1. Introduction
This Privacy Policy describes how GoSpooky B.V. processes and protects personal data. GoSpooky attaches great importance to the protection of personal data and acts in accordance with the General Data Protection Regulation (GDPR) and relevant information security standards, including ISO/IEC 27001.

This Privacy Policy applies to all processing of personal data by GoSpooky, both via the website and in the context of services, collaborations, and internal business operations.

2. Data Controller and Privacy Officer
GoSpooky B.V. is the data controller as defined under the GDPR. GoSpooky has appointed a GDPR Privacy Officer. The Privacy Officer can be reached via: privacy@gospooky.com.

This contact address may be used for:
- questions regarding this Privacy Policy;
- requests relating to the processing of personal data;
- exercising data subject rights under the GDPR.

3. Personal Data We Process
Depending on the context, GoSpooky may process the following categories of personal data:
- Identification and contact details (such as name, email address, and telephone number);
- Business-related information (such as job title and organisation);
- Contractual and administrative data;
- Data relating to freelancers, creators, and partners;
- Communication data (including email correspondence and messages);
- Website and usage data (such as IP address, device information, and browser type);
- Financial and invoicing data, where applicable.
- GoSpooky does not intentionally process special categories of personal data, unless this is required by law or strictly necessary for the execution of services.

4. Purposes and Legal Bases
Personal data are processed solely for specified, explicit, and legitimate purposes, including:
- the performance and management of agreements and contracts;
- relationship management and communication;
- administrative and financial processing;
- recruitment, selection, onboarding, and collaboration with freelancers and partners;
- improvement of services and internal business processes;
- compliance with applicable legal and regulatory obligations.

Processing is based on one or more of the following legal bases:
- performance of a contract;
- compliance with a legal obligation;
- legitimate interests of GoSpooky;
- consent, where required.

5. Data Retention
Personal data are not retained longer than necessary for the purposes for which they are collected, unless a longer retention period is required by law.

Retention periods are periodically reviewed as part of GoSpooky’s information security and privacy management system.

6. Sharing Personal Data with Third Parties
GoSpooky may engage third-party service providers, such as cloud and SaaS providers, to support its business operations. Personal data are shared with such third parties only where this is necessary for the delivery of services or to comply with legal obligations.

Where third parties act as data processors, GoSpooky enters into appropriate data processing agreements to ensure confidentiality, security, and compliance with the GDPR.

7. Transfers Outside the European Economic Area
Where personal data are processed or stored outside the European Economic Area (EEA), GoSpooky ensures that appropriate safeguards are in place in accordance with the GDPR, such as the use of standard contractual clauses or equivalent protection mechanisms.

8. Security of Personal Data
GoSpooky has implemented appropriate technical and organisational measures to protect personal data against loss, unauthorised access, alteration, or unlawful disclosure.

These measures form part of GoSpooky’s Information Security Management System (ISMS) and are aligned with ISO/IEC 27001. Measures include, among others:
- access controls and role-based authorisation;
- encryption where appropriate;
- logging and monitoring of systems;
- periodic risk assessments;
- security awareness and instruction for personnel.

9. Rights of Data Subjects
Data subjects have the following rights under the GDPR, subject to applicable conditions:
- the right of access to their personal data;
- the right to rectification;
- the right to erasure;
- the right to restriction of processing;
- the right to data portability;
- the right to object to processing.

Requests to exercise these rights can be submitted to the GDPR Privacy Officer via privacy@gospooky.com.

To prevent misuse, GoSpooky may request verification of identity.

10. Complaints
If a data subject believes that GoSpooky is not processing personal data in accordance with applicable data protection legislation, they have the right to lodge a complaint with the competent supervisory authority.

11. Changes to This Privacy Policy
GoSpooky may update this Privacy Policy from time to time to reflect changes in legislation, services, or internal processes. The most current version of this Privacy Policy is always available on the GoSpooky website.