    Last updated: March 2026

    Privacy policy

    How we collect, use, and protect your personal data.

    1. Who we are

    Digital Front is the data controller for the personal data collected through our websites and services, as defined under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG").

    Digital Front

    [LEGAL FORM, e.g. eenmanszaak / VOF / BV]

    [REGISTERED ADDRESS]

    KvK: [KVK NUMBER]

    BTW: [VAT NUMBER / BTW-id]

    info@digitalfront.nl

    We have not appointed a Data Protection Officer. For all privacy-related questions, you can contact us at info@digitalfront.nl.

    2. What data we collect

    We collect personal data only when there is a clear purpose and legal basis for doing so. Here is exactly what we collect, and through which channel:

    Contact form

    When you submit our contact form, we collect your first name, last name, email address, phone number (optional), your message, which service you are interested in, and your privacy consent confirmation. Form drafts are temporarily saved in your browser tab and are never sent to our servers.

    AI chat assistant

    When you use the chat widget on our site, we collect the text messages you send during the conversation and a temporary session identifier. Your messages are sent to an AI language model (OpenAI GPT-4o-mini, hosted in the United States) for processing. No account creation is required. OpenAI acts as a data processor on our behalf and does not use your conversations to train its public models when accessed via its API. Chat data is used solely to generate a response to your question — no automated decisions with legal or similarly significant effects are made based on your chat messages.

    Meeting booking

    When you book a meeting through the embedded calendar on our site, your name, email address, and selected time are collected by Cal.com as a third-party service. The calendar only loads after you give functional cookie consent.

    Cookie consent

    When you interact with our cookie consent banner, we store your choice in a cookie called df_consent on your device. This cookie contains only your consent preference and no other personal data. We also keep an anonymized audit log of consent changes, where your IP address is irreversibly hashed.

    Theme preference

    We store your dark/light mode preference in your browser's localStorage. This is stored entirely on your device and is never transmitted to our servers.

    Analytics and error tracking

    When you grant analytics consent, we collect pseudonymous page view data (including a short-lived visitor hash and approximate location), Core Web Vitals performance metrics, and error reports. Sentry is configured to minimize personal data: we mask all text in session replays, block media, and scrub identifying fields wherever technically possible. Session replays are only recorded during errors and may still capture page structure, click coordinates, and scroll behavior. Note: if you revoke analytics consent during a browsing session, error tracking may remain active until the page is closed, as the analytics SDK cannot be fully unloaded at runtime.

    3. How we use your data

    We use the data we collect for the following specific purposes:

    • Contact form submissions — to respond to your inquiry, provide a quote, or follow up about the service you are interested in.
    • Chat messages — to provide real-time assistance and answer your questions through the AI assistant.
    • Booking data — to schedule and manage meetings with you.
    • Cookie consent — to remember and respect your cookie choices across visits.
    • Theme preference — to display the site in your preferred visual mode.
    • Pseudonymous analytics — to understand how our site is used and to improve its performance.
    • Error tracking — to identify, diagnose, and fix technical problems on the website.

    We do not use your data for automated decision-making or profiling. We do not sell your personal data to anyone.

    4. Legal bases for processing

    Under Article 6 of the GDPR, we process personal data only when we have a valid legal basis:

    Consent — Article 6(1)(a)

    AI chat messages (you initiate the chat voluntarily), cookie consent storage, analytics and error tracking (only after you grant consent), and the Cal.com booking calendar (only after functional consent). Refusing or withdrawing consent does not affect your ability to use our core website and services.

    Pre-contractual measures — Article 6(1)(b)

    Contact form data and meeting bookings — when you reach out to discuss a project or book a meeting, we process your data (including the resulting emails) as a necessary step prior to potentially entering into a contract. This covers the active inquiry and any ongoing conversation.

    Legitimate interest — Article 6(1)(f)

    Rate limiting to protect our site from abuse (only temporary, non-identifying session data is used). Retention of contact form emails for up to 2 years after an inquiry is closed, to follow up on earlier conversations and to defend against legal claims. For each activity relying on legitimate interest, we have assessed that the processing is proportionate and does not override your rights and freedoms.

    5. Third-party processors

    We use the following third-party services to operate our website. Where required, we have data processing agreements in place.

    Service | Purpose | Location
    Vercel | Website hosting, serverless functions, pseudonymous analytics, and performance metrics. | United States (EU SCCs + Data Privacy Framework)
    OpenAI | AI language model processing for the chat assistant. Receives chat messages and page context. | United States (EU SCCs)
    Resend | Email delivery for contact form submissions. | United States (EU SCCs)
    Sentry | Error tracking and performance monitoring. Configured to minimize personal data — text is masked in replays, media is blocked, and identifying fields are scrubbed wherever technically possible. | United States (EU SCCs)
    Upstash | Rate limiting, temporary chat session storage, consent audit logs, and feedback storage via Redis. | EU (Frankfurt)
    Cal.com | Meeting scheduling calendar. Only loaded after you grant functional cookie consent. | United States (EU SCCs)
    Google | OAuth authentication for our internal admin panel only — not used for site visitors. | United States (EU SCCs + Data Privacy Framework)

    Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, primarily through EU Standard Contractual Clauses (SCCs).

    6. Data retention

    We do not keep your data longer than necessary:

    • Contact form submissions — not stored server-side; data exists only in the resulting emails. These emails are retained for the duration of the sales cycle or project, and up to 2 years after the inquiry is closed, to handle follow-up questions and potential projects. After that period, emails are deleted or anonymised, unless statutory retention obligations (e.g. Dutch tax law) require longer storage.
    • Chat sessions and messages — 30 days (auto-deleted via Redis TTL).
    • Cookie consent preference — 1 year (cookie expiry).
    • Consent audit log — 5 years (per Article 7(1) GDPR and Dutch DPA guidance).
    • Chat feedback (individual) — 90 days.
    • Chat feedback (aggregates) — 1 year.
    • Error tracking data — 90 days (Sentry default).
    • Rate limiting data — seconds to minutes (sliding window, auto-expiry).

    If you request erasure before a retention period ends, we will delete your data promptly.

    7. Your rights

    Under the GDPR and the Dutch UAVG, you have the following rights:

    • Right of access — request a copy of all personal data we hold about you.
    • Right to rectification — ask us to correct inaccurate or incomplete data.
    • Right to erasure — ask us to delete your personal data.
    • Right to restriction — ask us to temporarily stop processing your data.
    • Right to data portability — receive your data in a machine-readable format.
    • Right to object — object to processing based on legitimate interest at any time.
    • Right to withdraw consent — withdraw consent at any time without affecting prior processing.

    To exercise your rights, send a request to info@digitalfront.nl. We will respond within one month.

    If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority:

    Autoriteit Persoonsgegevens

    autoriteitpersoonsgegevens.nl

    +31 (0)88 1805 250

    8. Cookies

    Our website uses a limited number of cookies. The df_consent cookie, which stores your cookie preference, is strictly necessary for the site to function and is set without requiring consent, as permitted under the ePrivacy Directive (Article 5(3)). All other cookies are only placed after you grant consent via the cookie banner. For full details about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy page.

    9. Data security

    We take appropriate technical and organizational measures to protect your personal data. No security measure is completely infallible, and we continuously review and improve our safeguards based on incidents, audits, and evolving best practices.

    • All data in transit is encrypted using HTTPS (TLS).
    • Content Security Policy headers prevent cross-site scripting and code injection.
    • All form inputs and API endpoints validate and sanitize data.
    • API routes are protected by rate limiting to prevent abuse.
    • We collect only the data necessary for each stated purpose.
    • Chat sessions and rate limiting data auto-expire via TTL settings.
    • Admin access is protected by OAuth and restricted to authorized team members.

    10. Children's privacy

    Our website and services are not directed at children. In accordance with the Dutch implementation of the GDPR (UAVG), we do not knowingly collect personal data from children under the age of 16 without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@digitalfront.nl.

    11. Is providing data mandatory?

    Providing personal data is not a legal requirement. However, some data is necessary for us to deliver specific services:

    • If you do not provide your name and email via the contact form, we cannot respond to your inquiry.
    • If you do not provide your name and email via the booking calendar, we cannot schedule a meeting with you.
    • If you do not send messages in the chat widget, the AI assistant cannot help you. You can use the chat without providing any identifying information.
    • You can browse our website without providing any personal data. Analytics and error tracking are only active if you consent to cookies.

    12. Changes to this policy

    We may update this privacy policy from time to time. When we make changes, we will update the "Last updated" date at the top. For significant changes, we will place a prominent notice on our website.

    13. Contact and complaints

    If you have any questions or requests regarding this privacy policy, please contact us at info@digitalfront.nl. We aim to resolve any concerns directly. If you are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens.

    This privacy policy is governed by the General Data Protection Regulation (EU) 2016/679 and the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG).
