Privacy Policy

Last updated: 16 June 2026

This Privacy Policy explains how LutraCAD ("LutraCAD", "we", "us" or "our") collects, uses and protects your personal data when you visit www.lutracad.com (the "Website") or contact us. We process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).

1. Who we are (the controller)

LutraCAD is the controller responsible for your personal data under Article 4(7) GDPR.

• Company name: LutraCAD B.V.
• Registered address: Plein 1969 1A, 5473 CA Heeswijk-Dinther, the Netherlands
• Chamber of Commerce (KvK) number: 67514308
• VAT number: NL857042257B01
• Email for privacy enquiries: [email protected]

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. For any privacy-related question you can reach us at the email address above.

2. What personal data we collect

We collect the following categories of personal data:

• Contact and enquiry data — when you complete a contact form, request a quote, book a demo or otherwise contact us: your name, work email address, telephone number, company name and the content of your message. Depending on the form, this may also include your address, city, postcode, country, number of employees and your product interests.
• Correspondence data — the content of emails and other communications you exchange with us.
• Technical and usage data — when you use the Website: your IP address, device and browser information, pages viewed, referral source and interactions, collected through cookies and similar technologies (see section 7). Our hosting and security providers also keep server and access logs (including IP addresses and request times) for security, abuse prevention and troubleshooting.
• Advertising data — where you reach us via an online advertisement, we may receive click identifiers (such as Google "gclid", "gbraid" or "wbraid" parameters) used to measure advertising performance.

We do not intentionally collect special category data (Article 9 GDPR). Please do not include sensitive information in free-text fields. The Website is intended for business users and is not directed at children.

3. Why we process your data and our lawful basis

Purpose	Lawful basis (Art. 6 GDPR)
Responding to your enquiries, quote and demo requests, and providing customer support	Steps taken at your request prior to entering into a contract, and performance of a contract — Art. 6(1)(b)
Managing our customer and prospect relationships in our CRM, and following up on sales leads	Our legitimate interest in operating and growing our business — Art. 6(1)(f)
Sending marketing communications about our products (where applicable)	Your consent, or our legitimate interest where permitted for existing business relationships — Art. 6(1)(a) / Art. 6(1)(f)
Analytics, measuring advertising performance and improving the Website	Your consent for non-essential cookies — Art. 6(1)(a); ePrivacy / Art. 11.7a Dutch Telecommunications Act
Securing the Website, keeping server/access logs and preventing spam and abuse	Our legitimate interest in the security of our services — Art. 6(1)(f)
Complying with legal obligations (e.g. tax and accounting retention)	Compliance with a legal obligation — Art. 6(1)(c)

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms (Art. 6(1)(f)). You may object to such processing at any time (see section 8).

4. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipients, who act as our processors under a data processing agreement (Article 28 GDPR) unless stated otherwise:

• Pipedrive — CRM and sales pipeline management (Pipedrive OÜ, Estonia, and Pipedrive Inc., USA).
• Google (Google Ireland Ltd.) — Google Tag Manager, Google Analytics and Google Ads, used for website analytics and advertising measurement.
• LinkedIn (LinkedIn Ireland Unlimited Company) — advertising and conversion measurement via the LinkedIn Insight Tag.
• Microsoft 365 (Microsoft Ireland Operations Ltd.) — our corporate email service, where email correspondence with you is sent, received and stored.
• Cloudflare (Cloudflare, Inc.) — content delivery network and security/anti-abuse layer that sits in front of our website and processes connection data (including IP addresses) and sets strictly necessary cookies.
• Our hosting provider (TransIP, the Netherlands) — hosts the website and database and sends the website's transactional emails (such as form notifications) directly from the server. Located in the Netherlands (EU).

We may also disclose personal data where required to comply with a legal obligation, a court order or a request from a competent authority, or to establish, exercise or defend legal claims.

5. International data transfers

Some of our processors (in particular Google, LinkedIn, Pipedrive, Microsoft and Cloudflare) may process personal data outside the European Economic Area, including in the United States. Where this happens, we ensure an appropriate safeguard under Chapter V GDPR is in place, such as:

• the EU–U.S. Data Privacy Framework, where the recipient is certified (Art. 45 — adequacy decision); and/or
• the European Commission's Standard Contractual Clauses (Art. 46(2)(c)).

You can request a copy of the relevant safeguard by contacting us at [email protected].

6. How long we keep your data

We keep personal data only for as long as necessary for the purposes set out above (Article 5(1)(e) GDPR). Our retention periods are:

Data	Retention period
Contact / quote / demo enquiries where no business relationship follows	24 months after last contact
Prospect and lead records in our CRM	Until no longer relevant, or 24 months of inactivity
Customer records and correspondence	Duration of the contract plus 7 years
Invoices and accounting records	7 years (Dutch statutory tax retention obligation, Art. 52 AWR)
Analytics data	14 months (Google Analytics data retention setting)
Server and access logs	Short term, typically up to 6 months, for security and troubleshooting
Cookies	See section 7 (advertising click cookies: up to 90 days; session cookies: until the browser is closed)

7. Cookies and similar technologies

The Website uses cookies and similar technologies, managed through our consent platform (Cookiebot). We place non-essential cookies (analytics and advertising) only after you have given consent. You can change or withdraw your choice at any time via the Cookie settings link in the footer of every page.

The full, automatically updated list of the cookies we use — including their provider, purpose and duration — is shown below:

We also load fonts from Google Fonts. Blocking cookies in your browser may affect how parts of the Website work.

8. Your rights

Under the GDPR you have the following rights regarding your personal data:

• Access — obtain a copy of the data we hold about you (Art. 15).
• Rectification — correct inaccurate or incomplete data (Art. 16).
• Erasure — ask us to delete your data in certain circumstances (Art. 17).
• Restriction — ask us to limit our processing (Art. 18).
• Data portability — receive your data in a structured, machine-readable format (Art. 20).
• Object — object to processing based on our legitimate interests, and to direct marketing at any time (Art. 21).
• Withdraw consent — where we rely on consent, withdraw it at any time, without affecting prior processing (Art. 7(3)).

To exercise any of these rights, contact us at [email protected]. We will respond within one month (Art. 12(3)). There is normally no charge.

9. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling (Art. 22 GDPR).

10. Complaints

If you have a concern about how we handle your personal data, please contact us first. You also have the right to lodge a complaint with the Dutch supervisory authority (Art. 77 GDPR):

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag, the Netherlands
www.autoriteitpersoonsgegevens.nl

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be published on this page, with the "Last updated" date shown at the top.