As of 14 August 2025

1. Controller and how to contact us

Bright Green Partners B.V. is the controller for the processing described in this notice.
Address: Arcenlaan 34, 5709 RA, Helmond, The Netherlands
Privacy contact: floor@brightgreenpartners.com
This section implements GDPR Article 13(1)(a) and 13(1)(b).

2. What data we process

Bright Green Partners collects, processes and uses your personal data exclusively for purposes of referring you as an expert to Bright Green Partners’ clients and for business purposes permitted in connection with our business activities, which are related to your relationship in our company. This includes:

  • Processing of applications, e.g. signing up to FoodTech Expert Network by Bright Green Partners
  • Execution and termination of the expert relationship
  • Exercise and fulfilment of the rights and obligations arising from a law or an agreement
  • Determination of performance and performance of management
  • Determination of fees
  • Compliance with legal requirements, e.g. according to tax law
  • Internal administrative and organizational purposes
  • Ensuring the security and protection of processing methods and data against unauthorized access, falsification, and unauthorized use
  • Protection of facilities, assets, and assets of the company from thieves and other damages

Your data will only be processed for purposes other than those mentioned, when this processing is compatible with the purposes of the expert relationship. We will inform you about such further processing of your data and, if necessary, your consent thereto.

We do not intentionally collect special categories of data. If you provide such data without a legal need, we will delete or restrict it. This implements GDPR Article 13(1)(c).

3. Where we obtain data

We obtain data directly from you, from your employer or colleagues during a project, and for experts from referrals and publicly available professional sources where lawful. If we collect data from other sources, we provide the information required by Article 14.

4. Purposes and legal bases

We process personal data for the purposes below and rely on the listed legal bases. Where we rely on legitimate interests we have completed a balancing test that you can request.

  • Managing client and supplier relationships, performing contracts, paying invoices. Legal bases: Article 6(1)(b) contract and Article 6(1)(f) legitimate interests.
  • Running our expert network including sourcing, evaluating, and referring experts to clients. Legal bases: Article 6(1)(b) and Article 6(1)(f).
  • Business development communications to corporate contacts, subject to e-privacy rules. Legal bases: Article 6(1)(f) or Article 6(1)(a) consent where required.
  • Operating and improving our websites and services, including basic analytics as set out in the Cookie Policy. Legal basis: Article 6(1)(f).
  • Complying with legal obligations including tax and accounting. Legal basis: Article 6(1)(c).
    This mapping follows GDPR Article 13(1)(c) and 13(1)(d).

5. Recipients and processors

We share data with service providers acting as processors under Article 28, including IT hosting, CRM and communications, analytics, and professional advisers. We also share data with clients when you participate in an engagement or are referred as an expert. We have contracts with processors to ensure confidentiality and security.

6. Security

We apply appropriate technical and organizational measures and restrict access to authorized personnel and processors bound by confidentiality and security obligations. This section reflects Transparency Guidelines expectations.

7. Retention

We keep personal data only as long as necessary for the purposes described above and to meet legal duties. We apply these criteria:

  • Contract and project files: for the duration of the engagement and the time needed to handle queries or possible claims arising from the engagement.
  • Expert network profiles and applications: for the period of your membership or evaluation and until you ask us to delete your data or we deactivate your profile after sustained inactivity.
  • Marketing contact data: until you opt out or we consider your contact inactive.
  • Security and web logs: for the period needed to ensure system security and investigate incidents.
  • Invoicing and tax records: for at least 7 years to meet Dutch tax retention duties.

You can ask us for more information about how we apply these criteria. We will delete or anonymize data when it is no longer needed.

8. International data transfers

Where our use of Google Analytics or other providers involves transfers to the United States or other third countries, we rely on appropriate safeguards such as the EU-US Data Privacy Framework for Google LLC and, where required, the European Commission Standard Contractual Clauses.

9. Your rights

You have the right to request access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests or direct marketing, and the right to withdraw consent where used. You also have the right to lodge a complaint with the Dutch Data Protection Authority. See the Autoriteit Persoonsgegevens complaints information. This section implements Article 13(2)(b) to 13(2)(d).

10. Requirement to provide data

Where we need personal data to enter into or perform a contract or to comply with law, we will inform you at the point of collection. If you do not provide such data, we may be unable to provide the service. This implements Article 13(2)(e).

11. Cookies and similar technologies

Our website uses cookies. Details and choices are set out in our Cookie Policy. Consent is required for non-essential cookies and most analytics or marketing cookies under Dutch rules.

12. Automated decision making

We do not make decisions based solely on automated processing that produce legal or similarly significant effects. If this changes, we will inform you and explain your rights. This implements Article 13(2)(f).