Privacy Policy
Last updated: 20 May 2026
This Privacy Policy describes how Hipsvitalelbow.world (“we”, “us”, “our”) processes personal data when you use our website about evening relaxation and sleep preparation. We process data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), and other applicable Netherlands and EU law. For cookies and similar technologies, see our Cookie Policy.
1. Data controller
The data controller responsible for processing is:
Hipsvitalelbow.world
Oudegracht 243, 3511 NL Utrecht, Netherlands
Email (privacy & general contact): reach@hipsvitalelbow.world
Telephone: +31 6 38535436
For questions about this policy or to exercise your rights, contact us using the details above. We have not appointed a Data Protection Officer (DPO), as we are not required to do so under Article 37 GDPR; privacy inquiries are handled directly by the controller.
2. Personal data we process
Depending on how you use the site, we may process:
- Identity and contact data: name and email address when you submit the contact form.
- Communication content: the text of your message and any information you choose to include (e.g. event registration or preferences).
- Consent records: confirmation that you agreed to data processing (GDPR checkbox on the contact form) and the time of submission.
- Cookie preferences: your choices regarding analytics and marketing categories (stored in browser local storage under the key
tdde_cookie_consent). - Technical data: IP address, browser type, operating system, referrer URL, and pages viewed—primarily where necessary for security or, if you consent, for analytics.
We do not intentionally collect special categories of personal data (Article 9 GDPR), such as detailed health information, through the contact form. Please do not send medical records or sensitive health data unless strictly necessary; we may delete such content to limit risk.
Providing name, email, and consent is voluntary but required to use the contact form. Without this data we cannot respond to your message.
3. Purposes and legal bases (Article 6 GDPR)
| Purpose | Data involved | Legal basis |
|---|---|---|
| Answering contact and event enquiries | Name, email, message, consent record | Article 6(1)(b) GDPR (steps at your request before a possible agreement) and Article 6(1)(f) GDPR (legitimate interest in operating our service and communicating with visitors) |
| Website security, fraud prevention, and technical operation | IP address, logs, essential cookies/storage | Article 6(1)(f) GDPR (legitimate interest in secure and stable operation) |
| Storing and proving cookie consent | Consent preferences in local storage | Article 6(1)(c) GDPR (legal obligation under the Telecommunicatiewet and ePrivacy rules) and Article 6(1)(f) GDPR |
| Analytics and marketing (only if enabled) | Usage data via optional cookies | Article 6(1)(a) GDPR (consent)—withdraw anytime via cookie settings |
| Compliance with law (tax, legal claims, regulatory requests) | Relevant data where required | Article 6(1)(c) GDPR (legal obligation) |
Where we rely on legitimate interests (Article 6(1)(f)), we balance our interests against your rights and freedoms; you may object as described in Section 9. Our legitimate interests include running an informative website, responding to correspondence, and protecting the site from abuse.
4. Sources of data
We obtain data directly from you (contact form, cookie banner) or automatically from your device when you visit the site (technical logs). Embedded services such as Google Maps on the contact page may collect data under their own policies; see Section 6.
5. Recipients and processors
We do not sell your personal data. Data may be shared with:
- Hosting and IT providers that store the website and process email on our behalf (processors under Article 28 GDPR with written processing agreements).
- Authorities (e.g. courts, regulators) when required by Netherlands or EU law.
- Professional advisers (e.g. lawyers, accountants) under confidentiality obligations where strictly necessary.
A current list of main processor categories is available on request. If we add analytics or marketing tools, we will update this policy and our Cookie Policy before activating non-essential tracking.
6. Third-party content and international transfers
Our contact page embeds Google Maps. Google Ireland Limited / Google LLC may process personal data (including IP address and device data) in accordance with Google’s Privacy Policy. Loading the map may involve transfers outside the European Economic Area (EEA); Google relies on appropriate safeguards such as EU Standard Contractual Clauses where applicable.
We also load Google Fonts and Material Icons from Google servers, which may involve connection data (IP address). You may block these via browser settings; layout may change.
Where any processor transfers data outside the EEA, we ensure a valid transfer mechanism under Chapter V GDPR (e.g. EU Standard Contractual Clauses, adequacy decision, or binding corporate rules).
7. Retention periods
- Contact form messages: up to 24 months after the last correspondence, unless a longer period is required for legal claims or you request earlier deletion.
- Consent proof (contact form GDPR checkbox): retained with the message for the same period.
- Server and security logs: up to 90 days, unless needed longer for incident investigation.
- Cookie consent preferences: up to 12 months in local storage, after which we ask for your choice again.
- Analytics/marketing data: according to the relevant tool’s policy, not longer than necessary, and only while consent remains valid.
- Business records: where Netherlands law requires retention (e.g. tax or accounting rules under the Algemene wet inzake rijksbelastingen), data may be kept for the statutory period (often up to seven years for financial administration).
After retention ends, data is deleted or anonymised unless Netherlands law requires longer storage.
8. Security
We apply appropriate technical and organisational measures under Article 32 GDPR, including HTTPS encryption where available, access controls, and updates to software components. No online transmission is completely secure; please contact us promptly if you believe your data has been compromised.
In the event of a personal data breach likely to pose a risk to your rights, we will notify the Autoriteit Persoonsgegevens (AP) within 72 hours where required under Article 33 GDPR and inform you without undue delay when required under Article 34 GDPR.
9. Your rights under GDPR and UAVG
You have the following rights, subject to conditions in the GDPR and UAVG:
- Access (Article 15)—obtain confirmation whether we process your data and receive a copy.
- Rectification (Article 16)—correct inaccurate or incomplete data.
- Erasure (Article 17)—request deletion where grounds apply (“right to be forgotten”).
- Restriction (Article 18)—limit processing in certain cases.
- Data portability (Article 20)—receive data you provided in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
- Objection (Article 21)—object to processing based on legitimate interests, including profiling; we will stop unless we demonstrate compelling legitimate grounds.
- Withdraw consent (Article 7(3))—at any time for consent-based processing (e.g. optional cookies), without affecting the lawfulness of processing before withdrawal.
To exercise your rights, email us with sufficient detail to identify you. We respond within one month (extendable by two further months for complex requests, with notice under Article 12(3) GDPR). We may request proof of identity where reasonably needed to prevent fraud.
You also have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
Postbus 93374, 2509 AJ Den Haag, Netherlands
Website: autoriteitpersoonsgegevens.nl
10. Automated decision-making and profiling
We do not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
11. Children
Our website is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental authority consent as required under Article 8 GDPR and the UAVG. If you believe a child has provided data, contact us for deletion.
12. Online advertising (Google Ads and similar)
If you arrive via online advertising (e.g. Google Ads in the Netherlands), the ad describes the same free educational content as this website. We do not use ads that promise medical outcomes, sell regulated health products, or misrepresent our services.
Where you consent to marketing cookies, conversion measurement may process technical data (e.g. page views, referrer). Legal basis: consent (Article 6(1)(a) GDPR). You may refuse marketing cookies via our banner without losing access to the site. We do not sell personal data to advertisers.
13. Changes to this policy
We may update this Privacy Policy to reflect legal or operational changes. The “Last updated” date at the top will change accordingly. Material changes will be communicated on this page; we encourage you to review it periodically.