Privacy Policy
Last updated: 13 March 2026
1) Who we are (Controller) & Contact
Controller: Andrii Trush (self-employed in Belgium)
Registered address: 9200 Dendermonde, Belgium
Enterprise number (KBO/BCE): BE 1016.452.805
Email: contact@isapp.be
DPO: We have not appointed a Data Protection Officer (DPO).
Website covered: isapp.be (the "Site")
2) Scope
This Policy explains what personal data we collect when you use the Site, why we collect it, how we process it, and your rights under the GDPR. For implementation details (processors, cookies, transfers, security, DSR), see our GDPR page.
3) What data we collect
- Contact forms: name, email, company, message, and any optional fields you provide.
- Project briefs & attachments: information to scope a project (company details, goals, requirements, timeline, budget, links, files you upload). Please avoid sharing special categories of data (e.g., health, biometric, political opinions) unless strictly necessary.
- Automatically collected data: IP address, device/browser info, pages viewed, timestamps, referrers; stored in server logs and (if you consent) analytics tools.
- From third parties (if applicable): advertising/remarketing platforms receive event data only when you have consented to Marketing cookies.
4) Purposes, legal bases, retention, recipients
We process data only for specific and legitimate purposes. All non-essential scripts (analytics/marketing) are blocked until you consent via Cookiebot.
| Purpose | Examples of data | Legal basis (Art. 6 GDPR) | Retention | Recipients / processors |
|---|---|---|---|---|
| Handle contact requests and enquiries | Name, email, company, message | Contract (6(1)(b)) or Legitimate interests (6(1)(f)) | Up to 12 months after last interaction (or longer where legally required) | Service providers supporting contact handling (if any) |
| Pre-contract steps: project briefs & proposals | Contact/company details, project scope, requirements, timeline, budget, attachments | Contract (6(1)(b)) — steps at your request prior to entering into a contract; or Legitimate interests (6(1)(f)) | Up to 24 months after last interaction if no contract is formed; if a contract follows — for the contract term and statutory retention (e.g., tax/VAT) | Internal tools (CRM/task/docs if used); need-to-know only |
| Site analytics and improvements (opt-in) | IP (truncated/aggregated where applicable), device, usage data | Consent (6(1)(a)) via Cookiebot | 2–14 months (per analytics settings) | Google Analytics 4, Microsoft Clarity, Cloudflare Web Analytics / RUM, Ahrefs Web Analytics |
| Security, performance & error monitoring | IP, request metadata, error traces | Legitimate interests (6(1)(f)) | ~90 days (typical log retention) | CDN/WAF, error monitoring |
| Marketing & remarketing (opt-in) | Cookie IDs, page events | Consent (6(1)(a)) | Per vendor policy; see cookie banner | Google Ads, Meta Pixel |
5) Cookies & tracking
We use cookies and similar technologies. Necessary cookies enable the Site to function. Preferences, Statistics, and Marketing categories are disabled by default and load only after your consent. You can review or change your choices at any time via Change cookie preferences.
6) Disclosures and processors
We share data with service providers (processors) who support the Site (consent management, tag delivery, CDN/security, analytics, error monitoring, ads). They process data only on our documented instructions under appropriate agreements. See our GDPR page for the current list of processors and tools.
7) International transfers
Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. For US-based processors that are certified under the EU-US Data Privacy Framework (DPF), transfers rely on the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795). Where a processor is not DPF-certified or is located in another non-EEA country, we rely on the European Commission's Standard Contractual Clauses (SCCs) and implement supplementary measures where necessary. We periodically review transfer frameworks and vendor certifications. Copies of applicable safeguards are available upon request.
8) Security
We apply technical and organizational measures appropriate to risk, including encryption in transit, access controls, least-privilege principles, 2FA for administrative access, backups, patching, logging/monitoring, and WAF/DDoS protections.
9) Your rights
- Access, rectification, erasure
- Restriction and objection to processing
- Data portability
- Withdrawal of consent at any time (where processing is based on consent)
To exercise your rights, email contact@isapp.be. We may request limited information to verify your identity. We respond within 30 days as required by the GDPR. You also have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA): Rue de la Presse 35, 1000 Brussels, contact@apd-gba.be, www.dataprotectionauthority.be.
10) Automated decision-making
We do not use automated decision-making or profiling as defined in Article 22 of the GDPR. No decisions that produce legal effects or similarly affect you are made solely by automated means.
11) Children's data
Our services are not directed to children. In Belgium, a child can consent to information society services from 13 years old; otherwise, consent must be given by a holder of parental responsibility. We do not knowingly collect personal data from children.
12) Changes to this Policy
We will post updates on this page and adjust the "Last updated" date above. If material changes occur, we will use reasonable means to notify you.
Contact:
Trush Andrii, VAT BE 1016.452.805
andrii.trush@isapp.be