Privacy Policy (GDPR/AVG)

1. Controller (Data Controller)

The controller within the meaning of the GDPR (DSGVO/AVG) is: Mygenzy Mosae Forum 1C, 6211DW Maastricht, Netherlands Represented by: Benedikt Wieser Email: hello@mygenzy.com Phone: +31 6 25 55 01 83

2. Applicable Law

This website is subject in particular to: • the GDPR (AVG) and the Dutch GDPR Implementation Act (UAVG), and • the Dutch Telecommunications Act (Telecommunicatiewet), in particular Article 11.7a (access to data on end devices / cookies).

3. General Information on Data Processing

We process personal data only to the extent necessary and where a legal basis exists (Art. 6 GDPR). This includes in particular: • Consent (Art. 6(1)(a) GDPR), • Contract / pre-contractual measures (Art. 6(1)(b) GDPR), • Legal obligation (Art. 6(1)(c) GDPR), • Legitimate interests (Art. 6(1)(f) GDPR), e.g. operational security.

4. Processing When Accessing the Website (Server Log Files)

4.1 Scope

Each time the website is accessed, the web server technically processes data, in particular: • IP address (to the extent technically required), • date/time, accessed page/file, • referrer URL, • browser type/version, operating system, • status codes, amount of data transferred.

4.2 Purposes

Ensuring technical availability, stability, IT security, error analysis, and abuse prevention.

4.3 Legal Basis

Art. 6(1)(f) GDPR (legitimate interest in a secure and functional online service).

4.4 Storage Duration

Log data is stored only as long as necessary to achieve the purposes and is then deleted or anonymized, unless legal obligations require otherwise.

5. Contact and Inquiry Form

5.1 Scope

If you contact us (e.g., via form or email), we process the data you provide, e.g. name, email address, message content, and, where applicable, project-related information (briefing, requested service, budget range).

5.2 Purposes

Handling your request, communication, preparing an offer, and initiating or performing a contract.

5.3 Legal Basis

Art. 6(1)(b) GDPR (pre-contractual measures/contract) and, where applicable, Art. 6(1)(f) GDPR (general business communication).

5.4 Storage Duration

Inquiry data is deleted after final processing unless statutory retention obligations (e.g., commercial/tax law) require longer storage.

6. Contract Performance (Video Editing / Media Services)

6.1 Scope and Categories

To provide our services, we process project-related data, in particular: • communication and project organization (e.g., briefings, agreements), • provided media content (video, audio, images), which may contain personal data (e.g., faces, voices).

6.2 Purposes and Legal Basis

Performance of the contract pursuant to Art. 6(1)(b) GDPR.

6.3 Storage Duration

Project documentation is stored as long as necessary for service delivery, aftercare (e.g., revisions), and to meet legal obligations.

7. Cookies, Consent Management and Access to End Devices

7.1 Legal Framework (Netherlands)

Storing information on your device or accessing information already stored (e.g., cookies, pixels, local storage) is governed in the Netherlands in particular by Art. 11.7a Telecommunicatiewet. In principle, informed consent is required unless it is strictly necessary for a service you explicitly requested.

Dutch supervisory guidance notes that tracking cookies without valid consent may be unlawful and expects appropriate adjustments.

7.2 Consent and Withdrawal

We use a cookie/consent management solution. Non-essential technologies (analytics/marketing/external media) are activated only after you consent (Art. 6(1)(a) GDPR). You can withdraw or change your consent at any time with effect for the future via the cookie settings.

8. Web Analytics: Google Analytics (GA4)

8.1 Provider

Google Ireland Limited, Ireland.

8.2 Scope

Google Analytics (GA4) processes usage data (e.g., page views, interactions/events, technical characteristics of browser/device, approximate location derivation) for statistical evaluation.

8.3 Purposes

Reach measurement, usage analysis, website optimization.

8.4 Legal Basis

Consent (Art. 6(1)(a) GDPR) in conjunction with Art. 11.7a Telecommunicatiewet (where device access occurs).

8.5 Third-Country Transfers

Processing outside the EEA (e.g., USA) cannot be ruled out. Transfers occur only under the conditions of Art. 44 et seq. GDPR (e.g., EU Standard Contractual Clauses and/or applicable adequacy mechanisms).

9. Usage/UX Analysis: Microsoft Clarity

9.1 Provider

Microsoft (EU provider: Microsoft Ireland Operations Limited, Ireland).

9.2 Scope

Microsoft Clarity may process interaction data (e.g., mouse movements, scrolling, clicks, navigation flows) and technical data to enable heatmaps and session analytics. Where session analytics are used, sensitive inputs should be excluded or masked where possible.

9.3 Purposes

Usability analysis, error and optimization analysis, improvement of the website.

9.4 Legal Basis

Consent (Art. 6(1)(a) GDPR) in conjunction with Art. 11.7a Telecommunicatiewet.

9.5 Third-Country Transfers

Processing outside the EEA cannot be ruled out; Art. 44 et seq. GDPR applies.

10. Marketing/Conversion: Meta Pixel

10.1 Provider

Meta Platforms Ireland Limited, Ireland.

10.2 Scope

Meta Pixel may process event data (e.g., page views, interactions, conversion events) and use cookies/similar technologies. Depending on settings and identifiers, Meta may link this data to existing Meta accounts.

10.3 Purposes

Measuring and optimizing advertising campaigns, conversion tracking, creating audiences (retargeting/custom audiences).

10.4 Legal Basis

Consent (Art. 6(1)(a) GDPR) in conjunction with Art. 11.7a Telecommunicatiewet.

10.5 Joint Controllership (where applicable)

For certain processing steps related to the collection/transmission of event data, joint controllership under Art. 26 GDPR may apply. Meta provides a “Controller Addendum” for this purpose.

10.6 Third-Country Transfers

Transfers outside the EEA (e.g., USA) cannot be ruled out; Art. 44 et seq. GDPR applies.

11. Embedded Content: Vimeo

11.1 Provider

Vimeo (Vimeo.com, Inc., USA).

11.2 Scope and Purposes

When you access pages with Vimeo embeds, a connection to Vimeo servers may be established. Technical data (e.g., IP address, device/browser data, referrer) may be processed and cookies/similar technologies may be set to provide video content and possibly optimize playback.

11.3 Legal Basis

Consent (Art. 6(1)(a) GDPR) for “External Media” if the embed enables device access or tracking, in conjunction with Art. 11.7a Telecommunicatiewet.

11.4 Third-Country Transfers

As Vimeo is based in the USA, third-country transfers may occur; Art. 44 et seq. GDPR applies.

12. Embedded Content: Instagram

12.1 Provider

Instagram (Meta).

12.2 Scope and Purposes

With Instagram embeds, Meta may process technical data (e.g., IP address, browser/device information, referrer) as well as cookie IDs/identifiers, even if you are not logged in. The purpose is to display and provide social media content.

12.3 Legal Basis

Consent (Art. 6(1)(a) GDPR) as “External Media”, in conjunction with Art. 11.7a Telecommunicatiewet.

12.4 Third-Country Transfers

Processing outside the EEA cannot be ruled out; Art. 44 et seq. GDPR applies.

13. Recipients, Processors, Disclosure

We share personal data only where necessary: • with technical service providers (hosting/IT) acting as processors, • with the providers named in this policy if you have consented to the respective categories (analytics/marketing/external media), • with authorities/tax or legal advisors where a legal obligation exists.

Where required, processor agreements pursuant to Art. 28 GDPR are concluded.

14. Storage Periods

We store personal data only as long as necessary for the respective purposes or where statutory retention obligations apply. Afterwards, data is deleted or anonymized.

15. Rights of Data Subjects

Under the GDPR, you have in particular the right to: • access (Art. 15), rectification (Art. 16), erasure (Art. 17), • restriction (Art. 18), data portability (Art. 20), • object to processing based on legitimate interests (Art. 21), • withdraw consent with effect for the future (Art. 7(3)).

To exercise your rights, simply contact hello@mygenzy.com.

16. Right to Lodge a Complaint with the Dutch Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is in particular the Autoriteit Persoonsgegevens (AP).

17. Data Security

We implement appropriate technical and organizational measures to protect personal data against loss, misuse, and unauthorized access. Encrypted transmission (TLS/SSL) is used where technically available.

18. No Fully Automated Decision-Making

No solely automated decision-making, including profiling under Art. 22 GDPR, takes place through mere website usage.

19. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy if legal requirements, the website, used services, or processing activities change.