title: "Privacy Policy"
company: "Enigma Labs BV"
effective_date: "January 22, 2026"
last_updated: "January 28, 2026"
version: "1.0"
sections:
- id: "summary"
  title: "Plain-Language Summary"
- id: "introduction"
  title: "Introduction"
- id: "information-we-collect"
  title: "Information We Collect"
- id: "how-we-use-information"
  title: "How We Use Your Information"
- id: "legal-bases"
  title: "Legal Bases for Processing"
- id: "data-sharing"
  title: "Data Sharing and Disclosure"
- id: "international-transfers"
  title: "International Data Transfers"
- id: "data-retention"
  title: "Data Retention"
- id: "data-security"
  title: "Data Security"
- id: "your-rights"
  title: "Your Rights Under GDPR"
- id: "cookies"
  title: "Cookies and Tracking Technologies"
- id: "third-party-links"
  title: "Third-Party Links and Services"
- id: "childrens-privacy"
  title: "Children's Privacy"
- id: "processor-role"
  title: "Data Processing on Behalf of Customers"
- id: "changes"
  title: "Changes to This Policy"
- id: "governing-law"
  title: "Governing Law and Jurisdiction"
- id: "contact"
  title: "Contact Information"
Privacy Policy
Plain-Language Summary
This summary provides a quick overview of our Privacy Policy. For complete details, please read the full policy below.
Who we are: Enigma Labs BV is a Dutch cybersecurity company providing B2B threat detection and network monitoring services. We are registered in Amsterdam (KvK 99568322).
What data we collect: We collect business contact information, account details, security logs, network metadata, and data necessary to provide our cybersecurity services. We do not collect data from consumers or children.
Why we collect it: We use your data to provide our services, maintain security, comply with legal obligations, and improve our platform.
Your rights: Under GDPR, you have rights to access, correct, delete, and port your data, as well as object to certain processing. You can exercise these rights by contacting us.
Data transfers: We may transfer data outside the European Economic Area using approved safeguards like Standard Contractual Clauses.
How to contact us: For privacy questions, email privacy@enigmalabs.nl. For data protection matters, contact our DPO at dpo@enigmalabs.nl.
1. Introduction
1.1 Who We Are
Enigma Labs BV ("we," "us," "our," or the "Company") is a Besloten Vennootschap (Dutch private limited company) registered in the Netherlands. We provide B2B cybersecurity solutions, including AI-powered threat detection, network monitoring, vulnerability assessment, and compliance management services.
Company Details:
- Legal Name: Enigma Labs BV
- Registered Address: Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands
- Chamber of Commerce (KvK) Number: 99568322
- Website: https://enigmalabs.nl
- Privacy Contact: privacy@enigmalabs.nl
1.2 Scope of This Policy
This Privacy Policy explains how we collect, use, store, and protect personal data when you:
- Visit our website at https://enigmalabs.nl
- Use our cybersecurity platform and services
- Communicate with us regarding our services
- Enter into a contractual relationship with us
This policy applies to all personal data we process as a Data Controller under the General Data Protection Regulation (GDPR). For data we process on behalf of our enterprise customers, we act as a Data Processor (see Section 14).
1.3 Regulatory Framework
This Privacy Policy is designed to comply with:
- Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR")
- The Dutch GDPR Implementation Act (Uitvoeringswet AVG)
- Guidelines issued by the European Data Protection Board (EDPB)
- Guidance from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
2. Information We Collect
We collect different categories of personal data depending on our relationship with you and the services you use.
2.1 Information You Provide Directly
Account and Contact Information:
- Full name and job title
- Business email address and phone number
- Company name and department
- Billing address and payment information
- Account credentials (username, encrypted password)
Communications Data:
- Email correspondence and support tickets
- Meeting notes and call recordings (with consent)
- Feedback and survey responses
- Information provided during sales inquiries
Contractual Information:
- Signed agreements and order forms
- Purchase order numbers and invoicing details
- Authorized user lists and access permissions
2.2 Information Collected Automatically
Technical and Usage Data:
- IP addresses and device identifiers
- Browser type, version, and language
- Operating system and platform
- Referral source and exit pages
- Pages viewed and features accessed
- Date, time, and duration of visits
- Error logs and system performance data
Security and Network Data: When you use our cybersecurity platform, we process:
- Network traffic metadata (packet headers, connection logs)
- Security event logs and alerts
- Authentication and access logs
- Threat intelligence indicators
- Vulnerability scan results
- System configuration data
Note: Our agentless monitoring is designed to analyze network patterns and metadata rather than content. We do not intentionally collect personal data embedded in network traffic unless necessary for threat detection and with appropriate legal basis.
2.3 Information from Third Parties
We may receive personal data from:
- Business partners and resellers
- Public directories and professional networks (e.g., LinkedIn)
- Credit reference agencies (for due diligence)
- Regulatory and law enforcement agencies (when legally required)
2.4 Special Categories of Personal Data
We do not intentionally collect special categories of personal data as defined in Article 9 GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data). If such data is inadvertently collected through security monitoring, we implement strict access controls and deletion procedures.
3. How We Use Your Information
We process personal data for the following purposes, each with a specific legal basis under GDPR:
3.1 Service Provision and Contract Performance
Purpose: To deliver our cybersecurity services, maintain your account, and fulfill our contractual obligations.
Activities:
- Provisioning and configuring the platform
- Authenticating users and managing access
- Processing network monitoring and threat detection
- Generating security reports and alerts
- Providing customer support and technical assistance
- Processing payments and invoices
Legal Basis: Article 6(1)(b) GDPR — Processing is necessary for the performance of a contract to which you are a party.
3.2 Legal and Regulatory Compliance
Purpose: To comply with applicable laws, regulations, and legal obligations.
Activities:
- Maintaining financial and accounting records
- Responding to legal requests and court orders
- Cooperating with regulatory investigations
- Filing required reports with authorities
- Complying with cybersecurity and data protection laws
- Preventing fraud and illegal activities
Legal Basis: Article 6(1)(c) GDPR — Processing is necessary for compliance with a legal obligation to which we are subject.
3.3 Legitimate Business Interests
Purpose: To operate, secure, and improve our business and services.
Activities:
- Ensuring network and information security
- Preventing unauthorized access and cyberattacks
- Monitoring service performance and reliability
- Conducting data analytics to improve our platform
- Developing new features and capabilities
- Managing business operations and internal reporting
- Enforcing our terms and protecting legal rights
- Preventing fraud and abuse
Legal Basis: Article 6(1)(f) GDPR — Processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by your fundamental rights and freedoms.
Legitimate Interests Assessment: Our legitimate interests include maintaining a secure and reliable cybersecurity platform, improving our services to better protect our customers, and operating a sustainable business. We have conducted a balancing test to ensure these interests do not unjustifiably infringe on your privacy rights. You have the right to object to processing based on legitimate interests (see Section 10).
3.4 Marketing and Business Development (with Consent)
Purpose: To communicate about our products, services, and industry developments.
Activities:
- Sending newsletters and product updates
- Inviting you to events and webinars
- Sharing thought leadership and security insights
- Conducting market research
Legal Basis: Article 6(1)(a) GDPR — Consent. You may withdraw consent at any time by clicking "unsubscribe" in our emails or contacting privacy@enigmalabs.nl.
3.5 Vital Interests and Public Interest
In rare circumstances, we may process personal data to protect vital interests (e.g., preventing imminent harm) or for tasks carried out in the public interest related to cybersecurity threat sharing.
4. Legal Bases for Processing
In accordance with Article 6 GDPR, we rely on the following legal bases for processing personal data:
4.1 Consent (Article 6(1)(a))
We obtain explicit consent for:
- Marketing communications
- Non-essential cookies and tracking technologies
- Processing special categories of personal data (if applicable)
Consent must be freely given, specific, informed, and unambiguous. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.2 Contract Performance (Article 6(1)(b))
Processing is necessary for contract performance when:
- Providing our cybersecurity platform and services
- Managing your account and user access
- Delivering customer support
- Processing payments
4.3 Legal Obligation (Article 6(1)(c))
We process data to comply with legal obligations including:
- Tax and accounting requirements
- Data retention laws
- Regulatory reporting obligations
- Court orders and legal process
4.4 Vital Interests (Article 6(1)(d))
May apply in emergency situations involving the protection of life.
4.5 Public Interest (Article 6(1)(e))
May apply for tasks related to cybersecurity information sharing in the public interest.
4.6 Legitimate Interests (Article 6(1)(f))
Our legitimate interests include:
- Information Security: Protecting our systems, network, and data from unauthorized access, attacks, and breaches
- Service Improvement: Analyzing usage patterns to enhance platform functionality and user experience
- Business Operations: Managing our company, conducting audits, and ensuring business continuity
- Legal Protection: Establishing, exercising, or defending legal claims
- Fraud Prevention: Detecting and preventing fraudulent activities
We conduct a Legitimate Interests Assessment (LIA) for processing activities relying on this basis to ensure our interests are balanced against your privacy rights.
5. Data Sharing and Disclosure
5.1 Categories of Recipients
We may share personal data with the following categories of recipients:
Service Providers and Sub-processors:
- Cloud infrastructure providers (hosting and storage)
- Payment processors
- Customer relationship management (CRM) platforms
- Email and communication service providers
- Analytics and monitoring tools
- IT support and maintenance providers
Professional Advisors:
- Legal counsel
- Accountants and auditors
- Insurance providers
- Consultants and professional service firms
Business Partners:
- Authorized resellers and distributors
- Technology integration partners
- Joint marketing partners (with consent)
Regulatory and Legal Authorities:
- Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- Law enforcement agencies
- Courts and tribunals
- Regulatory bodies with jurisdiction over our operations
5.2 Sub-processor Management
We engage sub-processors to assist in delivering our services. These include cloud hosting providers, payment processing services, email delivery services, and customer support platforms. All sub-processors are bound by contractual obligations to protect personal data in accordance with GDPR requirements.
A complete and current list of sub-processors is available upon request to privacy@enigmalabs.nl. We notify customers of any intended changes to sub-processors with at least 30 days' notice.
5.3 No Sale of Personal Data
We do not sell personal data to third parties. We do not engage in data brokering or monetization of personal information.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity. We will ensure the recipient agrees to protect your personal data consistent with this Privacy Policy and applicable law. You will be notified of any such change in ownership.
5.5 Legal Disclosures
We may disclose personal data when required by law, including:
- To comply with legal process (subpoenas, court orders)
- To respond to requests from public authorities
- To enforce our terms and agreements
- To protect our rights, property, or safety
- To prevent fraud or illegal activity
6. International Data Transfers
6.1 Transfers Within the EEA
Personal data transferred within the European Economic Area (EEA) is protected under GDPR without requiring additional safeguards.
6.2 Transfers Outside the EEA
We may transfer personal data to countries outside the EEA, including:
- United States (for cloud infrastructure and SaaS tools)
- United Kingdom (post-Brexit, under adequacy decision)
- Other jurisdictions where our sub-processors operate
6.3 Safeguards for International Transfers
For transfers to countries without an EU adequacy decision, we implement appropriate safeguards:
Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses (2021/914) for transfers to third countries. These contractual terms provide appropriate safeguards for personal data protection.
Adequacy Decisions: We rely on adequacy decisions adopted by the European Commission for transfers to countries deemed to provide adequate protection (e.g., UK, and other jurisdictions with adequacy status).
Binding Corporate Rules (BCRs): Where applicable, we may implement Binding Corporate Rules for intra-group transfers.
Additional Technical Safeguards:
- Encryption of data in transit (TLS 1.2 or higher)
- Encryption of data at rest (AES-256)
- Access controls and authentication measures
- Regular security assessments of sub-processors
6.4 US Transfers
For transfers to the United States:
- We have implemented Standard Contractual Clauses with our US-based sub-processors
- We conduct Transfer Impact Assessments (TIAs) for US transfers
- We monitor legal developments regarding US surveillance laws (FISA 702, EO 12333)
- We implement supplementary measures where necessary to ensure an essentially equivalent level of protection
You may request a copy of our Standard Contractual Clauses and Transfer Impact Assessments by contacting dpo@enigmalabs.nl.
7. Data Retention
7.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Fulfilling contractual obligations
- Complying with legal and regulatory requirements
- Resolving disputes and enforcing agreements
- Maintaining security and preventing fraud
7.2 Specific Retention Periods
| Data Category | Retention Period | Basis |
|--------------|------------------|-------|
| Account and contact information | Duration of contract + 7 years | Legal obligation (tax/accounting) |
| Billing and payment records | 7 years | Dutch tax law requirement |
| Security logs and audit trails | 1-3 years | Legitimate interest (security) |
| Network monitoring data | 90 days - 1 year | Contract performance, security |
| Marketing communications data | Until consent withdrawal + 2 years | Consent, legitimate interest |
| Support tickets and correspondence | 3 years after case closure | Contract performance, legal protection |
| Cookie and analytics data | 13-26 months | Consent, legitimate interest |
| Threat intelligence data | Indefinite (anonymized) | Legitimate interest (security) |
7.3 Retention Criteria
The specific retention period depends on:
- Nature of the data: Sensitive data receives shorter retention periods
- Purpose of processing: Data retained only as long as needed for its original purpose
- Legal requirements: Mandatory retention periods under applicable law
- Contractual obligations: Retention required by customer agreements
- Potential disputes: Extended retention where litigation is anticipated
7.4 Data Deletion and Anonymization
At the end of the retention period, we:
- Securely delete personal data using industry-standard methods
- Or anonymize data so it can no longer identify individuals
- Maintain evidence of deletion for audit purposes
Upon contract termination, customers may request return or deletion of their data in accordance with our Data Processing Agreement.
8. Data Security
8.1 Security Commitment
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of data transmission or storage can be guaranteed to be completely secure. While we strive to use commercially acceptable means to protect your personal data, we provide security measures on an "as-is" basis and cannot guarantee absolute security.
8.2 Technical Measures
Encryption:
- Data in transit: TLS 1.2 or higher for all data transmissions
- Data at rest: AES-256 encryption for stored data
- Key management: Hardware Security Modules (HSMs) for key protection
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for all administrative access
- Principle of least privilege
- Regular access reviews and recertification
Network Security:
- Firewalls and intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection
- Regular vulnerability scanning and penetration testing
System Security:
- Regular security patching and updates
- Anti-malware and endpoint protection
- Secure software development lifecycle (SDLC)
- Code reviews and security testing
8.3 Organizational Measures
Policies and Procedures:
- Information Security Policy (aligned with ISO 27001)
- Acceptable Use Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
Personnel Security:
- Background checks for employees with data access
- Confidentiality agreements
- Regular security awareness training
- Phishing simulation exercises
Physical Security:
- Secure data center facilities with access controls
- Environmental controls and monitoring
- Equipment disposal procedures
8.4 Data Breach Notification
In the event of a personal data breach:
- We will notify the Dutch Data Protection Authority within 72 hours of becoming aware of the breach, where feasible
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay
- For enterprise customers, we will notify the designated contact within 48 hours of a confirmed breach affecting their data
- We maintain an internal breach register documenting all breaches and our response
8.5 Limitation of Liability
While we implement reasonable security measures appropriate to the risk, we cannot be held liable for:
- Unauthorized access resulting from circumstances beyond our reasonable control
- Security breaches caused by third-party services outside our control
- Losses resulting from your failure to maintain credential confidentiality
- Circumstances constituting force majeure (see Section 16.4)
Your obligations regarding data accuracy and credential security are further detailed in our Terms of Service. Our liability for data breaches is limited to the extent permitted by applicable law and subject to the limitations in our Terms of Service.
9. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
9.1 Right of Access (Article 15)
You have the right to obtain:
- Confirmation of whether we process your personal data
- Access to your personal data
- Information about the processing (purposes, categories, recipients, retention periods)
- A copy of your personal data (in a commonly used electronic format)
How to exercise: Submit a written request to privacy@enigmalabs.nl with proof of identity.
Response time: Within one month of receipt (extendable to three months for complex requests).
Fee: Free for the first copy; reasonable fee for additional copies.
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete data.
How to exercise: Contact privacy@enigmalabs.nl or update your account information directly through our platform where available.
Response time: Without undue delay, typically within one month.
9.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and we have no overriding legitimate grounds
- The data was unlawfully processed
- Deletion is required by law
Exceptions: This right does not apply where processing is necessary for:
- Exercising the right of freedom of expression
- Compliance with a legal obligation
- Performance of a task carried out in the public interest
- Establishing, exercising, or defending legal claims
How to exercise: Submit a written request to privacy@enigmalabs.nl with proof of identity and grounds for erasure.
9.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing when:
- You contest the accuracy of the data (for verification period)
- Processing is unlawful but you oppose erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of our legitimate grounds
Effect: During restriction, we will only store the data and process it with your consent or for legal claims.
9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when:
- Processing is based on consent or contract performance
- Processing is carried out by automated means
How to exercise: Contact privacy@enigmalabs.nl specifying your preferred format (JSON, CSV, XML).
9.6 Right to Object (Article 21)
You have the right to object to processing based on:
- Legitimate interests (Article 6(1)(f)): We must stop processing unless we demonstrate compelling legitimate grounds that override your interests
- Direct marketing: We must stop processing immediately for marketing purposes
- Research or statistical purposes: Unless processing is necessary for public interest tasks
How to exercise: Contact privacy@enigmalabs.nl or click "unsubscribe" in marketing emails.
9.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless:
- Necessary for contract performance
- Authorized by law with suitable safeguards
- Based on your explicit consent
Our AI-powered threat detection involves automated analysis but does not make solely automated decisions with legal or significant effects on individuals. We do not engage in profiling that produces legal effects on individuals. Human review is always available for security alerts affecting user access.
9.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise: Contact privacy@enigmalabs.nl or adjust preferences in your account settings.
9.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing violates GDPR.
Dutch Supervisory Authority:
- Name: Autoriteit Persoonsgegevens (AP)
- Address: Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
- Phone: +31 70 888 8500
- Website: https://autoriteitpersoonsgegevens.nl
- Email: info@autoriteitpersoonsgegevens.nl
You may also lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.
9.10 Exercising Your Rights
To exercise any of these rights:
- Submit a written request to privacy@enigmalabs.nl or dpo@enigmalabs.nl
- Include proof of identity (copy of ID with sensitive information redacted)
- Specify which right you are exercising and provide relevant details
- We will acknowledge your request within 5 business days
- We will respond substantively within one month (extendable to three months for complex requests)
- We may charge a reasonable fee for manifestly unfounded or excessive requests
10. Cookies and Tracking Technologies
10.1 Cookie Usage
Our website and platform use cookies and similar technologies to enhance user experience, analyze usage, and deliver targeted content.
10.2 Types of Cookies
Essential Cookies (Strictly Necessary):
- Purpose: Enable core functionality (authentication, security, session management)
- Legal basis: Legitimate interest (Article 6(1)(f))
- Cannot be disabled without affecting service functionality
Analytics Cookies:
- Purpose: Understand website usage and improve services
- Legal basis: Consent (Article 6(1)(a))
- Data is aggregated and anonymized where possible
Functionality Cookies:
- Purpose: Remember preferences and settings
- Legal basis: Consent (Article 6(1)(a))
- Examples: Language preferences, display settings
Marketing Cookies:
- Purpose: Deliver relevant advertisements and track campaign effectiveness
- Legal basis: Consent (Article 6(1)(a))
- May include tracking pixels and social media cookies
10.3 Cookie Management
You can manage cookie preferences through:
- Our cookie consent banner (appears on first visit)
- Browser settings to block or delete cookies
- Third-party opt-out tools
Browser Settings:
- Chrome: Settings → Privacy and Security → Cookies
- Firefox: Preferences → Privacy & Security → Cookies
- Safari: Preferences → Privacy → Cookies
- Edge: Settings → Cookies and Site Permissions
10.4 Cookie Policy
For detailed information about the specific cookies we use, their purposes, and retention periods, please refer to our Cookie Policy.
10.5 Do Not Track Signals
We do not currently respond to "Do Not Track" browser signals. However, you can opt out of tracking through the mechanisms described above.
11. Third-Party Links and Services
11.1 External Links
Our website and communications may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those third parties.
11.2 Disclaimer
We are not responsible for:
- The privacy practices of third-party websites
- The content or security of external sites
- Any personal data you provide to third parties
Access to third-party services is at your sole discretion and risk. We recommend reviewing the privacy policies of any third-party sites you visit.
11.3 Integrated Third-Party Services
Our platform may integrate with third-party services (e.g., SSO providers, cloud storage). Your use of these integrations is subject to the third party's terms and privacy policy.
12. Children's Privacy
12.1 Not Intended for Children
Our services are designed for and directed at businesses and organizations. We do not knowingly collect personal data from individuals under the age of 16.
12.2 Age Verification
By using our services, you represent that you are at least 16 years old and have the authority to bind your organization to our terms.
12.3 Discovery of Underage Data
If we become aware that we have collected personal data from a child under 16 without parental consent, we will:
- Take immediate steps to delete the information
- Terminate any associated accounts
- Notify the relevant customer organization
If you believe we may have collected data from a child under 16, please contact us immediately at privacy@enigmalabs.nl.
13. Data Processing on Behalf of Customers
13.1 Controller vs. Processor Distinction
Important Legal Distinction:
- When we act as Data Controller: For data we collect directly from you (e.g., account information, website usage, direct communications), Enigma Labs BV is the Data Controller responsible for this Privacy Policy.
- When we act as Data Processor: For personal data our customers upload to or process through our platform (e.g., employee data for identity management, network traffic data), Enigma Labs BV acts as a Data Processor and our customers are the Data Controllers.
13.2 Processor Obligations
When acting as a Data Processor, we:
- Process personal data only on documented instructions from the Data Controller
- Ensure personnel confidentiality commitments
- Implement appropriate security measures
- Engage sub-processors only with Controller authorization
- Assist Controllers in responding to data subject requests
- Assist Controllers with security and breach notification obligations
- Delete or return data at the end of the contract
- Provide information for compliance demonstrations
13.3 Data Processing Agreement (DPA)
Enterprise customers must execute our Data Processing Agreement (DPA), which:
- Documents our processor obligations under Article 28 GDPR
- Specifies the subject matter, duration, nature/purpose of processing
- Defines the types of personal data and data subjects
- Lists authorized sub-processors
- Includes Standard Contractual Clauses for international transfers
To request a copy of our DPA, contact privacy@enigmalabs.nl or your account representative.
13.4 Customer Responsibilities
As Data Controllers, our customers are responsible for:
- Obtaining lawful basis for processing end-user data
- Providing privacy notices to their employees and end-users
- Responding to data subject requests regarding their data
- Ensuring their data processing instructions comply with applicable law
13.5 Record of Processing Activities
We maintain a Record of Processing Activities in accordance with Article 30 GDPR, available to supervisory authorities upon request.
14. Changes to This Policy
14.1 Policy Updates
We may update this Privacy Policy from time to time to reflect:
- Changes in our business practices
- New products or services
- Legal and regulatory developments
- Changes in technology or security practices
14.2 Notification of Changes
- Material changes: We will notify you via email or prominent notice on our website at least 30 days before the changes take effect.
- Non-material changes: We may update the policy without prior notice; the "Last Updated" date will reflect the change.
14.3 Version Control
This Privacy Policy includes version control through:
- Version number (see frontmatter)
- Effective date
- Last updated date
Previous versions are available upon request.
14.4 Acceptance of Changes
Continued use of our services after changes take effect constitutes acceptance of the revised Privacy Policy. If you do not agree with the changes, you must discontinue use of our services.
15. Governing Law and Jurisdiction
15.1 Governing Law
This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of the Netherlands, without regard to conflict of law principles.
15.2 Jurisdiction
Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.
15.3 Alternative Dispute Resolution
We encourage amicable resolution of disputes. Before initiating legal proceedings, please contact us at privacy@enigmalabs.nl to attempt resolution. We will acknowledge all privacy complaints within 5 business days and provide a substantive response within 30 days.
15.4 Force Majeure
We shall not be liable for any failure or delay in performing our obligations under this Privacy Policy where such failure or delay results from circumstances beyond our reasonable control, including but not limited to:
- Acts of God, natural disasters, or pandemics
- War, terrorism, or civil unrest
- Government actions or regulations
- Internet or telecommunications failures
- Cyberattacks or security incidents beyond our reasonable control
15.5 Severability
If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed and the remaining provisions shall continue in full force and effect.
15.6 Entire Agreement
This Privacy Policy, together with our Terms of Service and Data Processing Agreement (where applicable), constitutes the entire agreement between you and Enigma Labs BV regarding the processing of personal data and supersedes all prior agreements and understandings.
15.7 Waiver
No waiver of any provision of this Privacy Policy shall be effective unless in writing and signed by the waiving party. Failure to enforce any right shall not constitute a waiver of that right.
16. Contact Information
16.1 Privacy Inquiries
For general privacy questions, data subject requests, or concerns about this Privacy Policy:
Email: privacy@enigmalabs.nl
Postal Address: Enigma Labs BV, Attn: Privacy Team, Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands
16.2 Data Protection Officer
We have voluntarily appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and compliance.
DPO Contact:
- Email: dpo@enigmalabs.nl
- Postal Address: Same as above, Attn: Data Protection Officer
The DPO can be contacted directly for:
- Questions about our data protection practices
- Concerns about how we handle personal data
- Data subject requests
- Data breach notifications
- Regulatory inquiries
16.3 Supervisory Authority
You have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens (AP)
- Address: Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
- Phone: +31 70 888 8500
- Website: https://autoriteitpersoonsgegevens.nl
- Email: info@autoriteitpersoonsgegevens.nl
16.4 General Support
For non-privacy-related support inquiries:
- Email: support@enigmalabs.nl
- Website: https://enigmalabs.nl/support
Document Information
| Field | Details |
|-------|---------|
| Document Title | Privacy Policy |
| Company | Enigma Labs BV |
| Version | 1.0 |
| Effective Date | January 22, 2026 |
| Last Updated | January 28, 2026 |
| Jurisdiction | Netherlands / European Union |
| Applicable Law | GDPR (EU) 2016/679, Dutch Uitvoeringswet AVG |
This Privacy Policy was prepared in accordance with the General Data Protection Regulation (GDPR) and Dutch data protection law. It is intended to provide transparency about our data processing activities while protecting the legitimate interests of Enigma Labs BV and our customers.