Legal · GDPR · Dutch privacy law

Privacy Policy

Effective date: 14 May 2026 Last updated: 14 May 2026 Version: 1.0

The short version

  • We're a Dutch IT and AI recruitment firm. We collect and process personal data because that's the nature of recruitment work — but we do it carefully and lawfully.
  • We collect data you give us (forms, email, your CV) and a small amount of technical data (logs, basic analytics).
  • We never sell your data. We share it only with clients you're being matched to, our payroll provider if you're employed by us, and a small set of vetted IT vendors.
  • We keep your data only as long as we have a legitimate reason to. Candidates can ask for deletion at any time.
  • You have rights under GDPR: access, correction, deletion, portability, objection. Email info@noordt.co and we'll respond within 30 days.

01Who we are

This privacy policy explains how Noordt & Co. (referred to as "we", "us", or "Noordt & Co.") collects, uses, stores and protects your personal data.

We are an IT, Data and AI recruitment and secondment firm based in Amsterdam, the Netherlands.

Controller Noordt & Co.
Address World Fashion Centre, Tower 4 — Floor 3, Koningin Wilhelminaplein 13, 1062 HH Amsterdam, the Netherlands
Phone +31 20 369 5989
Chamber of Commerce (KvK) Available on request

We are the data controller for personal data we process about candidates, clients, partners, and website visitors. We comply with the EU General Data Protection Regulation (GDPR / Regulation 2016/679) and the Dutch implementation thereof (UAVG).

02What data we collect

If you are a candidate

Identity & contact Name, email, phone number, postal address, date of birth, nationality, work permit status
Professional CV / résumé, work history, education, qualifications, skills, references, salary expectations, notice period, availability
Online presence LinkedIn URL, GitHub or portfolio URLs, any public information you direct us to
Communications Emails, call notes, interview notes, written correspondence with us
If we place you (employment data) Tax ID (BSN), bank account, IBAN, copy of passport or ID (for legal verification), emergency contact, contract details

If you are a client contact

Business contact Name, job title, business email, business phone, employer
Engagement Role briefs, hiring criteria, contract terms, invoices, payment records, correspondence

If you are a referral partner

Identity & contact Name, email, LinkedIn URL, company affiliation (if any)
Referral details Companies and contacts you introduce, intro context, attribution dates, commission records, payout details

Website visitors

Technical data IP address (truncated), browser type, device type, referring URL, pages visited, timestamps
Form submissions Any data you voluntarily provide via our contact or referral forms (see above)
Special category data — We do not actively collect or process special categories of personal data (health, race, religion, political opinion, sexual orientation, trade union membership, biometrics) unless you voluntarily provide it (e.g., disclosing a disability for accommodation purposes during a hiring process). If you do, we treat it with extra care and process it only with your explicit consent.

03How we collect data

  • Directly from you — via our website forms, email, phone, video calls, in-person meetings, or when you send us your CV.
  • From referral partners — when a partner introduces you as a candidate, with your knowledge.
  • From public sources — primarily LinkedIn and similar professional networks, in line with the platform's terms of service. We use this to identify potential candidates and to verify information you've given us.
  • From clients — they may share your name and basic information with us as part of a search brief or referral.
  • Automatically — when you visit our website, our hosting provider logs basic technical data for security and performance.

If we collect your data without you giving it to us directly (for example, sourcing your LinkedIn profile), we will inform you the first time we contact you and explain why.

04Why we use it (legal basis)

Under GDPR, we need a lawful basis for every type of processing. Ours are:

Legitimate interest Matching candidates to suitable roles, contacting potential candidates we've sourced, contacting business prospects, processing referral introductions, and improving our service. We balance these interests against your privacy rights.
Contract performance Placing you in a role, paying you (if seconded), invoicing clients, paying referral partners.
Legal obligation Tax records, anti-discrimination compliance, employment record-keeping, identity verification for employment.
Consent Storing your CV in our database long-term, sending you marketing communications, or processing any special category data you provide. You can withdraw consent at any time.

05Who we share data with

We share personal data only with parties who genuinely need it, under written agreements, and only for the purposes described in this policy. Categories:

  • Clients — when you are being put forward for a specific role, we share your CV and relevant context with the client. We tell you which client before doing so.
  • Referral partners — only the fact that an introduction resulted in a placement, for commission purposes. We do not share candidate personal data with partners.
  • Payroll & employment providers — if you are seconded through us, our payroll provider processes your salary, tax, and pension data on our behalf.
  • IT vendors — our website host (Netlify), email provider, document storage, CRM, accounting software, and similar tools. These are bound by data-processing agreements and process data only on our instructions.
  • Government & legal authorities — where legally required (tax authority, court order, regulator request).
  • Professional advisors — accountants, lawyers, auditors, under professional confidentiality.

We do not sell your personal data. We do not share it for unrelated marketing purposes. We do not enable advertising tracking on our website.

06How long we keep data

We do not keep data indefinitely. Retention periods depend on the relationship and legal requirements:

Candidate CVs & profiles Up to 2 years from our last meaningful contact, then deleted or anonymised — unless you have explicitly consented to longer retention.
Placement records 7 years after the end of the placement (Dutch tax law and employment record obligations).
Client contracts & invoices 7 years (Dutch tax law).
Partner referral records 7 years after the last commission paid (Dutch tax law).
Email correspondence Up to 3 years, then archived or deleted unless retention is required for legal or contractual reasons.
Website logs 30 days for routine logs, longer if needed to investigate a security incident.

You can request earlier deletion of your data — see Your rights — and we will comply unless we are legally required to keep it.

07How we protect data

We take security seriously and apply industry-standard measures appropriate to the sensitivity of the data:

  • Encryption in transit (HTTPS / TLS) for all data sent to and from our website
  • Encryption at rest for stored data on managed services
  • Strong, unique passwords and multi-factor authentication on all business accounts
  • Access to personal data restricted to staff and contractors who need it for their work
  • Data-processing agreements with all our vendors
  • Regular review of who has access to what
  • Secure deletion procedures when data reaches the end of its retention period

No system is perfectly secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, and notify you directly without undue delay where required.

08International transfers

We primarily store and process data within the European Economic Area (EEA). Some of our IT vendors are based outside the EEA — most notably:

  • Netlify (United States) — our website host. Transfers covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.
  • Google Workspace (United States) — if used for email; same protections.

For every transfer outside the EEA, we ensure an adequate level of protection through one of the legally recognised mechanisms (adequacy decisions, Standard Contractual Clauses, or equivalent). You can request a copy of the safeguards in place by emailing info@noordt.co.

09Your rights

Under GDPR you have the following rights regarding your personal data:

  • Right to access — ask for a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — ask us to delete your data, subject to our legal retention obligations.
  • Right to restrict processing — ask us to stop using your data while we resolve a dispute or correct it.
  • Right to data portability — receive your data in a structured, machine-readable format and transmit it elsewhere.
  • Right to object — object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent — at any time, where processing is based on consent.
  • Right not to be subject to automated decision-making — we do not make decisions about you using solely automated means.

To exercise any of these rights, email info@noordt.co. We will respond within 30 days. We may need to verify your identity before acting on requests.

Exercising your rights is free. We may charge a reasonable fee or refuse only if a request is manifestly unfounded or excessive.

10Cookies & tracking

Our website uses the minimum tracking needed to function and to understand how visitors use the site:

  • Strictly necessary — the website itself and form submissions require basic technical cookies / session storage. These do not track you.
  • Form submissions — handled by Netlify. They log basic technical data (IP, timestamp) for security and spam prevention.

We do not currently use: Google Analytics, Facebook Pixel, advertising trackers, or any third-party marketing cookies. If this changes in the future, we will update this policy and ask for your consent via a cookie banner where required.

11Children

Our services are intended for adult professionals. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you by email or through a notice on our website.

We recommend reviewing this page periodically. The current version is the one published at noordt.co/privacy.html.

13Complaints & supervisory authority

If you believe we have not handled your personal data lawfully, please contact us first — we'd genuinely like the chance to put it right.

You also have the right to lodge a complaint with the Dutch supervisory authority:

Authority Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postal address Postbus 93374, 2509 AJ Den Haag
Phone +31 (0)88 1805 250

If you live in another EU/EEA country, you can also lodge a complaint with your local supervisory authority.

14Contact us

For any privacy questions, data requests, or concerns, contact us directly:

Subject Please use "Privacy Request" so it's routed quickly
Post Noordt & Co., World Fashion Centre, Tower 4 — Floor 3, Koningin Wilhelminaplein 13, 1062 HH Amsterdam

We aim to acknowledge all privacy requests within five business days and resolve them within 30 days.