Lire notre politique de confidentialité

This privacy policy (hereinafter referred to as “Privacy Policy”) applies to the processing activities by 9altitudes BV and its affiliated entities (hereafter ‘9altitudes’). 9altitudes BV has its headquarters at Beneluxpark 7, 8500 Kortrijk, Belgium and is registered in the Crossroads Bank for Enterprises under number 0802.069.244 (e-mail: info@9altitudes.com). 

The protection of your privacy and handling your personal data in a responsible manner are of paramount importance at 9altitudes. Therefore, 9altitudes treat personal data carefully and provide appropriate security. In this Privacy Policy, 9altitudes determines how it handles personal data.

1.1 Scope

This Privacy Policy applies to the handling of all personal data of customers, vendors, suppliers, users, partners, stakeholders and other personal data processed by data subjects, both digital and non-digital, within 9altitudes.

This Privacy Policy is based on the privacy rules that arise from the General Data Protection Regulation (GDPR).

This Privacy Policy does not apply to the handling of personal data of employees as this is documented in a dedicated Privacy Policy for Employees, which is made available internally to employees at 9altitudes.

1.2 Review and update

This Privacy Policy is maintained by the Corporate Privacy Officer (hereinafter referred to as “CPO”) of 9altitudes.

The Privacy Policy shall be updated to reflect changes in law and regulations, the organization or information systems and such changes shall be communicated to all relevant stakeholders affected.

2/ Laws and Regulations

For the protection of privacy within organisations in Europe, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Additional legislation applies in the various European member states.

This legislation, together with the European Data Protection Board (EDPB) Guidelines and the guidelines of national Data Protection Authorities together with national data protection legislation forms the basis for this Privacy Policy.

2.1 What are personal data?

Personal data are data that can be traced back to a person and be identified, directly or indirectly. This can be done based on a name, an identification number, location data or one or more elements that characterise the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual.

Different types of personal data can be distinguished:

• General personal data

These are data associated with everyday use. Examples of general personal details are names, telephone numbers, e-mail addresses and birth dates.

• Sensitive data

These are data that have a major impact on the privacy of the individual, but that are not special categories of personal data. Common sensitive data types are information about a person's financial situation, authentication credentials (such as passwords), photos and video and information about a person’s private life.

• Special categories of personal data

These are data that have a major influence on someone's privacy. These special details are mentioned separately in the GDPR. As a rule, special categories of personal data may not be processed, unless the grounds for exemption laid down in the law are met.

2.2 The General Data Protection Regulation (GDPR)

9altitudes complies with the following rules of thumb of the GDPR:

• Purpose limitation

Personal data may only be collected for specific and legitimate purposes, and not further processed for purposes that are incompatible.

• Legitimate basis

Any use of personal data must be based on a legitimate basis from the GDPR. These bases are: unambiguous consent of the person involved, the execution of an agreement, compliance with a legal obligation, the protection of a vital interest or a legitimate interest of 9altitudes. We comply with the General Data Protection Regulation (GDPR) and other applicable laws and regulations concerning the processing of personal data.

• Quality and data minimisation

Personal data should be, as far as possible, accurate, adequate and relevant. No more data will be processed than is necessary for the purpose of the processing. We regard all personal data as confidential information, which is subject to a duty of confidentiality. Internally, work is done on the basis of the need-to-know principle, which means that employees and suppliers only gain access to data, insofar as these data are necessary for the performance of their duties.

• Storing and destroying data

The processed data will not be stored longer than necessary to achieve the goal or as long as needed for legal obligations.

• Transparency

The person whose personal data is being processed must be able to see who is processing data and for what purposes. 9altitudes actively informs the data subject about the data processing via this Privacy Policy, Cookie Policy and our Employee Privacy Policy.

• Appropriate security

9altitudes has a security obligation and has taken appropriate technical and organisational measures to protect personal data.

• Rights of data subjects

The individual whose personal data are processed has the right to become acquainted with the processed personal data. In some cases, they have the right to correct or delete the personal data. In certain cases, a data subject may also oppose processing or restrict processing.

• Reporting obligation for data breaches

When we detect a data breach of personal data, we analyse the severity of the breach within 72 hours and depending on the nature and extent of the breach may report the data breach to the Local Data Protection Authority and/or the data subjects involved.

• Data Processing Agreements

With suppliers who process personal data on behalf of 9altitudes, we conclude a data processing agreement in which we regulate the obligations of parties and rights of data subjects under the terms of the GDPR.

• Privacy by Design and Privacy by Default

9altitudes takes protective measures and data protection principles into account from the design phase of a new product and/or service, project or process, onwards. We make sure that settings are so implemented that they protect privacy by default.

9altitudes processes personal data for the following purposes and on the following legal grounds:

3.2 Legal Grounds

9altitudes does not process more personal data than is necessary for the purposes and legal grounds mentioned in the abovementioned clause 3.1.

Processing of personal data only takes place if one or more of the following points apply:

1. The processing of data is necessary for the performance of an agreement in which the data subject (person to whom the data relates) is or wishes to be a party;
2. The processing of data is necessary for the pursuit of a legitimate interest of 9altitudes, in so far as that interest outweighs the privacy rights of data subjects (e.g. cases such as internal management, marketing and fraud prevention);
3. Data processing is necessary to fulfil a legal obligation.
4. If none of the above applies, then the person concerned must give written, explicit, informed and freely given consent. This means, that it must be clear to the person concerned what permission is given for, what the data are needed for, how the data are handled and that the person concerned is free to refuse permission.

4/ Data Transfer to Third Parties and Processors

9altidus does not rent or sell any personal data to third parties. 9altitudes has taken the necessary contractual and organisational measures, to ensure that the personal data will only be used by the third party for the above purposes.

4.1 9altitudes Entities (internal)

9altitudes can exchange data with 9altitudes entities within the group based on data sharing agreements from one data controller to another data controller. The exchange of information must take place within the legal framework and will not comprise more personal data than is strictly necessary intra-group on a need-to-know basis.

In such data sharing agreements, it is stipulated what data we exchange, for what purpose, on what legal basis, what security we apply, how the liability is settled, and how we exercise the rights of those involved. In this way we create the frameworks that are needed to be able to exchange personal data with our group entities.

A full list of all 9altitudes entities can be found here: www.9altitudes.com/legal-notice.

4.2 (Sub)-Processors (external)

A lot of processing of personal data is outsourced to us by our customers. In that case we are the processor and the customer is controller, as they determine which personal data is processed. The obligations of both parties relating to the GDPR are laid down in data processing agreements.

9altitudes also use services by external parties, which makes them (sub) processors to us. Examples of processors are hosting parties, ICT and software suppliers, service providers providing statistical research and analysis, contractors who have access to our system or who have a copy of the database, but also suppliers who take care of (part of) marketing. These suppliers have access to the personal data in, for example, our systems or make the backups for us and store the data for us, which will not comprise more personal data than is strictly necessary on a need-to-know basis. In a data processing agreement, 9altitudes has made agreements with these parties, about how they should handle our personal data. In such agreements, it is stipulated which data will be processed, for what purpose, on what legal basis, and what securities to be applied. 9altitudes remains responsible for the data processing that these parties carry out on our behalf.

4.3 Legal Obligation (external)

9altitudes is legally obliged to provide personal information to third parties in certain cases. Consider, for example, the provision of data to the tax authorities on the basis of legislation and regulations. Another example is providing data to police authorities in the context of a criminal investigation. In the latter case, personal data will only be provided if there is a statutory regulation which states that the data must be provided (for example, on the order of the examining prosecutor).

5.9altitudes is legally obliged to provide personal information to third parties in certain cases. Consider, for example, the provision of data to the tax authorities on the basis of legislation and regulations. Another example is providing data to police authorities in the context of a criminal investigation. In the latter case, personal data will only be provided if there is a statutory regulation which states that the data must be provided (for example, on the order of the examining prosecutor).

5/ Rights of the Data Subject

A privacy helpline has been set up for handling of privacy issues. Customers or employees who have questions, comments or complaints (including requests as further set out in clauses 5.2-5.7 and 5.9) about the processing of personal data can contact privacy@9altitudes.com.

Data subjects have the right to inspect, correct and delete their own personal data, as well as the right to object to a particular processing and/or to limit the processing (except for exceptions). Requests must be made in writing, including by e-mail and will be handled by the CPO. Within four weeks of receiving the request, the CPO decides whether and to what extent the request is being met and informs the person concerned. A rejection of the request must be motivated.

In the event that an application for removal or correction is granted, 9altitudes will inform parties to whom the data of data subjects have been provided about the exercise of the right, unless this is impossible or requires a disproportionate effort.

5.1 Obligation to Inform

At the moment we collect personal data, we provide the following information to the person concerned:

• The processing purposes for which the personal data are intended;
• The recipients or categories of recipients of the personal data;
• The period during which the personal data will be stored;
• The rights that the person concerned has.

Exceptions to the information requirement may apply.

5.2 Right to Access

Data subjects have the right to request their own personal data, which are known to us, to ask for the purposes for which this data is used and with whom this data is shared. Data subjects also have the right to receive a copy thereof.

If data from a third party are included in the file in which the data subject wishes to be inspected, this data will be protected, unless explicit permission is granted for inspection by this third party.

5.3 Right to Rectification

Data subjects have the right to have data corrected or supplemented. Correcting or supplementing information is only possible if the data is incorrect or incomplete - think for example of a telephone number or bank details. The data subject will always have to specify which data should be adjusted and for what reason.

5.4 Right to Erasure

The data subject has the right to obtain data exchange of his/her personal data without unreasonable delay, and 9altitudes is obliged to do so, among other things in one of the following cases:

• The personal data are no longer required for the purposes for which they were collected;
• The personal data have been processed unlawfully;
• The person concerned withdraws his or her consent (if the processing is based on this).

5.5 Right to Object

Data subjects have the right to oppose any processing or provision to a particular recipient. To this end, the person concerned must provide (compelling) personal circumstances. The right of objection may be used by data subjects when they believe that their data is being processed incorrectly.

Should a data subject wish to make use of this right, 9altitudes will first have to assess whether the application is justified. This is done by weighing the individual interests against its own interests. The starting point is that the right of opposition may not disadvantage 9altitudes disproportionately.

5.6 Right to Restriction

The person concerned has the right to obtain the limitation of the processing in, among other things, the following cases:

• The accuracy of the personal data is disputed by the data subject;
• The controller no longer needs the personal data for processing purposes, but the data subject needs it for the establishment, exercise or substantiation of a legal claim.

5.7 Right to Data Portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to 9altitudes, in a structured, commonly used and machine-readable (digital) format.

5.8 Right to Lodge a Complaint

The data subject has the right to be lodge a complaint to his/her national Data Protection Authority . See for the contact information below at 6.2 Local Data Protection Authority.

5.9 Right not to be subject to automated decision-making

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling and may demand human intervention in the decision-making process.

6/ International Data Transfers

6.1 Standard Contractual Clauses (SCC’s)

Personal data in the EU is protected by the General Data Protection Regulation, but other countries may not have necessary the same standards on privacy or protection of personal data. It may be necessary that a 9altitudes entity requires access to personal data to process and/or store these Personal data. This entity may be located within or outside the EEA. For these purposes, all 9altitudes entities located outside the EEA, such as in Turkey and in Brazil, have concluded an internal agreement including EU Standard Contractual Clauses in accordance with the data protection principles.

9altitudes abides by the standard provisions regarding data protection (SCC’s) within the meaning of Article 46 (2) (c) and (d) GDPR in the name and on behalf of 9altitudes. For the record, in that case 9altitudes is the data exporter (as defined in the SCC’s) and any non-EEA entity is the data importer (as defined in the SCC’s).

Data subjects can obtain a copy of the guaranteed measures upon written request by sending a mail to privacy@9altitudes.com. 

6.2 Local Data Protection Authorities

The Local Data Protection Authorities are national supervisors for the GDPR. Data Protection Authority have, in addition to an investigative power, also the power to hand out fines. Furthermore, the authorities conduct research into privacy-related topics, provide advice to both organisations and stakeholders, and are the reporting point for data breaches.

Below, you will find a summary of other relevant Local Data Protection Authorities concerning the processing of the personal data:

• The Netherlands:
  • Dutch Data Protection Authority / PO Box 93374 2509 AJ Den Haag;
  • https://autoriteitpersoonsgegevens.nl/nl/meldingsformulier-klachten / +31 708888500;
• Slovenia
  • Slovenian Information Commissioner (IPRS) / Dunajska cesta 22, SI-1000 Ljubjana ;
  • Gp.ip@ip-rs.si / +386 1 230 97 30;
• Spain
  • Spanish Data Protection Authority (AEPD) / St Jorge Juan 6, 28001 Madrid;
  • +34 900 293 183;
• Portugal
  • Comissao Nacional de Protecacao de Dados (CNPD) / Av D. Carlos I, 134, 1° 12000-651 Lisboa;
  • Geralécnpd.pt / +351 21 392 84 00;
• France
  • Commission Nationale de l’informatique et des libertés (CNIL) / 3 Pl. de Fontenoy, 75007 Paris, France;
  • info@cnil.fr / +33 1 53 73 22 22;
• Denmark
  • Datatilsynet (Danish Data Protection Authority) / Carl Jacobsens Vej 35, 2500 Valby;
  • dt@datatilsynet.dk / +45 33 19 32 00.

7/ Retention Period

9altitudes does not store personal data longer than legally permitted and is necessary for the realisation of the purposes for which the personal data are processed. How long certain data is stored depends on the nature of the data, the purposes for which it is processed and the applicable national data retention period. The retention period can therefore differ per purpose and per 9altitudes entity.

The reference point for storing personal data is in general the legal retention period. Such a period is often up to 10 years after the end of an agreement or 5 years after the last processing for which the information was originally obtained. If the law does not prescribe a period, the archiving will be internally determined keeping in mind the principle of data minimisation.

The personal data will be retained for the following subsequent periods:

When the retention periods have expired, 9altitudes ensures that the personal data are destroyed in a secure manner. 9altitudes understands the importance of the fact that that the destruction of the personal data is done with care.

8/ Cookies

9altitudes uses cookies on its website which may process personal data. We treat such personal data carefully and provide appropriate security. Which cookies we use, for which purposes and how long they are stored on your browser is described in our Cookie Policy accessible on our website www.9altitudes.com/cookie-policy.

It is permitted to collect non-personal and anonymous data when our website is visited and to anonymize personal data. These data do not allow to identify an individual person and these data may be shared with third parties, including for statistical purposes.

As you first access our website a cookie banner appears requesting that you accept, refuse or manage the use of our cookies. By accessing the website you accept the use of cookies in accordance with the terms of this Cookie Policy.

9/ Measures for the Protection of Personal Data

9altitudes gives priority to the security of personal data. The data stored is therefore protected by technical and organisational measures to effectively prevent loss or misuse by third parties to safeguard and protect personal data, against unauthorized or unlawful processing and against accidental destruction, loss, access, misuses, damage and any other unlawful forms of processing of the personal data in our possession.

You also have an important role to play in securing your personal data, e.g. by keeping your PC up-to-date and keeping your login data confidential and secure.

Employees who process this personal data are obliged to observe confidentiality. Technical safety measures to protect the personal data are checked regularly and, if necessary, adapted to the latest state of the art techniques.

9altitudes has a data breach protocol in case of an intentional or unintentional breach or loss of personal data.

10/ Complaints

Complaints and disputes about the application, implementation and / or interpretation of these regulations, the application of privacy laws and regulations can be submitted in writing and motivated to the CPO to privacy@9altitudes.com.

The person concerned will, if necessary, receive an invitation within two weeks of receipt to explain the complaint. The person concerned will receive a decision on the complaint within four weeks of receipt of the complaint, or within two weeks of the explanation.

11/ Changes to the Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in our personal data practices. 9altitudes will post a prominent notice on the Website as a notification of any significant changes to our Privacy Policy and indicate at the top of the notice the date at which it was last amended. If one or more clauses from this Privacy Policy are declared partially or completely null and void or non-binding by judicial intervention, this will not affect the validity of the other clauses or the validity of the entire Privacy Policy.

If the clause(s) in question wish to be amended or replaced, the amended or new clause must be as closely aligned as possible with the clause(s) declared void or non-binding. The failure to demand strict compliance with the provisions of this Privacy Policy shall not be construed as any waiver or rejection thereof.

Any dispute or claim relating to the processing of personal data and the Privacy Policy or any data mentioned herein is governed by Belgian law and falls under the exclusive jurisdiction of the courts and tribunals of West-Vlaanderen, Kortrijk (Belgium).

Last update on: 20/01/2025

12/ Contact

If you have any questions or comments regarding this Privacy Policy, please contact the CPO via privacy@9altitudes.com.