Last updated: 26 June 2026
This Privacy Policy describes how Engyon collects, uses and shares personal data when you visit our website, create an account or use our Service. It also explains the rights you have under the General Data Protection Regulation (GDPR) and how to exercise them.
Engyon processes personal data in two distinct roles:
The controller for the processing described in this Policy is:
Engyon B.V.
Stationsplein 45 – 3.111, 3013 AK Rotterdam, The Netherlands
Chamber of Commerce (KvK) number: 94076987
Email: info@engyon.eu
Depending on your relationship with Engyon, we process the following categories of data:
Our Service is aimed at business users. We do not collect special categories of personal data through the Website.
We process your personal data only for the purposes set out below, each on the legal basis indicated under Article 6 GDPR.
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Providing, maintaining and managing the Service | Account, usage and technical data | Performance of the contract (Art. 6(1)(b)) |
| Creating and managing your account | Account and profile data | Performance of the contract (Art. 6(1)(b)) |
| Performing the agreement and billing | Account and billing data | Performance of the contract (Art. 6(1)(b)) |
| Communicating with you about the Service, including security and service notices | Account and contact data | Performance of the contract / legitimate interest (Art. 6(1)(b)/(f)) |
| Handling your questions and requests | Communication and support data | Legitimate interest (Art. 6(1)(f)) |
| Securing our Service, preventing misuse and analysing and improving its operation | Usage and technical data | Legitimate interest (Art. 6(1)(f)) |
| Placing non-essential cookies and analytics | Cookie data | Consent (Art. 6(1)(a)) |
| Informing you about similar services and updates (see Marketing) | Name and email address | Legitimate interest / consent (Art. 6(1)(f)/(a)) |
| Complying with legal obligations and responding to requests from competent authorities | Relevant data | Legal obligation (Art. 6(1)(c)) |
| Preparing for or carrying out a business transfer (merger, acquisition, reorganisation) | Relevant data | Legitimate interest (Art. 6(1)(f)) |
Where we rely on a legitimate interest, we have weighed that interest against your privacy. Where Engyon processes data on the basis of your consent, you may withdraw that consent at any time.
We use cookies and similar techniques to make the Website function, remember your preferences and analyse usage. For cookies other than strictly necessary ones, we ask for your prior consent through our cookie banner. You can change or withdraw your choice at any time via the cookie settings on the Website.
We currently place the following cookies and services:
| Service | Provider | Category | Purpose | Consent | Retention |
|---|---|---|---|---|---|
| Cookie consent (CMP) | Engyon | Strictly necessary | Remembering your cookie choice | No | approx. 12 months |
| Session and security cookies | Engyon | Strictly necessary | Logging in, session management and security | No | Session |
| Google Tag Manager | Functional | Managing scripts and tags on the Website | No | Does not set cookies itself | |
| Google Fonts | Functional | Correct display of fonts | No | - | |
| Google CDN | Content Delivery Network | Faster and reliable loading of website content | No | - | |
| Google Analytics 4 | Analytics | Measuring visits to and use of the Website | Yes | up to 24 months (_ga) |
We place analytics cookies only after you have given your consent. In doing so, Google Analytics may process data, including your IP address, to Google; see the section International transfers.
If you are an Engyon customer, we may email you about similar services, product updates and relevant news, on the basis of our legitimate interest. If you are not a customer, we do so only with your consent. In both cases:
We do not sell your personal data. We do engage carefully selected sub-processors that process data on our instructions and under our direction, such as our hosting provider (AWS), email and communication provider, payment service provider, and support and analytics tooling. We enter into data processing agreements with these parties and remain responsible for their conduct.
The current list of approved sub-processors is publicly available at https://trust.engyon.eu/subprocessors. We inform our customers of new sub-processors in accordance with the DPA.
In addition, we may share data where legally required, in response to a request from a competent authority, or in the context of a business transfer; in the latter case we will notify you before your data becomes subject to a different privacy policy.
We process your personal data within the European Economic Area (EEA). Our Service is hosted on the infrastructure of Amazon Web Services in Frankfurt (Germany) and in the Netherlands.
Where a sub-processor processes data outside the EEA, we ensure an adequate level of protection, for example on the basis of an adequacy decision by the European Commission or the Standard Contractual Clauses with additional safeguards. For example, our analytics provider (Google) may transfer data to the United States; this only happens after you have given consent and on the basis of the EU-US Data Privacy Framework and, where necessary, the Standard Contractual Clauses. You may request information from us about the safeguards applied.
We do not retain your personal data longer than necessary for the purposes for which it was collected, or as long as legally required.
| Category | Retention period |
|---|---|
| Account and profile data | For as long as the account is active; thereafter deleted in accordance with the agreement and the DPA |
| Client data in the platform | Retrievable up to 60 days after termination; thereafter securely deleted (in accordance with the DPA) |
| Billing and administrative data | 7 years (statutory tax retention obligation) |
| Communication and support data | 24 months after handling |
| Data of prospects / leads | Until consent is withdrawn, or 18 months after the last contact |
| Usage and log data | 12 months, unless longer is needed for security |
| Cookie data | In accordance with the lifespan of each cookie (see cookie table) |
The security of your data is important to us. Our Service runs on AWS infrastructure and Engyon is ISO/IEC 27001 certified. We take appropriate technical and organisational measures, including encryption of data, access control, multi-factor authentication (MFA) and regular security assessments. Personnel with access to personal data are bound by confidentiality. An overview of our security measures (Information Security Overview) is available on request. However, no method of transmission or storage is entirely secure; we cannot guarantee absolute security.
In the event of a data breach that poses a risk to your rights and freedoms, we will report it to the Dutch Data Protection Authority within 72 hours and, where required, to you.
Under the GDPR, you have the following rights regarding your personal data:
You can exercise your rights by contacting us at info@engyon.eu. We will in principle respond within one month. To handle your request, we may ask you to confirm your identity.
If you disagree with how we handle your data, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
In the context of this Privacy Policy, we do not take decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.
When our customers enter client data into the Engyon platform for the purpose of financial audits and CSRD assurance, Engyon acts as a processor and the customer as the controller. This typically concerns data of the customer's employees, contractors and clients, such as names, contact details and employment data.
Engyon processes that data only in accordance with the customer's documented instructions and the terms of the DPA. Engyon does not use client data for its own purposes and does not use it to train AI models outside the Engyon software. Data breaches are reported to the relevant customer within 24 hours. Following termination of the agreement, entered data can be retrieved for up to 60 days, after which it is securely deleted.
If your request concerns data entered into the platform by a customer, please contact that customer as the controller.
Our Service is not directed at persons under the age of 16, and we do not knowingly collect their data. If you believe we have collected data from a minor without the required consent, please contact us so that we can delete it.
Our Service may contain links to third-party websites. We have no control over, and accept no responsibility for, the content and privacy policies of those websites. We encourage you to review the privacy policy of every site you visit.
We may update this Privacy Policy from time to time. When we do, we will update the 'Last updated' date at the top of this page and, for significant changes, notify you by email or through a prominent notice in the Service. We encourage you to review this Policy periodically.
If you have any questions about this Privacy Policy or about the processing of your data, please contact us: