific legal requirements, statutory limitation periods, and documented business purposes as detailed in Section 9.
14. Data Subject Rights means the rights granted to data subjects under GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
15. Website means the website operated by the Company at www.sourcent.co and any associated subdomains, mobile applications, or digital platforms.
Data Controller Information
1. Data Controller Identity: Sourcent Property Group VOF, a partnership (vennootschap onder firma) established and registered under Dutch law, acts as the data controller for all personal data collected and processed through the website www.sourcent.co and related business activities.
2. Registration Details: The Company is registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under registration number 98537547.
3. Business Address: The Company's registered business address is Herengracht 320, 1016 CE Amsterdam, Netherlands.
4. Contact Information: For all data protection and privacy-related inquiries, users may contact the Company through the following channels:
  1. Email: info@sourcent.co
  2. Website contact form: Available at www.sourcent.co
  3. Postal address: Herengracht 320, 1016 CE Amsterdam, Netherlands
5. Business Purpose: The Company operates as an intermediary platform connecting real estate investors with sellers, owners, and partner agencies across Southern Europe, facilitating introductions and sharing investment opportunities without acting as a licensed real estate agency.
6. Data Protection Officer: Sourcent does not require a Data Protection Officer under Article 37 GDPR. However, we have appointed an internal contact person for privacy-related matters, reachable at info@sourcent.co
Types of Personal Data Collected
1. Voluntarily Provided Personal Data
  1. The Company collects personal data that users voluntarily provide through website forms, email communications, or direct contact, including:
  2. Full name and contact information (email address, phone number, postal address);
  3. Investment preferences, budget ranges, and property interests;
  4. Geographic preferences for property investments;
  5. Professional background and investment experience details;
  6. Any additional information voluntarily shared in forms, surveys, or communications with the Company.
2. Automatically Collected Data
  1. The Company automatically collects technical and usage data when users visit the website, including:
  2. IP address, browser type and version, operating system, and device information;
  3. Website navigation patterns, pages visited, time spent on pages, and referral sources;
  4. Date and time of website visits and user interactions;
  5. Geographic location data derived from IP addresses.
3. Cookie and Tracking Data
  1. The Company collects data through cookies and similar tracking technologies, including:
  2. Session identifiers and user preferences for website functionality;
  3. Analytics data for website performance measurement and improvement;
  4. Marketing and advertising interaction data for targeted communications.
4. Third-Party Source Data
  1. The Company may receive personal data from third parties, including:
  2. Partner agencies and real estate professionals who refer investors or sellers;
  3. Public business directories and professional networking platforms;
  4. Data verification services used to validate contact information.
Purposes of Data Processing
1. The Company processes personal data exclusively for the following specific and limited purposes directly related to its intermediary services connecting real estate investors with off-market property opportunities in Southern Europe:
  1. Managing and responding to investor inquiries and registration requests submitted through the Website.
  2. Maintaining and updating investor profiles, including investment preferences, budget ranges, and geographic interests.
  3. Identifying and presenting suitable off-market or below-market property investment opportunities to registered investors.
  4. Facilitating introductions and connections between investors, sellers, property owners, and partner agencies.
  5. Coordinating communications and follow-up activities related to specific property opportunities and investment matches.
2. The Company processes personal data for the following specific marketing and communication purposes, limited to property investment-related communications:
  1. Sending newsletters containing property market updates, investment insights, and new opportunity alerts to subscribers who have provided consent.
  2. Distributing targeted marketing communications about specific properties or investment opportunities based on stated investor preferences.
  3. Providing customer support and responding to inquiries submitted through contact forms or email communications.
  4. Conducting customer satisfaction surveys and collecting feedback to improve service quality.
3. The Company processes personal data for website functionality and analytical purposes:
  1. Ensuring proper website operation, security, and technical performance through the collection of device and browser information.
  2. Analyzing website usage patterns, visitor behavior, and content engagement to improve user experience and website functionality.
  3. Implementing necessary cookies and tracking technologies for website performance, analytics, and marketing optimization.
  4. Preventing fraud, unauthorized access, and ensuring compliance with applicable laws and regulations.
4. The Company processes personal data for business administration and legal compliance:
  1. Maintaining accurate business records and documentation in accordance with Dutch commercial law requirements.
  2. Complying with legal obligations, regulatory requirements, and responding to lawful requests from authorities.
  3. Establishing, exercising, or defending legal claims and protecting the Company's legitimate business interests.
  4. Conducting internal business analysis, reporting, and performance evaluation to optimize service delivery.
Legal Basis for Processing
1. The Company processes personal data based on one or more of the following legal grounds under Article 6 of the GDPR:
  1. Consent - where you have given clear and specific consent for the processing of your personal data for one or more specific purposes.
  2. Legitimate interests - where processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
  3. Contract - where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
  4. Legal obligation - where processing is necessary for compliance with a legal obligation to which the Company is subject under Dutch or EU law.
2. Consent-based processing applies to:
  1. Newsletter subscriptions and marketing communications sent via email.
  2. Non-essential cookies including marketing and analytics cookies.
  3. Direct marketing activities where consent is required under applicable law.
3. Legitimate interest processing applies to:
  1. Lead management and investor-seller matching services based on documented Legitimate Interest Assessment (LIA) demonstrating: (i) Legitimate Interest: Facilitating property investment opportunities as the Company's core business purpose and users' reasonable expectations when providing contact details; (ii) Necessity: Processing contact details and preferences is essential to match suitable investors with relevant opportunities; (iii) Balancing Test: User interests do not override business necessity given voluntary data provision, clear service purpose, and ability to object at any time via info@sourcent.co.
  2. Website functionality improvements and user experience optimization.
  3. Security monitoring and fraud prevention to protect the Company and users.
  4. Business communications with existing contacts and prospects where there is an established business relationship.
4. Contractual necessity applies to:
  1. Processing of contact details and investment preferences when facilitating introductions between investors and sellers.
  2. Communication necessary to fulfill service requests or inquiries submitted through the website.
5. Where processing is based on legitimate interests, the Company has conducted formal Legitimate Interest Assessments (LIAs) documenting: (a) the specific legitimate interest pursued; (b) the necessity of processing for that purpose; and (c) a balancing test demonstrating that the legitimate interest is not overridden by the data subject's interests, rights, or freedoms. These assessments are reviewed annually and updated when processing purposes change.
6. You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.
7. Where processing is based on legitimate interests, you have the right to object to such processing at any time on grounds relating to your particular situation.
8. Opt-out from Legitimate Interest Processing: Where processing is based on legitimate interests, you may object by contacting info@sourcent.co. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing is necessary for legal claims.
Cookies and Tracking Technologies
1. The Website uses cookies and similar tracking technologies to enhance user experience, analyze website performance, and deliver relevant content and advertisements.
2. Cookies are small text files stored on your device when you visit the Website that allow us to recognize your browser and capture certain information about your preferences and activities.
3. The Company uses the following types of cookies:
  1. Strictly Necessary Cookies (Legal Basis: Article 6(1)(f) GDPR - Legitimate Interest): Essential for the Website's basic functionality, including security features, user authentication, session management, load balancing, and core navigation features. These cookies do not require consent under the ePrivacy Directive as they are strictly necessary for the provision of the information society service explicitly requested by you. These cookies cannot be disabled without affecting Website functionality.
  2. Functional Cookies (Legal Basis: Article 6(1)(a) GDPR - Consent): Remember your preferences and settings, such as language selection, region preferences, and user interface customizations to improve your browsing experience. These cookies require your explicit consent before placement and can be managed through our cookie preference center.
  3. Analytical Cookies (Legal Basis: Article 6(1)(a) GDPR - Consent): Collect information about how visitors use the Website, including page views, session duration, bounce rates, and traffic sources to help us improve Website performance and user experience. These cookies require your explicit consent before placement and data is processed in anonymized or pseudonymized form where technically feasible.
  4. Marketing Cookies (Legal Basis: Article 6(1)(a) GDPR - Consent): Track your browsing behavior across the Website to deliver personalized advertisements, measure the effectiveness of marketing campaigns, enable retargeting and conversion tracking. These cookies require your explicit consent before placement and involve profiling activities that require clear disclosure and consent under GDPR Article 22.
4. The Company uses cookies from the following third-party providers:
  1. Google Analytics: For website traffic analysis and user behavior insights, with data retention periods as configured in our Google Analytics settings.
  2. Meta Pixel (Facebook): For conversion tracking and targeted advertising on Facebook and Instagram platforms.
  3. CRM and Email Marketing Platforms: Including but not limited to HubSpot, Mailchimp, or Wix CRM for lead tracking and email campaign performance measurement.
5. Cookie retention periods and legal basis specifics:
  1. Strictly necessary session cookies are automatically deleted when you close your browser and do not require consent as they are essential for basic website functionality.
  2. Consent-based persistent cookies (functional, analytical, and marketing) remain on your device for predetermined periods ranging from 24 hours to 2 years, depending on their specific function and purpose. These cookies are only placed after obtaining your explicit consent and can be withdrawn at any time.
6. You can control and manage cookies through:
  1. Granular cookie consent management system displayed when you first visit the Website, providing separate opt-in choices for each category of non-essential cookies (functional, analytical, and marketing cookies). You can provide or withdraw consent for each category independently, with strictly necessary cookies automatically enabled as they do not require consent under the ePrivacy Directive. The consent banner includes: (i) clear information about each cookie category and its purpose; (ii) separate toggle switches for each non-essential cookie type; (iii) links to detailed cookie policy information; (iv) easy access to withdraw or modify consent at any time.
  2. Your browser settings to block, delete, or receive notifications about cookies, though this may affect Website functionality.
  3. Third-party opt-out tools provided by advertising networks and analytics providers.
  4. Contacting us directly at info@sourcent.co to request specific cookie management assistance.
7. Disabling cookies may result in reduced Website functionality, including inability to save preferences, limited access to personalized content, and impaired user experience features.
8. We may use additional tracking technologies such as web beacons, pixel tags, and local storage to supplement cookie functionality and improve service delivery, subject to the same consent and control mechanisms as cookies.
9. ePrivacy Directive Compliance: The Company's cookie implementation complies with the EU ePrivacy Directive (2002/58/EC) and its interpretation by European data protection authorities. Consent is obtained before placing non-essential cookies on your device, with consent being freely given, specific, informed, and unambiguous. Consent can be withdrawn as easily as it was given, and withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
10. Cookie Consent Withdrawal: You can withdraw your consent for specific cookie categories at any time by: (i) accessing the cookie preference center available in the website footer; (ii) adjusting your browser settings to block specific cookie types; (iii) using the consent withdrawal link in marketing communications; (iv) contacting us directly at info@sourcent.co with your specific withdrawal request. Withdrawal of consent will not affect cookies already placed with prior valid consent but will prevent future placement of those cookie categories.
Data Sharing and Third-Party Processors
1. The Company may share personal data with carefully selected third-party service providers and processors who assist in delivering our services and maintaining our website functionality.
2. Categories of Third-Party Recipients
  1. Customer Relationship Management (CRM) and email marketing platforms, including but not limited to HubSpot, Mailchimp, and Wix CRM systems.
  2. Cloud hosting and storage providers that maintain our website infrastructure and data storage systems.
  3. Analytics and tracking service providers, including Google Analytics and Meta Pixel, for website performance analysis and marketing optimization.
  4. Real estate partners, agencies, and property sellers when necessary to facilitate investor-seller introductions and complete property transactions.
  5. Professional service providers including legal advisors, accountants, and business consultants when required for legitimate business operations.
3. Data Processor Agreements
  1. All third-party processors are bound by written data processing agreements that require them to process personal data only on our instructions and in compliance with GDPR requirements.
  2. These agreements include appropriate technical and organizational security measures to protect personal data and restrict any unauthorized use or disclosure.
4. Sharing with Real Estate Partners
  1. When matching investors with sellers or property opportunities, we may share relevant contact information and investment preferences with partner agencies and property owners under the following specific criteria: (i) Consent-based sharing: Where investors have explicitly requested introduction to specific properties or sellers, requiring clear opt-in consent with detailed information about the recipient, data to be shared, and purpose; (ii) Legitimate interest-based sharing: Limited to basic contact details (name, email) and general investment criteria (property type, budget range, geographic preference) where investors have expressed interest in being contacted about suitable opportunities, provided recipients are bound by data sharing agreements with equivalent protection standards and specific use limitations.
  2. All partner sharing is governed by documented data sharing agreements containing: (i) specific data categories and retention limits; (ii) prohibited secondary uses and onward transfer restrictions; (iii) technical and organizational security requirements equivalent to this Privacy Policy; (iv) audit rights and compliance monitoring provisions; (v) breach notification obligations within 24 hours. Legitimate interest boundaries: sharing is limited to essential matching purposes only, excludes sensitive financial details, and requires prior balancing test documentation. Transparency measures: investors receive specific notification of planned sharing with partner details, data categories, and retention periods, with 72-hour objection period before data transfer. The Company conducts quarterly reviews of partner relationships and data sharing practices, maintaining a partner data sharing register documenting compliance status, audit results, and any corrective measures implemented.
5. Legal Disclosure Requirements
  1. We may disclose personal data to government authorities, law enforcement agencies, or courts when required by Dutch law, EU regulations, or valid legal process.
  2. In case of business restructuring, merger, or acquisition, personal data may be transferred to successor entities subject to the same privacy protections outlined in this Policy.
6. No Sale of Personal Data
  1. The Company does not sell, rent, or lease personal data to third parties for commercial purposes unrelated to our intermediary services.
International Data Transfers
1. The Company may transfer personal data to countries outside the European Union and European Economic Area (Third Countries) in connection with the provision of services through third-party processors and service providers. The Company conducts Transfer Impact Assessments (TIAs) for all international transfers to evaluate the data protection laws and practices in the destination country, assess potential risks to data subjects, and determine appropriate safeguards required under the Schrems II framework.
2. Such transfers may occur when using cloud hosting services, customer relationship management systems, email marketing platforms, analytics tools, or other technical service providers that store or process data outside the EU/EEA.
3. All international data transfers are conducted in accordance with GDPR requirements and only to Third Countries or organizations that provide adequate protection for personal data through one of the following safeguards, with processor-specific documentation maintained for each transfer relationship:
  1. European Commission adequacy decisions recognizing the Third Country as providing adequate protection;
  2. Standard Contractual Clauses (SCCs) approved by the European Commission;
  3. Binding Corporate Rules approved by competent supervisory authorities;
  4. Codes of conduct or certification mechanisms approved under GDPR; or
  5. Other appropriate safeguards as recognized under Article 46 of the GDPR.
4. The Company conducts regular assessments of Third Country data protection laws and practices to ensure continued adequacy of protection, particularly following guidance from the European Data Protection Board and Dutch Data Protection Authority.
5. Data subjects have the right to obtain information about the specific safeguards applied to their personal data transfers and may request copies of relevant documentation, except where this would compromise commercial confidentiality.
6. Where transfers are based on Standard Contractual Clauses, the Company implements supplementary measures as required under the Schrems II framework, including: (i) additional encryption requirements beyond standard protocols; (ii) data pseudonymization or anonymization where technically feasible; (iii) contractual restrictions on government access rights; (iv) regular audits of processor compliance with EU-equivalent protection standards; and (v) documented assessment of destination country surveillance laws and their impact on data subject rights. The Company maintains a Transfer Register documenting specific safeguards for each processor relationship and conducts annual reviews of transfer adequacy, with data localization strategies implemented where supplementary measures cannot provide equivalent protection to EU/EEA standards.
Data Retention Periods
1. The Company retains personal data only for as long as necessary to fulfill the documented purposes for which it was collected and processed, in accordance with specific statutory requirements, limitation periods under Dutch law, and legitimate business needs as justified below.
2. Contact and Lead Information including names, email addresses, phone numbers, and investment preferences shall be retained based on the following legal justifications: - Contractual claims limitation period: 5 years from last interaction (Article 3:307 Dutch Civil Code) - Marketing data based on consent: Until consent is withdrawn plus 30 days for processing cessation - Legitimate business relationship data: 3 years from last meaningful contact to maintain investor-seller matching services
3. Website Analytics Data including IP addresses, browser information, and device data shall be retained for a maximum period of twenty-six (26) months from the date of collection.
4. Cookie Data shall be retained according to the specific retention periods set forth in Section 6 of this Privacy Policy, with functional cookies retained for the duration of the browsing session and analytical cookies retained for up to twenty-six (26) months.
5. Marketing Communication Records including email campaign data, newsletter subscriptions, and communication preferences shall be retained until the data subject withdraws consent or for a maximum period of three (3) years from the last interaction, whichever occurs first.
6. Business Communication Records including inquiry responses, property introduction correspondence, and partner agency communications shall be retained for 3 years from the date of last communication, based on legitimate interest in maintaining business relationship history and potential future opportunities.
7. Data Processing Records including consent logs, data subject requests, and privacy compliance documentation shall be retained for 7 years to demonstrate GDPR compliance and respond to regulatory inquiries (Article 5(2) GDPR accountability principle).
8. Legal Compliance Data shall be retained for the minimum period required by specific Dutch statutory obligations: - Commercial records: 7 years (Article 2:10 Dutch Civil Code) - Tax-related documentation: 7 years (Article 52 Dutch Tax Collection Act) - Anti-money laundering records: 5 years (Article 33 Dutch Anti-Money Laundering Act - Wwft) - Consumer protection documentation: 2 years (Dutch Consumer Protection legislation)
9. The Company implements automated data deletion processes and conducts annual retention reviews to ensure personal data is deleted or anonymized promptly upon expiration of the applicable retention period, unless overriding legal obligations require longer retention with documented justification.
10. Data subjects may request earlier deletion of their personal data by exercising their right to erasure as set forth in Section 10 of this Privacy Policy. Such requests will be honored unless retention is required for: (a) compliance with specific legal obligations; (b) establishment, exercise, or defense of legal claims; or (c) overriding legitimate interests with documented balancing test results.
11. Where personal data serves multiple purposes with different retention periods, we apply purpose segregation principles: data is categorized by primary purpose and deleted according to the relevant timeframe, unless the data subject specifically requests retention for remaining valid purposes or legal obligations require longer retention.
Data Subject Rights
1. Right of Access
  1. You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and information about the processing activities.
  2. You may request a copy of your personal data that we process, which will be provided free of charge for the first copy, with additional copies subject to reasonable administrative fees.
2. Right to Rectification
  1. You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.
  2. You have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to Erasure ('Right to be Forgotten')
  1. You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies: the personal data is no longer necessary for the original purposes; you withdraw consent; you object to processing based on legitimate interests; the personal data has been unlawfully processed; or erasure is required for compliance with legal obligations.
  2. We may refuse erasure where processing is necessary for compliance with legal obligations, establishment of legal claims, or other legally recognized grounds.
4. Right to Restriction of Processing
  1. You have the right to obtain restriction of processing where you contest the accuracy of personal data, processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
5. Right to Data Portability
  1. You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format where processing is based on consent or contract and carried out by automated means.
  2. You have the right to transmit such data to another controller without hindrance, anRight to Object
  3. You have the right to object to processingd to have personal data transmitted directly between controllers where technically feasible.
6. of personal data based on legitimate interests, including profiling based on such processing.
  1. You have the absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.
7. Right to Withdraw Consent
  1. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
  2. Withdrawal of consent may be done by contacting us using the details provided in this Privacy Policy or through unsubscribe mechanisms in marketing communications.
8. Exercising Your Rights
  1. Rights Exercise Procedures and Identity Verification: All data subject rights requests must be submitted in writing to info@sourcent.co with the following mandatory information: (i) Identity Verification Requirements: Full name as recorded in our systems, email address or phone number used for previous communications with the Company, specific description of the personal data or processing activity in question, and government-issued photo identification (passport, driver's license, or national ID card) attachment or reference number for verification. (ii) Enhanced Verification for High-Risk Requests: For erasure, rectification, or portability requests involving sensitive data, additional verification may include: verification questions based on previous interactions with the Company, confirmation via phone call to registered contact number, or notarized identity confirmation for high-value property investment data. (iii) Request Specification Requirements: Clear indication of which specific right is being exercised (access, rectification, erasure, restriction, portability, or objection), detailed description of the requested action, preferred format for data provision (where applicable), and any specific time constraints or urgency factors. The Company maintains a Verified Identity Register to prevent fraudulent rights requests and ensure legitimate data subjects can efficiently exercise their rights without excessive verification burdens.
  2. Rights Response Implementation Framework: The Company operates a documented Data Subject Rights Management System (DSRMS) ensuring systematic compliance with GDPR Article 12 requirements: (a) Response Timeline Management: All requests are logged within 24 hours of receipt with unique tracking reference numbers. Standard timeline: 30 calendar days maximum from receipt of complete and verified request. Extension protocol: Maximum 60 additional days for complex requests involving multiple data categories, third-party data processors, or technical challenges, with detailed extension justification provided to data subject within initial 30-day period. Priority processing: Access requests completed within 15 days where technically feasible, urgent erasure requests (fraud prevention, security concerns) processed within 72 hours. (b) Staff Assignment and Training Protocol: Designated Rights Officers: Two trained staff members handle all rights requests with documented competency requirements including GDPR Article 12-23 provisions, data mapping knowledge, and technical data extraction procedures. Training Requirements: Annual 16-hour GDPR rights training, quarterly updates on regulatory guidance, and monthly internal audits of response quality and timeliness. Escalation Procedures: Complex legal questions escalated to external data protection counsel within 5 business days, technical challenges escalated to IT security team within 48 hours. (c) Quality Assurance and Monitoring: Response Content Standards: All responses include specific data categories processed, legal basis for processing, retention periods, third-party sharing details, and clear explanation of any request limitations or refusals. Tracking Metrics: Monthly reports on response times (target: 95% within 30 days), request completion rates, extension usage, and data subject satisfaction scores. Compliance Documentation: Each request generates comprehensive case file including identity verification records, data search documentation, response content approval, and outcome confirmation. The Company maintains a Rights Response Register with statistical analysis reviewed quarterly by senior management to identify process improvements and ensure continuous GDPR Article 12 compliance enhancement.
  3. We will provide information on action taken free of charge, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
9. Right to Lodge a Complaint
  1. You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your personal data has been processed in violation of GDPR.
  2. The Dutch Data Protection Authority can be contacted at: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, Netherlands, or through their website at autoriteitpersoonsgegevens.nl.
Data Security Measures
1. The Company implements comprehensive technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, designed in accordance with GDPR Article 32 and based on systematic risk assessments updated annually. Our security framework follows ISO 27001 information security management principles and incorporates industry-standard technical safeguards with documented implementation procedures, regular audit protocols, and measurable compliance indicators to ensure appropriate protection levels relative to processing risks and data sensitivity categories.
2. Technical Security Standards and Implementation include documented implementation of the following security controls with specific technical specifications:
  1. Data Encryption Standards: AES-256 encryption for data at rest stored in cloud databases and local systems, TLS 1.3 minimum for data in transit with Perfect Forward Secrecy enabled, end-to-end encryption for email communications containing personal data, and encrypted backup storage with separate key management systems. All encryption implementations undergo annual third-party security assessments with documented compliance certificates maintained for regulatory review.
  2. Network Security Implementation: HTTPS Strict Transport Security (HSTS) with 365-day max-age for website www.sourcent.co, Web Application Firewall (WAF) with real-time threat detection and automated blocking capabilities, Content Security Policy (CSP) headers preventing cross-site scripting attacks, and certificate pinning for mobile applications with quarterly certificate rotation procedures.
  3. Vulnerability Management Program: Monthly automated vulnerability scans using industry-standard tools (Nessus, OpenVAS), immediate patching protocol for critical vulnerabilities within 72 hours of disclosure, quarterly penetration testing by certified ethical hackers with detailed remediation tracking, and annual security code reviews for custom applications with documented fix verification procedures.
  4. Network Access Controls: Multi-layered firewall protection with application-level filtering, intrusion detection systems (IDS) with 24/7 monitoring and automated incident response, network segmentation isolating personal data processing systems from public networks, and real-time security information and event management (SIEM) logging with 12-month retention for forensic analysis.
  5. Backup Security and Recovery Procedures: Encrypted daily backups with AES-256 encryption stored in geographically separate locations, automated backup integrity testing with monthly recovery simulation exercises, role-based access controls for backup systems with detailed access logging, and documented disaster recovery procedures with Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for critical personal data systems.
3. Organizational Security Framework and Audit Procedures include systematic implementation of the following controls with documented compliance evidence:
  1. Role-Based Access Control System: Multi-factor authentication (MFA) mandatory for all personal data access with hardware security keys for administrative accounts, principle of least privilege implementation with quarterly access reviews and automatic deprovisioning, detailed access logging with real-time monitoring for unusual activities, and segregation of duties ensuring no single individual has complete control over sensitive data processing operations.
  2. Comprehensive Security Training Program: Annual mandatory 8-hour data protection and cybersecurity training for all staff with competency testing and certification requirements, monthly security awareness updates covering current threat landscapes and phishing prevention, specialized training for personnel with administrative access including incident response procedures, and documented training records maintained for compliance auditing with skills assessment tracking.
  3. Incident Response and Breach Management: Documented incident response plan with defined roles and escalation procedures, 24/7 security incident hotline with designated response team members, automated breach detection systems with immediate notification protocols, and quarterly incident response drills with lessons learned documentation and procedure refinement based on exercise outcomes.
  4. Regular Security Audit and Assessment Schedule: Annual comprehensive security audits conducted by certified third-party security firms with detailed findings reports and remediation tracking, quarterly internal security assessments including vulnerability scanning, access control reviews, and policy compliance verification, monthly security metrics reporting to senior management with key performance indicators including breach detection times, patch compliance rates, and training completion statistics, and bi-annual Data Protection Impact Assessments (DPIAs) for high-risk processing activities with documented risk mitigation measures and regulatory compliance validation.
  5. Contractual Security Obligations: Comprehensive confidentiality and data security agreements for all employees, contractors, and service providers with specific personal data handling requirements, background checks for personnel with access to sensitive data including identity verification and reference validation, regular compliance monitoring with documented violation reporting and disciplinary procedures, and mandatory security incident reporting obligations with defined timeframes and escalation protocols.
  6. Security Compliance Documentation and Evidence Maintenance: The Company maintains comprehensive documentation demonstrating security measure effectiveness and regulatory compliance including: Technical Implementation Records documenting security control deployment, configuration settings, and operational procedures with version control and change management tracking; Audit Trail Logs with tamper-proof storage for access activities, system changes, and security events retained for 3 years for regulatory inspection; Compliance Certification Records including third-party audit reports, penetration testing results, vulnerability assessments, and security certifications with annual renewal tracking; Security Training Documentation with individual completion records, competency assessments, and specialized role-based training certification maintained for audit purposes; and Incident Response Documentation including breach investigation reports, remediation evidence, lessons learned analysis, and regulatory notification records demonstrating continuous security improvement and GDPR Article 32 compliance.
  7. Security Risk Assessment Methodology: The Company conducts annual comprehensive risk assessments using internationally recognized frameworks (ISO 27005, NIST Cybersecurity Framework) to identify, analyze, and evaluate security risks specific to personal data processing activities. Risk assessments consider data sensitivity levels, processing purposes, technical infrastructure vulnerabilities, and external threat landscapes with quantitative risk scoring using standardized metrics. High-risk processing activities (automated decision-making, large-scale profiling, cross-border transfers) undergo enhanced security measures including additional encryption requirements, access restrictions, and monitoring controls with documented risk treatment plans and residual risk acceptance by senior management.
4. Continuous Security Monitoring and Improvement Program: The Company operates a systematic security enhancement program with real-time threat monitoring using automated security tools, quarterly security reviews assessing emerging threats and technological developments, annual security framework updates incorporating industry best practices and regulatory guidance, and continuous improvement processes based on audit findings, incident analysis, and threat intelligence updates. Security measures are benchmarked against industry standards with measurable improvement targets and documented evidence of enhanced protection capabilities maintained for regulatory compliance verification.
5. Breach Notification to Supervisory Authority: In the event of a personal data breach, the Company has implemented a documented breach response framework ensuring compliance with GDPR Article 33. The Company will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notifications will include: (i) description of the nature of the breach including categories and approximate numbers of data subjects and personal data records concerned; (ii) contact details of the designated breach response coordinator; (iii) description of likely consequences of the breach; (iv) measures taken or proposed to address the breach and mitigate adverse effects. The Company maintains a breach detection and monitoring system with designated responsibilities: initial breach assessment within 2 hours of detection, risk evaluation within 12 hours, and supervisory authority notification within 72 hours. Where notification cannot be made within 72 hours, the Company will provide reasons for delay in the notification.
6. Breach Notification to Data Subjects: The Company will communicate personal data breaches to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34. High risk criteria include: (i) breaches involving special categories of personal data; (ii) breaches that may lead to identity theft or fraud; (iii) breaches affecting financial data or payment information; (iv) breaches that may cause significant economic or social disadvantage; (v) breaches involving large-scale processing or systematic monitoring. Data subject notifications will be provided in clear and plain language and include: (a) description of the nature of the breach; (b) contact details of the designated privacy contact; (c) description of likely consequences; (d) measures taken to address the breach; (e) specific recommendations for data subjects to protect themselves. The Company conducts quarterly breach response drills and maintains staff training programs to ensure effective implementation of these procedures. Notifications to data subjects will be made within 72 hours of determining high risk exists, unless: appropriate technical and organizational protection measures were applied (such as encryption), subsequent measures ensure high risk is no longer likely to materialize, or individual notification would involve disproportionate effort (in which case public communication will be made).
7. The Company requires all third-party processors and service providers to implement equivalent security measures through contractual obligations and data processing agreements.
Contact Information for Data Protection
1. For all inquiries, requests, or concerns regarding the processing of your personal data, please contact us using the following details:
2. Data Controller Contact Information:
  1. Company: Sourcent Property Group VOF
  2. Email: info@sourcent.co
  3. Registered Address: Herengracht 320, 1016 CE Amsterdam
  4. Chamber of Commerce Registration: 98537547
3. Response Times:
  1. We will acknowledge receipt of your data protection inquiry within 72 hours of receiving your request.
  2. We will provide a substantive response to your request within one month of receipt, or inform you if an extension is required in complex cases.
4. Complaints to Supervisory Authority:
  1. If you are not satisfied with our handling of your personal data or our response to your data protection request, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
  2. Contact details for the Dutch Data Protection Authority:
  3. Website: www.autoriteitpersoonsgegevens.nl
  4. Postal Address: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, Netherlands
  5. Phone: +31 (0)70 888 85 00
5. When contacting us regarding data protection matters, please provide sufficient information to allow us to identify you and locate your personal data in our systems.
Governing Law and Jurisdiction
1. This Privacy Policy and all matters relating to the processing of personal data by the Company shall be governed by and construed in accordance with the laws of the Netherlands.
2. The Company's data processing activities are subject to the European Union General Data Protection Regulation (EU) 2016/679 (GDPR) and the Dutch Implementation Act on the General Data Protection Regulation (Uitvoeringswet Algemene verordening gegevensbescherming).
3. Any disputes arising from or in connection with this Privacy Policy or the Company's data processing practices shall be subject to the exclusive jurisdiction of the competent courts of the Netherlands.
4. Data subjects retain the right to lodge complaints with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) regardless of the governing law provisions set forth in this section.
5. Where the Company processes personal data of data subjects residing in other EU/EEA member states, the data protection laws and supervisory authority competence rules of those jurisdictions may also apply in accordance with GDPR provisions.
6. This Privacy Policy shall remain in effect and binding upon the Company notwithstanding any changes in applicable data protection legislation, provided that the Company shall update this Policy as necessary to maintain compliance with current legal requirements.
Policy Updates and Changes
1. The Company reserves the right to update, modify, or replace this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations.
2. When material changes are made to this Privacy Policy that affect how we collect, use, or share personal data, we will provide notice to users through one or more of the following methods:
  1. Posting a prominent notice on our website at www.sourcent.co;
  2. Sending an email notification to users who have provided their email address;
  3. Displaying a notification banner or pop-up on the website upon the user's next visit.
3. For non-material changes, such as administrative updates, clarifications, or formatting improvements, we will update the "Last Updated" date at the top of this Privacy Policy without additional notification.
4. Users are encouraged to review this Privacy Policy periodically to stay informed about how we protect their personal data.
5. Continued use of our website and services after the effective date of any Privacy Policy updates constitutes acceptance of the revised terms.
6. If users do not agree with any changes to this Privacy Policy, they should discontinue use of our website and contact us to exercise their rights regarding their personal data, including the right to erasure where applicable.
7. Where required by applicable law, we will obtain renewed consent from users for any new data processing purposes or significant changes to existing processing activities.

This Privacy Policy has been approved and authorized by Sourcent Property Group VOF on 25-11-2025 and is effective as of 25-11-2025.

This Privacy Policy does not require user signatures as it constitutes a unilateral policy statement by the data controller regarding data processing practices.