Privacy Policy

1. Who We Are

Hermon is a product operated by Consulting Systems B.V., a company incorporated under the laws of the Netherlands.

Legal Name	Consulting Systems B.V.
Address	Geelhartje 2, 2224DT Katwijk, The Netherlands
KvK	96362367
Contact	[email protected]

In this policy, "Hermon", "we", "us", and "our" refer to Consulting Systems B.V.

2. What Data We Collect

We collect the following categories of personal data when you use our platform or interact with our services:

Category	Examples	Purpose
Identity	First name, last name	Account creation, communication
Contact	Email address, phone number	Service delivery, support, notifications
Address	Street, zip code, city, country	Invoicing, contract generation
Payment	Payment method details (processed by Stripe)	Payment processing
Usage	Feature usage, login timestamps	Product improvement, security

We do not use cookies for tracking or analytics purposes. We do not use any third-party analytics tools.

3. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Performance of a contract — To provide you with our platform and services as agreed.
• Legitimate interest — To improve our services, ensure platform security, and prevent fraud.
• Legal obligation — To comply with applicable laws, such as tax and accounting requirements.
• Consent — Where you have given explicit consent, for example for marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

We use your personal data to:

• Create and manage your Hermon account.
• Provide, maintain, and improve our platform.
• Process payments and generate invoices.
• Generate contracts and payment links.
• Send transactional messages (e.g. notifications, account updates).
• Respond to your support requests.
• Comply with legal and regulatory obligations.

5. Third-Party Processors

We share personal data only with the following third-party service providers, who act as data processors on our behalf:

Provider	Purpose	Data Shared
Stripe	Payment processing	Name, email, payment details

All processors are contractually bound to process data only on our instructions and in compliance with GDPR. We do not sell your personal data to any third party.

6. Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the processor's participation in an approved data transfer framework.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

• Account data — Retained for the duration of your account and up to 12 months after account deletion, unless longer retention is required by law.
• Payment and invoice data — Retained for 7 years to comply with Dutch fiscal record-keeping obligations (AWR).
• Support communications — Retained for up to 24 months after the last interaction.

After the applicable retention period, your data will be securely deleted or anonymised.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data ("right to be forgotten").
• Right to restriction — Request that we limit how we process your data.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interest.
• Right to withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, and regular security reviews.

10. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically.

12. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us:

Consulting Systems B.V.
Geelhartje 2, 2224DT Katwijk, The Netherlands
Email: [email protected]

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data is being processed unlawfully.