GDPR Compliance
Last updated: 13 March 2026
This page complements our user-facing Privacy Policy. It provides implementation details for compliance (records of processing, processors, transfers, security, cookies, Data Subject Requests).
1) Roles & entities
Controller: Andrii Trush (self-employed in Belgium)
Registered address: 9200 Dendermonde, Belgium
Enterprise number (KBO/BCE): BE 1016.452.805
Email: contact@isapp.be
DPO: Not appointed.
Website covered: isapp.be (the "Site")
2) Records of processing activities (ROPA)
| Purpose | Data categories | Data subjects | Legal basis | Legitimate interest | Retention | Recipients/processors | Key security measures |
|---|---|---|---|---|---|---|---|
| Contact form handling | Name, email, message content; optional phone/company | Website users, prospects | Contract (6(1)(b)) or Legitimate interests (6(1)(f)) | Efficient handling of enquiries | Up to 12 months after last interaction (unless legal retention applies) | Service providers supporting contact handling (if any) | HTTPS/TLS; spam filtering; access controls |
| Project briefing & proposals | Identity/contact, company, project scope, requirements, timeline, budget, uploaded files | Prospects, website users | Contract (6(1)(b)) pre-contractual steps; or Legitimate interests (6(1)(f)) | Efficient scoping and proposal preparation | Up to 24 months after last interaction if no contract is formed; longer if legal retention applies once contracted | Internal tools (CRM/task/docs, if any) | Access controls; avoid special categories; secure file storage |
| Analytics (opt-in) | IP (truncated/aggregated where applicable), device and usage data, pages viewed | Website users | Consent (6(1)(a)) via Cookiebot | — | 2–14 months (per analytics settings) | Google Analytics 4, Microsoft Clarity, Cloudflare Web Analytics / RUM, Ahrefs Web Analytics | Consent gating; retention limits; privacy-friendly modes where available |
| Security & error monitoring | IP, request metadata, error traces/logs | Website users | Legitimate interests (6(1)(f)) | Ensure availability, integrity and secure operation of the Site | ~90 days | CDN/WAF, error monitoring | Network firewalling, WAF, rate-limiting, RBAC, logging |
| Marketing & remarketing (opt-in) | Cookie IDs, page events, campaign attribution | Users who consented | Consent (6(1)(a)) | — | Per vendor policy | Google Ads, Meta Pixel | Consent gating, periodic reviews |
3) Processors & sub-processors
We maintain DPAs with our processors. They act on our documented instructions and implement appropriate measures. The list below reflects our current stack for the Site.
| Vendor | Purpose | Primary locations | Transfer mechanism | DPA/Terms | Notes |
|---|---|---|---|---|---|
| Usercentrics (Cookiebot) | Consent Management Platform (CMP) | EU/Global | Standard terms / SCCs where applicable | DPA | Blocks non-essential scripts until consent |
| Google Tag Manager | Tag management and delivery (fires tags per Cookiebot consent) | EU/US | DPF + SCCs | Google Ads Data Processing Terms | Infrastructure only; no cookies by itself when configured without analytics |
| Cloudflare (CDN/WAF) | CDN, security (WAF, DDoS) | Global | DPF + SCCs where applicable | DPA | Strictly necessary by default |
| Cloudflare Web Analytics / RUM | Website analytics (opt-in) | EU/Global | DPF + SCCs where applicable | Covered under Cloudflare DPA | Runs only after Statistics consent |
| Ahrefs Web Analytics | Privacy-first website analytics (opt-in) | EU/Global | Standard terms | Service | Cookieless mode supported; gated under Statistics |
| Google Analytics 4 | Website analytics (opt-in) | EU/US | DPF + SCCs | Processor Terms | Runs only after consent; IP masking |
| Microsoft Clarity | Session analytics (opt-in) | EU/US | DPF + SCCs | Microsoft GDPR & DPA | Session recording/heatmaps only after consent |
| Sentry | Error monitoring | EU/US | DPF + SCCs | DPA | Log minimization; personal data limited |
| Google Ads | Advertising & remarketing (opt-in) | EU/US | DPF + SCCs | Ads Processor Terms | Consent required |
| Meta Pixel | Advertising & remarketing (opt-in) | EU/US | DPF + SCCs | Business Tools Terms | Consent required |
4) Cookies & Consent Management
We use Cookiebot (Usercentrics) as our CMP. By default, all non-essential tags and scripts are blocked. Tags are managed via Google Tag Manager and will fire only when the corresponding Cookiebot consent category is granted. You can change or withdraw your consent at any time via Change cookie preferences.
Cookie categories & tag mapping
| Category | Purpose | Tools | Consent required? | Release condition (Cookiebot) |
|---|---|---|---|---|
| Necessary | Security, load balancing, consent storage, tag delivery infrastructure | Cloudflare (CDN/WAF), Google Tag Manager, Cookiebot core | No (legitimate interest) | Always on (infrastructure only; no analytics/marketing code) |
| Preferences | Remember language/UX choices | Site settings | Yes | preferences = true |
| Statistics | Measure usage and performance | Google Analytics 4, Microsoft Clarity, Cloudflare Web Analytics / RUM, Ahrefs Web Analytics | Yes | statistics = true (tags released via GTM) |
| Marketing | Remarketing, ad performance | Google Ads, Meta Pixel | Yes | marketing = true (tags released via GTM) |
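The mapping above can be enforced and checked in code. The following is an added example, not the Site's own tag configuration: it mirrors the Cookiebot category-to-tag mapping, computes which tags may fire for a given consent state, reports withdrawn categories (an already-loaded tag cannot be unloaded in place), and lints the mapping so that no analytics or advertising vendor ends up in the always-on Necessary category. It assumes the shape of Cookiebot's `window.Cookiebot.consent` object and the `CookiebotOnAccept` / `CookiebotOnDecline` event names from Cookiebot's public API.

```javascript
// Added example (not isapp.be's own code). Category -> tag mapping copied from the table above.
const TAG_MAPPING = {
  necessary:   ["Cloudflare (CDN/WAF)", "Google Tag Manager", "Cookiebot core"],
  preferences: ["Site settings"],
  statistics:  ["Google Analytics 4", "Microsoft Clarity",
                "Cloudflare Web Analytics / RUM", "Ahrefs Web Analytics"],
  marketing:   ["Google Ads", "Meta Pixel"],
};

const CONSENT_CATEGORIES = ["preferences", "statistics", "marketing"];

// Vendors that must never sit in the always-on category: they are analytics/ads tools.
const NEVER_NECESSARY = new Set([...TAG_MAPPING.statistics, ...TAG_MAPPING.marketing]);

// Returns the tags allowed to fire for a consent state such as
// { necessary: true, preferences: false, statistics: true, marketing: false }.
// Necessary tags are always released; every other category needs an explicit true.
function releasedTags(consent, mapping = TAG_MAPPING) {
  const released = [...mapping.necessary];
  for (const category of CONSENT_CATEGORIES) {
    if (consent[category] === true) released.push(...(mapping[category] || []));
  }
  return released;
}

// Compares a previous and a new consent state. Withdrawn categories are flagged
// because a tag that already executed cannot be unloaded; a page reload is needed
// so the withdrawn tags are simply never released again.
function consentDiff(previous, next) {
  const granted = [], withdrawn = [];
  for (const category of CONSENT_CATEGORIES) {
    if (!previous[category] && next[category] === true) granted.push(category);
    if (previous[category] === true && !next[category]) withdrawn.push(category);
  }
  return { granted, withdrawn, reloadRequired: withdrawn.length > 0 };
}

// Configuration lint: any analytics/marketing vendor placed under "necessary" is a
// misconfiguration, since it would run without consent.
function misplacedTags(mapping) {
  return (mapping.necessary || []).filter((tag) => NEVER_NECESSARY.has(tag));
}

// Browser wiring (skipped when run outside a page): re-evaluate on each consent change.
// Assumes Cookiebot's public event names and consent object (not verified against the Site).
if (typeof window !== "undefined" && window.Cookiebot) {
  const onChange = () => console.log("Tags allowed:", releasedTags(window.Cookiebot.consent));
  window.addEventListener("CookiebotOnAccept", onChange);
  window.addEventListener("CookiebotOnDecline", onChange);
}
```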
5) SEO crawlers (not cookies; not under CMP)
We use Ahrefs Webmaster Tools for technical SEO and link analysis. Its bot (AhrefsBot) crawls publicly available pages to evaluate site health and links. It does not set cookies or track visitors and does not depend on your cookie consent.
6) International data transfers
Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. For US-based processors that are certified under the EU-US Data Privacy Framework (DPF), transfers rely on the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795). Where a processor is not DPF-certified or is located in another non-EEA country, we rely on the European Commission's Standard Contractual Clauses (SCCs) and implement supplementary measures where necessary. We periodically review transfer frameworks and vendor certifications. The processor table above indicates the applicable transfer mechanism for each vendor.
7) Security measures (overview)
- Encryption in transit (TLS) and at rest where available
- Role-based access control, least privilege, 2FA for admin access
- Regular patching and dependency management
- Backups and restore testing
- Network protections (WAF, rate limiting, DDoS mitigation)
- Logging/monitoring and alerting for anomalies
- Secrets management and environment segregation
8) Data breach notification
In the event of a personal data breach, we follow a structured response process in accordance with GDPR Articles 33 and 34:
- Detection and containment. We take immediate steps to contain the breach and assess its scope.
- Risk assessment. We evaluate the likelihood and severity of risk to the rights and freedoms of affected individuals.
- Notification to the supervisory authority. If the breach is likely to result in a risk to individuals' rights and freedoms, we notify the Belgian Data Protection Authority (APD/GBA) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is delayed beyond 72 hours, we provide reasons for the delay.
- Notification to data subjects. If the breach is likely to result in a high risk to individuals' rights and freedoms, we inform the affected individuals without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed.
- Documentation. We document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification to the DPA was required.
9) Data Protection Impact Assessment (DPIA)
We have assessed our processing activities against the criteria in GDPR Article 35 and the Belgian DPA's list of processing operations that require a DPIA. Based on the nature, scope, context, and purposes of our processing — which is limited to standard business operations (contact handling, analytics with consent, security logging) — we have concluded that a DPIA is not required at this time. We will reassess if our processing activities change materially.
10) Data Subject Request (DSR) workflow
- Submit: Email contact@isapp.be from the address you used on our Site and describe your request.
- Verify: We may ask for limited information to confirm your identity.
- Assess: We locate relevant data and assess any legal restrictions (e.g., legal obligations, third-party rights).
- Respond: We respond within 30 days (extendable where permitted for complex requests).
- Escalate: If you are not satisfied, you can complain to the Belgian Data Protection Authority (APD/GBA).
APD/GBA: Rue de la Presse 35, 1000 Brussels, contact@apd-gba.be, www.dataprotectionauthority.be.