Privacy policy

Last updated: 17 April 2026

This policy explains what data we collect when you visit albuscyber.com or get in touch with us, why we collect it, how long we keep it, and what rights you have. We try to keep this short and honest — if anything is unclear, email us and we will explain.

01

Who we are

Albus operates through two legal entities. Together, they are the joint data controllers for the information processed through this website.

Belgian entity
Diomedes BV, Primeurstraat 34 bus 3, 2100 Antwerpen, Belgium. Ondernemingsnummer (KBO) / VAT: BE 0784.423.162.
Dutch entity
Albus Cybersecurity BV, registered in Amersfoort, Netherlands. KvK: 87400448. BTW: NL864284044B01. Contact address: Primeurstraat 34 bus 3, 2100 Antwerpen, Belgium.
General contact
hello@albuscyber.com
Privacy contact
privacy@albuscyber.com

We do not have a Data Protection Officer (DPO). Our processing is not large-scale systematic monitoring and does not involve special-category data, so GDPR Article 37 does not require one.

02

What data we process

We only process data that you actively give us or that is strictly necessary to serve the site.

  • Information you submit through the contact form — name, company, email address, phone number (if provided), and the message you write. This is the only form on the site.
  • Technical data needed to deliver the page — your IP address, the user-agent string your browser sends, and timestamps. This is logged by our hosting provider for security and abuse prevention.
  • Anonymous visit analytics collected by Umami, an open-source analytics tool we self-host on our own subdomain (umami.i.albuscyber.com). For each page view we receive: the URL you visited, the page that referred you, your browser’s language and user-agent, your screen size, and a country derived from your IP. The IP itself is hashed with a salt that rotates every day and is not stored. No cookies are set; a small session token is written to your browser’s localStorage to group page views within a single day and is never read back by the server. If your browser has Do Not Track enabled, Umami does not track you at all.

We do not use marketing pixels, session recorders, or advertising trackers. We do not set any identifiers in your browser beyond what is strictly necessary to serve the site and the anonymous analytics described above.

03

Why we process it, and on what legal basis

For every category of data, there is a concrete purpose and a legal basis under the GDPR:

To answer your contact request
Legal basis: Article 6(1)(b) — pre-contractual steps at your request — and Article 6(1)(f) — our legitimate interest in replying to business enquiries.
To keep the site running and secure
Legal basis: Article 6(1)(f) — legitimate interest in preventing abuse, debugging, and handling incidents.
To comply with a legal obligation
Legal basis: Article 6(1)(c) — e.g. responding to a lawful request from a supervisory authority.

04

How long we keep it

We apply the longest retention periods that are legally defensible for each category, so that we can still be useful if you come back to us after a long gap, and so that our records stay consistent with Belgian and Dutch accounting-law obligations. Shorter retention is always applied where legally required.

  • Contact form submissions: up to 7 years after the last contact. This aligns with the Belgian and Dutch legal retention period for accounting and commercial records (7 years), and with the limitation period for claims arising from pre-contractual exchanges. If the exchange leads to a contract, the record is merged into the client file and kept for 7 years after the last transaction under accounting law.
  • Server and edge logs (hosting provider): up to 12 months, for security, incident response, and abuse prevention.
  • Backups: up to 90 days on a rolling overwrite schedule.

If you want your submission deleted sooner, email us at privacy@albuscyber.com and we will remove it — unless we are legally required to keep it (for example, because it is part of an active contract file).

05

Who else sees this data

We keep the list of processors deliberately short. Everyone on this list is bound by a Data Processing Agreement (DPA) under GDPR Article 28.

Site delivery
Cloudflare Pages — Cloudflare Inc. (US headquarters, EU infrastructure). Serves the static site and records edge logs (IP, user-agent, timestamp) for security and abuse prevention.
Backend & data hosting
Hetzner Online GmbH or Contabo GmbH — both in Germany (EU). Host our own backend, our own CRM, and our self-hosted Umami analytics. No third-party analytics or form handler is involved.
Contact form handling
Processed by our own backend and written into our own CRM (both on Hetzner / Contabo in Germany). We do not use a third-party form handler.
Analytics
Umami (open-source, self-hosted at umami.i.albuscyber.com on our own Hetzner / Contabo infrastructure). No third-party analytics provider is involved; analytics data does not leave our own servers.
Business email
Microsoft 365 (Microsoft Ireland Operations Ltd., EU) — general business mail. Migadu (Switzerland) — selected non-automated mail. Proton Mail (Switzerland) — secure communications.

We do not sell, rent, or share your data with anyone else for their own purposes. The typefaces used on this site are self-hosted — nothing is loaded from Google Fonts or other third-party font CDNs.

06

International transfers

Most of the data we process stays inside the European Economic Area. A small part of it reaches countries outside the EEA because of the providers we use. Here is what that means in practice:

Within the EEA
Hetzner (Germany), Contabo (Germany), Microsoft 365 (Ireland / EU Data Boundary). No international-transfer mechanism needed — these are intra-EEA operations.
Switzerland
Migadu and Proton Mail. Switzerland benefits from a European Commission adequacy decision under Article 45 GDPR, which means transfers are treated as if they were intra-EU. No additional safeguards are required.
United States (via EU subsidiary)
Cloudflare Inc. is certified under the EU–US Data Privacy Framework and has signed the European Commission Standard Contractual Clauses (SCCs, 2021/914) as a fallback. Cloudflare Pages uses EU edge locations where available. Transfers take place with the safeguards required after the Schrems II ruling.

07

Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Access (Art. 15) — a copy of the data we hold about you.
  • Rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Erasure (Art. 17) — deletion of your data, subject to exceptions like legal retention obligations.
  • Restriction (Art. 18) — you can ask us to stop processing while something is contested.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent (Art. 7) — where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing that already happened.

To exercise any of these rights, email privacy@albuscyber.com. We will respond within one month of receiving the request. If the request is complex, we may extend by up to two further months and will tell you why.

08

Security

We apply reasonable technical and organisational measures proportionate to the data we hold:

  • Traffic to and from the site is encrypted in transit (HTTPS/TLS).
  • Access to systems that hold personal data is restricted, logged, and protected by authentication.
  • Our infrastructure is backed up and patched on a regular schedule.
  • If a personal-data breach happens that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours as required by Article 33, and we will inform affected individuals without undue delay where the risk is high (Article 34).

09

Children and minors

This site is aimed at professional audiences in business contexts. We do not knowingly collect data from anyone under 16 (under 13 for Belgian residents). If you believe a minor has submitted data to us, contact us and we will delete it.

10

Automated decisions and profiling

We do not make automated decisions with legal or similarly significant effects about you, and we do not profile you.

11

Cookies and similar technologies

This site does not use cookies for analytics, advertising, or behavioural tracking. There is no cookie banner because we do not run anything that would require one under the GDPR or the ePrivacy Directive.

We do make limited use of your browser’s localStorage for our anonymous analytics — details below. No personal identifiers are stored.

Strictly necessary cookies
None currently. If we later introduce, for example, a preference for language or theme, it will be a first-party cookie with a short lifetime and disclosed here.
Analytics (Umami, self-hosted)
We use Umami, an open-source analytics tool, hosted on our own subdomain. Umami sets no cookies. It writes one small token to your browser’s localStorage to group page views from the same visitor within a single day — the token resets every day and is never read back by our server. IP addresses are hashed with a daily-rotating salt and discarded. If your browser sends the Do Not Track signal, Umami is fully disabled for your visit. You can also opt out using the toggle directly below — your choice is saved in this browser and respected on every future visit.
Advertising / behavioural tracking
None. We do not run advertising pixels, behavioural trackers, or cross-site identifiers.
Self-hosted typefaces
All fonts on this site are served from our own domain. No requests are made to Google Fonts or any other third-party font CDN, so no font-related IP data reaches external parties.

You can always clear cookies and site storage from your browser settings. Doing so will not break this site. If you would prefer us not to process analytics for you even on future visits, email privacy@albuscyber.com and we will add you to our analytics exclusion list.

12

Complaints

If you believe we are processing your data unlawfully, please contact us first — we want to fix it. You also have the right to lodge a complaint with a supervisory authority:

Belgium
Gegevensbeschermingsautoriteit (GBA) — Drukpersstraat 35, 1000 Brussel — gegevensbeschermingsautoriteit.be
Netherlands
Autoriteit Persoonsgegevens (AP) — Postbus 93374, 2509 AJ Den Haag — autoriteitpersoonsgegevens.nl
Other EU/EEA country
You can contact your national supervisory authority. The European Data Protection Board keeps a current list at edpb.europa.eu.

13

Changes to this policy

If we make material changes, we will update the "last updated" date at the top of this page and, where the change is significant, we will highlight it clearly. For minor edits (typos, clarifications that do not change what we do with your data) we may update the policy silently.