GDPR Information
Last updated: 26 September 2025
This page complements our user-facing Privacy Policy. It provides implementation details for compliance (records of processing, processors, transfers, security, cookies, Data Subject Requests).
1) Roles & entities
Controller: Andrii Trush (self-employed in Belgium)
Registered address: 9200 Dendermonde, Belgium
Enterprise number (KBO/BCE): BE 1016.452.805
Email: contact@isapp.be
DPO: Not appointed.
Websites covered: isapp.be, isap.me, isap.dev
2) Records of processing activities (ROPA)
| Purpose | Data categories | Data subjects | Legal basis | Legitimate interest (if 6(1)(f)) | Retention | Recipients / processors | Key security measures |
|---|---|---|---|---|---|---|---|
| Contact form handling | Name, email, message content; optional phone/company | Website users, prospects | Contract (6(1)(b)) or Legitimate interests (6(1)(f)) | Efficient handling of enquiries | Up to 12 months after last interaction (unless legal retention applies) | Service providers supporting contact handling (if any) | HTTPS/TLS; spam filtering; access controls |
| Project briefing & proposals | Identity/contact, company, project scope, requirements, timeline, budget, uploaded files | Prospects, website users | Contract (6(1)(b)) pre-contractual steps; or Legitimate interests (6(1)(f)) | Efficient scoping and proposal preparation | Up to 24 months after last interaction if no contract is formed; longer if legal retention applies once contracted | Internal tools (CRM/task/docs, if any) | Access controls; avoid special categories; secure file storage |
| Analytics (opt-in) | IP (truncated/aggregated where applicable), device and usage data, pages viewed | Website users | Consent (6(1)(a)) via Cookiebot | — | 2–14 months (per analytics settings) | Google Analytics 4, Microsoft Clarity, Cloudflare Web Analytics / RUM, Ahrefs Web Analytics | Consent gating; retention limits; privacy-friendly modes where available |
| Security & error monitoring | IP, request metadata, error traces/logs | Website users | Legitimate interests (6(1)(f)) | Ensure availability, integrity and secure operation of the Sites | ~90 days | CDN/WAF, error monitoring | Network firewalling, WAF, rate-limiting, RBAC, logging |
| Marketing & remarketing (opt-in) | Cookie IDs, page events, campaign attribution | Users who consented | Consent (6(1)(a)) | — | Per vendor policy | Google Ads, Meta Pixel | Consent gating, periodic reviews |
3) Processors & sub-processors
We maintain DPAs with our processors. They act on our documented instructions and implement appropriate measures. The list below reflects our current stack for the Sites.
| Vendor | Purpose | Primary locations | Transfer mechanism | DPA/Terms | Notes |
|---|---|---|---|---|---|
| Usercentrics (Cookiebot) | Consent Management Platform (CMP) | EU/Global | Standard terms / SCCs where applicable | DPA | Blocks non-essential scripts until consent |
| Cloudflare Gateway Tag Manager | Tag delivery/routing (fires only per Cookiebot consent) | Global | Standard terms; SCCs where applicable | Service | Infrastructure only; no cookies by itself |
| Cloudflare (CDN/WAF) | CDN, security (WAF, DDoS) | Global | Standard terms; SCCs where applicable | DPA | Strictly necessary by default |
| Cloudflare Web Analytics / RUM | Website analytics (opt-in) | EU/Global | Standard terms; SCCs where applicable | Service | Runs only after Statistics consent |
| Ahrefs Web Analytics | Privacy-first website analytics (opt-in) | EU/Global | Standard terms | Service | Cookieless mode supported; gated under Statistics |
| Google Analytics 4 | Website analytics (opt-in) | EU/US | SCCs | Processor Terms | Runs only after consent; IP masking |
| Microsoft Clarity | Session analytics (opt-in) | EU/US | SCCs | Microsoft GDPR & DPA | Session recording/heatmaps only after consent |
| Sentry | Error monitoring | EU/US | SCCs | DPA | Log minimization; personal data limited |
| Google Ads | Advertising & remarketing (opt-in) | EU/US | SCCs | Ads Processor Terms | Consent required |
| Meta Pixel | Advertising & remarketing (opt-in) | EU/US | SCCs | Business Tools Terms | Consent required |
4) Cookies & Consent Management
We use Cookiebot (Usercentrics) as our CMP. By default, all non-essential tags and scripts are blocked. Tags are delivered via Cloudflare Gateway Tag Manager and will fire only when the corresponding Cookiebot category is granted. You can change or withdraw your consent at any time via Change cookie preferences.
Cookie categories & tag mapping
| Category | Purpose | Tools | Consent required? | Release condition (Cookiebot) |
|---|---|---|---|---|
| Necessary | Security, load balancing, consent storage, tag delivery infrastructure | Cloudflare (CDN/WAF), Cloudflare Gateway Tag Manager, Cookiebot core | No (legitimate interest) | Always on (infrastructure only; no analytics/marketing code) |
| Preferences | Remember language/UX choices | Site settings | Yes | preferences = true |
| Statistics | Measure usage and performance | Google Analytics 4, Microsoft Clarity, Cloudflare Web Analytics / RUM, Ahrefs Web Analytics | Yes | statistics = true (tags released via CF Gateway TM) |
| Marketing | Remarketing, ad performance | Google Ads, Meta Pixel | Yes | marketing = true (tags released via CF Gateway TM) |
5) SEO crawlers (not cookies; not under CMP)
We use Ahrefs Webmaster Tools for technical SEO and link analysis. Its bot (AhrefsBot) crawls publicly available pages to evaluate site health and links. It does not set cookies or track visitors and does not depend on your cookie consent.
6) International data transfers
Where a processor is outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and implement supplementary measures if needed. We periodically review transfer frameworks and vendor documentation.
7) Security measures (overview)
- Encryption in transit (TLS) and at rest where available
- Role-based access control, least privilege, 2FA for admin access
- Regular patching and dependency management
- Backups and restore testing
- Network protections (WAF, rate limiting, DDoS mitigation)
- Logging/monitoring and alerting for anomalies
- Secrets management and environment segregation
8) Data Subject Request (DSR) workflow
- Submit: Email contact@isapp.be from the address you used on our Sites and describe your request.
- Verify: We may ask for limited information to confirm your identity.
- Assess: We locate relevant data and assess any legal restrictions (e.g., legal obligations, third-party rights).
- Respond: We respond within 30 days (extendable where permitted for complex requests).
- Escalate: If you are not satisfied, you can complain to the Belgian Data Protection Authority (APD/GBA).
APD/GBA: Rue de la Presse 35, 1000 Brussels, contact@apd-gba.be, www.dataprotectionauthority.be.