PRIVACY POLICY – ETERNAL SUN B.V.
Last updated: 18/12/2025

________________________________________

1. Introduction

This Privacy Policy explains how Eternal Sun B.V. (“we”, “us”, “our”) processes your personal data when you visit our website www.eternalsun.com.
We provide this information in accordance with the EU General Data Protection Regulation (GDPR).
________________________________________

2. Controller

Eternal Sun B.V.
Wolga 11
2491 BK ’s-Gravenhage
The Netherlands
Tel: +31 (0)15 744 0161
Email: contact@eternalsun.com

________________________________________

3. Data Protection Officer

For privacy-related inquiries, you may contact our Data Protection Officer:
Email: sroest@eternalsun.com

________________________________________

4. Summary of the data we process

When you use our website, we process the following categories of personal data:

• Cookies & tracking data (Google Analytics 4, Google Ads)
• Data submitted via Pipedrive web forms
• Server log files generated automatically by our hosting environment
• Metadata and technical data indirectly collected through analytics or ads
________________________________________

5. Server log files

When you visit our website, our server automatically stores log data:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing device
• Time of server request
• IP address

Legal basis: Article 6(1)(f) GDPR – legitimate interest
(interests: website security, fraud prevention, and technical functioning)

Log files are automatically deleted after a short technical retention period.

________________________________________

6. Contact via Pipedrive Web Forms

If you submit a request or message through our contact forms, we process:

• Name
• Company
• Email address
• Phone number
• Content of your message

Purposes:

• Responding to your inquiry
• Sales communication
• Providing requested information

Legal bases:

• Article 6(1)(b) GDPR – steps prior to entering a contract
• Article 6(1)(f) GDPR – responding to inquiries

Your data is saved in Pipedrive and accessible only to authorized Eternal Sun employees.

________________________________________

7. Cookies, tracking technologies & consent management

7.1 Cookiebot (Usercentrics CMP)

We use Cookiebot by Usercentrics to manage cookie consent on our website.

When you visit our website:

• A banner is displayed requesting your consent
• Cookiebot scans and categorizes all cookies used
• Only cookies you consent to are activated
• Cookiebot stores your consent status
• You can change or withdraw consent at any time

Legal basis: Article 6(1)(c) GDPR (compliance with legal obligations)
and Article 6(1)(a) GDPR (user consent).

You can update your cookie preferences at any time via the Cookiebot icon/footer link on our website.
More information: https://www.cookiebot.com/en/privacy-policy/

________________________________________

7.2 Legal bases for cookie categories

To comply with GDPR and ePrivacy rules, we use the following legal bases:

Cookie Category Purpose Legal Basis Activated Only With Consent?
Necessary cookies Website functionality, security, loading forms Art. 6(1)(f) Legitimate interest ❌ No consent required
Preferences cookies Remembering settings (e.g., language) Art. 6(1)(a) Consent ✔ Yes
Statistics cookies GA4 analytics Art. 6(1)(a) Consent ✔ Yes
Marketing cookies Google Ads conversion tracking Art. 6(1)(a) Consent ✔ Yes

________________________________________

7.3 Google Analytics 4 (GA4)

We use Google Analytics 4 to understand how our website is used.
GA4 processes, for example:

• IP address (anonymized)
• Device and browser information
• Approximate location
• Pages visited and interactions
• UTM parameters / campaign data
• Technical identifiers (client ID, user ID)

Legal basis: Article 6(1)(a) GDPR – consent

You can withdraw consent anytime through Cookiebot.
More information: https://policies.google.com/privacy

________________________________________

7.4 Google Ads Conversion Tracking

We use Google Ads to measure the performance of our advertising campaigns.
Google may process:

• Cookies linking ad clicks to website visits
• Conversion events (e.g., form submissions)
• Device, browser, and timestamp data
• Advertising IDs

Legal basis: Article 6(1)(a) GDPR – consent

You can withdraw consent via Cookiebot or opt out here:
https://adssettings.google.com

________________________________________

7.5 Pipedrive Web Form Cookies

Our forms may set necessary cookies to ensure secure and correct submission.
Legal basis: Article 6(1)(f) GDPR – legitimate interest
(interests: website operation and prevention of spam/misuse)

________________________________________

7.6 LinkedIn Insight Tag

We use the LinkedIn Insight Tag to measure the effectiveness of our LinkedIn advertising campaigns and to better understand our website visitors.
LinkedIn may process:

• Cookie and pixel data linking LinkedIn ad interactions to website visits
• Conversion events (e.g., page views, form submissions)
• Professional demographic data (job title, industry, company size) in aggregated form
• Device, browser, and timestamp data

Legal basis: Article 6(1)(a) GDPR – consent

You can withdraw consent via Cookiebot or adjust your LinkedIn ad preferences here: https://www.linkedin.com/psettings/advertising
More information: https://www.linkedin.com/legal/privacy-policy

________________________________________

7.7 Insightly CRM

We use Insightly as a customer relationship management (CRM) platform to manage business inquiries and customer communications.
When you contact us or submit information, Insightly may process:

• Name
• Company
• Email address
• Phone number
• Content of communications
• Interaction history

Purposes:

• Managing customer relationships
• Sales communication and follow-up
• Providing requested information

Legal basis: Article 6(1)(b) GDPR – steps prior to entering a contract, and Article 6(1)(f) GDPR – legitimate interest (interests: effective customer relationship management)
More information: https://www.insightly.com/privacy-policy/

________________________________________

8. Sources of data (Article 14 GDPR)

In addition to data you provide directly, we may receive data indirectly through:

• Google Analytics (e.g., UTM tags, referrer URLs, device metadata)
• Google Ads (click IDs, campaign parameters)
• Browser/server interactions (technical metadata)

We do not obtain personal data from external data brokers or third-party sellers.

________________________________________

9. International data transfers

Some of our service providers (e.g., Google, Pipedrive) may process data outside the European Economic Area (EEA).
When this occurs, such transfers are protected by:

• Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR
• Additional safeguards implemented by providers
• Certifications and internal compliance frameworks

Despite these safeguards, international transfers may carry risks.
By giving consent to cookies or submitting forms, you acknowledge that data may be transferred outside the EU.

________________________________________

10. Data recipients

We only share personal data with third parties when necessary for:

• providing our website
• processing inquiries
• analytics and marketing (with consent)
• fulfilling legal obligations

Examples of recipients:

• Google (analytics & ads)
• Pipedrive (form processing)
• Website/IT service providers (maintenance & security)

We do not sell or share your data for third-party marketing.

________________________________________

11. Retention

We store personal data only as long as necessary for the purposes described:

• Form submissions: until inquiries are resolved or legal retention requires longer
• GA4 analytics data: 14 months
• Server logs: short technical retention period
• Cookies: per Cookiebot’s duration overview

________________________________________

12. Your rights

You have the following rights regarding your personal data:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restrict processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time (Art. 7(3))
• Right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ Den Haag
www.autoriteitpersoonsgegevens.nl
You may be asked to verify your identity before we fulfill your request.

________________________________________

13. Changes to this policy

We may update this policy from time to time.
The latest version is always available on our website.