Privacy policy
Last updated: 15 June 2026
This English version is provided for LLM context (per our GEO strategy). The canonical Dutch version is at /privacy. In case of conflict, the Dutch version prevails for Dutch B2B subjects under Dutch GDPR implementation.
This policy explains which data we process about agencies, clients, and visitors, why we do so, and how we protect it.
Who we are
Marketingburos is a Dutch marketplace for marketing agencies. The data controller is Tawny Owl Holding B.V. (trading as Marketingburos). Marketingburos is a joint venture of Thijs Bongertman (via Tawny Owl Holding B.V.) and Olivier Janssen (Bedrijfsdata.nl BV).
- Chamber of Commerce (KvK) number: 96168285
- Registered address: Van Ostadelaan 2, 3117XL Schiedam, Netherlands
- Contact for privacy queries: privacy@marketingburos.nl
We respond within 48 hours on working days and formally resolve requests within 30 days (GDPR art. 12).
What data do we process
Agency data
- Public sources (Dutch Chamber of Commerce open data, Bedrijfsdata.nl, public LinkedIn company pages, agency website): company name, KvK number, VAT number, registered address, generic info@ email, phone number, LinkedIn company profile URL, sector classification (SBI), trade names, company description, and legal/insolvency status.
- Derived profile characteristics (derived from those public sources): a working-style/cultural-fit indication, specialisms, target-audience segments, and profile summaries for onboarding. These are read-only for agencies and disputable (see "Your rights").
- Internal data-quality signals (not public, no effect on ordering): signals for data quality and abuse prevention, such as source changes and duplicate detection. Reviews remain an internal signal under the TDM exception (EU directive 2019/790 art. 4) and are not reproduced on profile pages.
- Claim validation (when claiming a profile): KvK and VAT checks as an ownership corroboration. We store only a verification timestamp, not directors' names from registers.
- Post-claim self-reporting (only after a claim with consent to the Terms): specialism fine-tuning, pricing band, case portfolio, target-audience corrections, and contact preferences.
- Subscription data (only active subscribers via Mollie): Mollie customer_id, mandate_id, tier, status, payment history.
Client data
- Wizard input: goal, sector, company size, agency size preference, cultural-fit preference, budget, timeline.
- Contact at RFQ submission: name, email, company name, phone (optional).
- Feedback: your 14-day survey response.
Legal basis
We process your data on three legal bases (GDPR art. 6(1)(a)/(b)/(f)), depending on the processing. The main ones:
| Processing | GDPR basis | Notes |
|---|---|---|
| Directory inclusion | art. 6(1)(f) — legitimate interest | Complete Dutch marketing-agency directory. Balancing test documented; key points below. |
| Cold-claim emails | art. 6(1)(f) | 1-click opt-out in every email; no profile mutation without consent. |
| Profile editing post-claim | art. 6(1)(a) — consent | Agency accepts the Terms on claim — explicit consent to self-reporting. |
| Subscription (Mollie) | art. 6(1)(b) — contract performance | Subscription billing. |
| RFQ flow (client) | art. 6(1)(b) | Contract between client and platform. |
| Derived profile characteristics | art. 6(1)(f) | Necessary to match supply and demand; read-only for agencies, with a dispute option. |
| Data quality and abuse prevention | art. 6(1)(f) | Data quality and fraud prevention; no effect on the order in which agencies appear. |
| Analytics / marketing cookies | art. 6(1)(a) — consent | Only after your choice in the cookie banner (see "Cookies"). |
A summary of the balancing test for art. 6(1)(f): marketing agencies benefit from the automated claim route and the RFQ pipeline; opt-out is directly available in every email; no special-category data is processed; and the Dutch Chamber of Commerce, Bedrijfsdata, and public LinkedIn company pages are public sources. The full balancing test is archived and shared on request (lawyer or DPA request).
Cookies
Not yet active. Only the cookie-less Plausible measurement currently runs; we place no analytics or marketing cookies. The cookie banner and the tags below take effect once we switch on Cookiebot.
Once the banner is live, we manage cookie consent via Cookiebot: on your first visit the cookie banner asks which categories you allow, and you can adjust your choice afterwards via the "Cookie preferences" link in the footer.
| Category | Consent needed? | Examples |
|---|---|---|
| Functional (strictly necessary) | No | Supabase Auth session cookie (login session in the dashboard); the Cookiebot cookie that stores your choice. |
| Analytics | Yes | Google Analytics 4, loaded via Google Tag Manager. |
| Marketing / company identification | Yes | ProspectPro company identification (see below). |
Our baseline web analytics via Plausible is fully cookie-less and does not identify you; it runs without consent. Analytics and marketing cookies are placed only after you consent via the Cookiebot banner (Google Consent Mode). If you do not consent, only Plausible runs.
A complete, up-to-date overview of all cookies — with name, purpose, and retention — appears automatically in our Cookiebot cookie declaration.
Visitor identification
Not yet active. Visitor identification is currently switched off. This section only takes effect once we enable this feature — which never happens without a cookie banner and your explicit consent.
When you visit an agency profile and give consent for the "Marketing / company identification" category via the Cookiebot banner, we identify the company behind your visit using ProspectPro (Bedrijfsdata.nl BV). The result — company name, industry, and size class — is shown to the agency whose profile you visited.
What we record
- IP address (hashed): SHA-256 of your IP address + a server-side salt. We never store the raw IP address.
- Page visited + timestamp: which agency profile you visited and when.
- Resolved company (after ProspectPro matching): company name, domain, industry, size class, city, province, visit count, date of last visit.
What we do NOT record
- Personal data of individuals at the company (no names, no email addresses via the ProspectPro people lookup).
- Sole-proprietorship data separate from the company: identification is at company level. If ProspectPro resolves a sole proprietorship (eenmanszaak), that data constitutes personal data — your consent is the lawful basis.
Legal basis
Both the access to your device (Dutch Telecommunications Act art. 11.7a / ePrivacy Directive) and the processing of your IP address (GDPR art. 6(1)(a)) are based on your explicit consent via the cookie banner. Without consent there is no identification and no recording. Plausible always remains active (cookie-less, no identification).
Joint controllers (art. 26 GDPR)
For visitor identification, we are joint controllers (art. 26 GDPR) with Bedrijfsdata.nl BV (ProspectPro). Olivier Janssen is co-founder of Marketingburos and owner of Bedrijfsdata.nl BV — both parties jointly determine the purposes and means of this processing. A written art. 26 arrangement is archived. Agreement: Marketingburos is the single point of contact for all privacy rights of visitors — via privacy@marketingburos.nl.
Retention
| Category | Term |
|---|---|
| Raw visit log (hashed IP address) | 90 days |
| Resolved company | 12 months |
| After consent withdrawal | Immediate stop of future processing; existing records deleted on request (art. 17) |
Your rights as a visitor
| Right | How to exercise |
|---|---|
| Access (art. 15) | Email privacy@marketingburos.nl — we confirm whether your company has been identified and on which profile pages. |
| Erasure (art. 17) | Email privacy@marketingburos.nl — we delete your company record from all agency dashboards. |
| Objection (art. 21) | Withdraw your consent via "Cookie preferences" in the footer (or email privacy@marketingburos.nl while the banner is not yet live). Future identification stops immediately. |
Engagement outcomes
Once an agency accepts your request, we process the outcome of the match from that moment: the scheduled intro call (you pick a time together via a secure link), a 2-question closed review after the call, and 3 closed questions after 90 days — to both you and the agency. Basis: legitimate interest (art. 6(1)(f)) — a fair match and a verifiable track record per agency. There are no free-text fields in these questions.
Specifically:
- An outcome is only labelled "verified" if both sides report the same picture after 90 days. An outcome reported by only one side has lower confidence and is never shown as fact.
- If you delete your data (art. 17), we erase the briefing, the calendar proposals, and the review answers. The closed 90-day answers (yes/no plus a 1–5 score) and the outcome label remain as anonymised statistics — they no longer contain personal data.
- You can unsubscribe from feedback emails in any email; that also stops the 90-day question on your side.
Who we share data with
Joint controller (art. 26 GDPR):
| Partner | Role | Basis |
|---|---|---|
| Bedrijfsdata.nl BV (ProspectPro) | Joint controller for visitor identification | art. 26 GDPR — arrangement archived |
We share data with the following processors. Full DPA status available on request via privacy@marketingburos.nl.
| Processor | Role | Data region |
|---|---|---|
| Supabase Inc. | Postgres database + Auth + Storage | EU-Frankfurt |
| Postmark (ActiveCampaign) | Transactional email (claim mails, RFQ mails, GDPR confirmations) | EU |
| Mollie B.V. | Payments (active subscribers only) | NL |
| Vercel Inc. | Frontend hosting + edge functions | EU |
| Railway Corp. | Python workers + Redis | EU |
| Google Ireland Ltd. | Google Tag Manager + Google Analytics 4 (analytics cookies, only after consent) | EU / US (EU-US Data Privacy Framework) |
| Anthropic PBC | LLM analysis — only on public sources | US (model API) |
| Voyage AI | Embeddings — only on public sources | US (model API) |
| OpenAI L.L.C. | Fallback embeddings — only on public sources | US (model API) |
| Plausible Insights OÜ | Cookie-less analytics | EU-Estonia |
| ProspectPro (Bedrijfsdata.nl BV) | IP-to-company matching (visitor identification) — joint controller (art. 26 GDPR) | NL |
The analysis pipeline (Anthropic + Voyage + OpenAI) processes only public sources to derive profile characteristics. Personal data of agency employees does not go to these parties, other than public LinkedIn company information.
Security
We protect your data with appropriate technical and organisational measures:
- Database encryption and row-level security (RLS) — each account sees only its own data.
- Two-factor authentication (2FA) on admin accounts and periodic password rotation (at least every six months).
- Storage in EU data centres; processors outside the EU only under an appropriate transfer mechanism (see the table above).
In case of a data breach, we inform the data subjects and the Dutch Data Protection Authority in line with GDPR art. 33–34.
Retention
| Category | Term | Why |
|---|---|---|
| Active agency data | As long as the agency is active | — |
| Soft-deleted agency data | 30 days → then permanently deleted | — |
| Internal data-quality signals | With the agency data — deleted on soft-delete + 30 days | Operator curation |
| Claim-validation timestamps | With the claim row — deleted on soft-delete + 30 days | Only a verification timestamp, no register persons |
| Soft-deleted client data | 30 days → then permanently deleted | — |
| Audit log (general) | 60 days | — |
| Audit log (deletion chain) | 7 years | statutory retention (financial records) |
| RFQs + responses | 5 years | Dispute evidence + feedback loop |
| Financial records (Mollie) | 7 years | statutory retention |
| Profile-characteristic disputes | With the agency data — deleted on soft-delete + 30 days | — |
| Visit log (hashed IP address) | 90 days | — |
| Resolved company | 12 months | — |
Your rights
Under GDPR art. 15-22 you have the following rights. We respond within 30 days (GDPR art. 12) to every request.
| Right | How to exercise | Notes |
|---|---|---|
| Access (art. 15) | Agency: dashboard → GDPR rights → "Export my data". Client: enter your email below and choose "Export data". | ZIP export (JSON) by email. |
| Rectification (art. 16) | Agency: dashboard edit for self-reporting; dispute flow for derived profile characteristics. Client: email privacy@marketingburos.nl. | Derived profile characteristics are read-only and can be corrected only via dispute; self-reported fields via the dashboard. |
| Erasure (art. 17) | Agency: dashboard → "Delete my agency" (type VERWIJDER). Client: use the form below and choose "Delete". | Soft-delete immediate + permanent deletion after 30 days. |
| Restriction (art. 18) | Agency: dashboard → "Stop profiling". Client: use the form below and choose "Stop profiling". | Agency no longer appears in RFQ shortlists; client no longer profiled. |
| Portability (art. 20) | Same as access (the ZIP export is machine-readable JSON). | — |
| Objection (art. 21) | Same as restriction. | — |
| Withdraw consent | Adjust your cookie choice via "Cookie preferences" in the footer (or email privacy@marketingburos.nl while the banner is not yet live). | Stops analytics and marketing cookies immediately. |
Exercise your rights directly:
Visitors (not logged in): Send an email to privacy@marketingburos.nl for access (art. 15), erasure (art. 17), or objection (art. 21) relating to visitor identification. We respond within 30 days.
Complaints
If you are not satisfied with our handling, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Changes
Substantial changes are announced via email to claimed agencies and published on this page with a new effective date.
Questions about this policy or a specific processing? Contact privacy@marketingburos.nl.