Privacy & Cookie Policy

Last updated: March 2026 — Version 1.0

1. Data Controller

Controller	Aldewereld Consultancy, h.o.d.n. SourceParts.eu
Legal Form	Eenmanszaak (Sole Proprietorship)
Owner / Proprietor	Nick Aldewereld
Address	Nieuwe Hemweg 26, 1013CX Amsterdam, The Netherlands
KvK	61862533
BTW-ID (VAT)	NL002168402B79
Email (Privacy)	privacy@sourceparts.eu
General Email	iwant2@sourceparts.eu
Supervisory Authority	Autoriteit Persoonsgegevens, The Hague, The Netherlands — autoriteitpersoonsgegevens.nl

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with us:

2.1 Data you provide directly

Category	Examples	When
Identity data	Name, company name, job title	Account creation, orders, inquiries
Contact data	Email address, phone number, postal address	Account creation, orders, inquiries
Financial data	Bank account details, VAT number, payment information	Orders, invoicing
Order data	Products ordered, quantities, delivery preferences	Purchases, quotes
Technical data	PCB designs, BOM files, DFM specifications	Design services, manufacturing orders
Communication data	Email correspondence, support tickets	Customer support, project coordination

2.2 Data collected automatically

Category	Examples	Purpose
Usage data	Pages visited, features used, time spent	Platform improvement (with consent)
Device data	Browser type, operating system, screen resolution	Technical compatibility
Network data	IP address, approximate location (country/city)	Security, fraud prevention
Cookie data	See Section 10 (Cookie Policy)	See Section 10

2.3 Data we do NOT collect

We do not collect special categories of personal data (Article 9 GDPR) such as racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or data concerning sexual orientation. We do not engage in automated decision-making or profiling that produces legal effects.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6(1) GDPR:

Legal Basis	When Applied
Contract performance Art. 6(1)(b)	Processing necessary to fulfill an order, deliver Products, provide Services, manage your account, and handle returns or complaints.
Legal obligation Art. 6(1)(c)	Tax and accounting records, export control compliance, sanctions screening, fraud prevention, and responding to lawful requests from authorities.
Legitimate interest Art. 6(1)(f)	Platform security and fraud prevention, improving our Services, internal analytics (aggregated), business-to-business marketing communications to existing customers, and protecting our legal rights.
Consent Art. 6(1)(a)	Non-essential cookies and tracking, newsletter subscriptions, and marketing communications to individuals who have not previously purchased from us. You may withdraw consent at any time.

4. Purposes of Processing

We use your personal data for the following purposes:

1. Order fulfillment: Processing and shipping orders, managing payments, providing order confirmations and tracking information.
2. Service delivery: Performing DFM analysis, design reviews, manufacturing support, and managed services.
3. Account management: Creating and managing your user account, providing access to Platform features.
4. Customer support: Responding to inquiries, resolving complaints, providing technical assistance.
5. Legal compliance: Export control screening, sanctions compliance, tax obligations, regulatory reporting.
6. Platform improvement: Analyzing usage patterns (aggregated) to improve functionality and user experience.
7. Security: Detecting and preventing fraud, unauthorized access, and other malicious activities.
8. Communication: Sending transactional emails (order confirmations, shipping updates), and — with your consent — marketing communications about products and services.

5. Data Sharing & Recipients

We share your personal data only when necessary and with appropriate safeguards:

Recipient Category	Purpose	Safeguards
Payment processors	Processing payments (iDEAL, credit card, etc.)	PCI DSS compliant, DPA in place
Shipping carriers	Delivering products	DPA in place, minimum data shared
Hosting providers	Website and platform infrastructure	EU-based servers, DPA in place
Financing partners	Processing managed service contracts	Separate agreement, NL-based
Installation partners	On-site installation services	DPA in place, minimum data shared
Tax and legal advisors	Legal compliance, dispute resolution	Professional confidentiality
Government authorities	When legally required (tax, customs, export controls)	Only upon lawful request

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA) on servers located in the Netherlands.

Source Parts has operations in Shenzhen, China, and New York, USA. In cases where personal data needs to be accessed from outside the EEA for operational purposes (such as manufacturing coordination), we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
• Data minimization: Only necessary data is shared for specific operational purposes
• Encryption: Data is encrypted in transit and at rest

We do not transfer bulk customer personal data outside the EEA. Technical design files and manufacturing specifications are handled under separate confidentiality agreements.

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

Data Category	Retention Period	Basis
Account data	Duration of account + 12 months	Contract performance
Order & invoice data	7 years from transaction date	Dutch tax law (AWR)
Export control records	5-10 years depending on regulation	EU/national export control law
Communication records	3 years from last contact	Legitimate interest
Cookie data	See Section 10	Consent
Marketing consent	Until consent is withdrawn	Consent

After the retention period expires, data is securely deleted or anonymized.

8. Your Rights

Right	Description
Access (Art. 15)	Request a copy of the personal data we hold about you.
Rectification (Art. 16)	Request correction of inaccurate or incomplete personal data.
Erasure (Art. 17)	Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Restriction (Art. 18)	Request restriction of processing in certain circumstances.
Data Portability (Art. 20)	Receive your personal data in a structured, machine-readable format.
Objection (Art. 21)	Object to processing based on legitimate interests, including direct marketing.
Withdraw Consent (Art. 7)	Withdraw previously given consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Automated Decisions (Art. 22)	You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. We do not currently engage in such processing.
Lodge a Complaint	You have the right to lodge a complaint with the Autoriteit Persoonsgegevens or the supervisory authority in your EU member state of residence.

9. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption: TLS/SSL encryption for all data in transit. AES-256 encryption for data at rest on our servers.
• Infrastructure: EU-based colocated servers in Amsterdam with military-grade hardening, LUKS2 full-disk encryption, and comprehensive audit logging.
• Access control: Role-based access control (RBAC), multi-factor authentication for administrative access, and principle of least privilege.
• Monitoring: Intrusion detection systems, regular security audits, and vulnerability assessments.
• Incident response: Documented breach notification procedures in compliance with Article 33 and 34 GDPR (notification to authorities within 72 hours of becoming aware of a breach, notification to affected individuals when required).

10. Cookie Policy

10.1 What are cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide you with a good experience and allow us to improve our site.

10.2 Cookies we use

Cookie Type	Purpose	Duration	Consent Required
Strictly Necessary	Essential for website functionality: session management, security, language preference.	Session / 1 year	No (Art. 6(1)(f) GDPR)
Functional	Remember your preferences and settings (e.g., selected language).	1 year	No (Art. 6(1)(f) GDPR)
Analytics	Understand how visitors use our website (aggregated, anonymized). See Section 11.	Up to 2 years	Yes
Marketing	Currently not used. If introduced, will require explicit consent.	N/A	Yes

10.3 Managing cookies

When you first visit our website, a cookie consent banner allows you to accept or decline non-essential cookies. You can change your cookie preferences at any time by:

• Clicking the "Cookie Settings" link in the footer of any page
• Adjusting your browser settings to block or delete cookies
• Using browser extensions that manage cookie consent

Please note that blocking essential cookies may affect the functionality of our website.

10.4 Third-party cookies

We minimize the use of third-party cookies. If we use any third-party services that place cookies (such as analytics providers), these are listed in the table above and require your explicit consent before activation.

11. Analytics & Tracking

We may use privacy-friendly analytics solutions to understand how visitors use our Platform. If analytics cookies are used, they will only be activated after you have given explicit consent via our cookie banner.

Where possible, we use anonymized or aggregated data for analytics purposes so that individual visitors cannot be identified. We do not use Google Analytics or other tracking tools that transfer data to the United States without appropriate safeguards.

12. Minors

Our Platform and Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@sourceparts.eu and we will delete such data.

13. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time. Changes will be published on this page with an updated "Last updated" date. Material changes that affect your rights will be communicated via email to registered users at least 30 days before they take effect.

We encourage you to review this page periodically for the latest information on our privacy practices.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data:

Privacy inquiries	privacy@sourceparts.eu
General inquiries	iwant2@sourceparts.eu
Postal address	Aldewereld Consultancy — Attn: Privacy Nieuwe Hemweg 26, 1013CX Amsterdam, The Netherlands

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

© 2024-2026 Aldewereld Consultancy — All rights reserved.
This Privacy & Cookie Policy complies with the General Data Protection Regulation (EU 2016/679), the Dutch UAVG, the ePrivacy Directive (2002/58/EC), and the Dutch Telecommunications Act (Telecommunicatiewet). This document is provided for informational purposes and does not constitute legal advice.