This Privacy Policy describes how Oceanic Consulting VOF collects, uses, stores, and protects your personal data. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Dutch law. As a Netherlands-registered entity, we are subject to supervision by the Autoriteit Persoonsgegevens (AP).
Oceanic Consulting VOF acts as data controller for personal data collected through:
Where Oceanic processes personal data on behalf of a business customer (as data processor), the business customer is the controller and our obligations are governed by a Data Processing Agreement.
When you register for any Oceanic service: full name, email address, password (stored in hashed form), company name (if applicable), and profile information you choose to provide. For SSO sign-in via Google or Microsoft, we receive the data disclosed by your identity provider (typically name and email).
When you purchase a subscription or product: billing address, VAT/BTW number (for business customers), invoice history, and subscription status. Payment card details are processed exclusively by our payment processor (Stripe) and are never stored on Oceanic systems.
How you use our platforms: features accessed, AI queries submitted, documents processed, timestamps, session durations, and platform configuration settings. This data is used to provide and improve the service and to generate aggregated analytics.
IP address, browser type and version, operating system, device identifiers, referrer URL, and access logs. Collected automatically when you access our websites and platforms.
Content of messages you send to us via email, support tickets, or contact forms, including metadata such as timestamps and email headers.
For the TOURIBO travel planning service: flight details, hotel information, travel dates, destination cities, and general location preferences you provide to generate your itinerary. We do not collect real-time GPS location data without your explicit consent.
For the TOTEM private access service: connection timestamps, data volume used per session, and server/node used. We do not log browsing activity, DNS queries, or destination IP addresses. Our no-activity-log policy is strictly enforced.
For eSIM purchases: email address for delivery, selected data plan, country/region, ICCID (eSIM identifier), and activation status. These are required to provision and support your eSIM service.
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account registration and service delivery | Performance of contract (Art. 6(1)(b)) |
| Processing payments and invoicing | Performance of contract / Legal obligation (Art. 6(1)(b) and (c)) |
| Sending transactional emails (receipts, security alerts) | Performance of contract (Art. 6(1)(b)) |
| Platform analytics and service improvement | Legitimate interests (Art. 6(1)(f)) — optimising platform performance |
| Fraud detection and security monitoring | Legitimate interests (Art. 6(1)(f)) — protecting platform integrity |
| Marketing emails and product updates | Consent (Art. 6(1)(a)) — you may withdraw consent at any time |
| Compliance with legal obligations (tax, accounting, law enforcement) | Legal obligation (Art. 6(1)(c)) |
| Responding to support requests and inquiries | Legitimate interests / Pre-contractual steps (Art. 6(1)(b) and (f)) |
We retain personal data only for as long as necessary for the purposes described, or as required by law:
After the applicable retention period, personal data is securely deleted or anonymised.
We share personal data with third parties only where necessary:
We do not sell, rent, or trade personal data with any third party for their own marketing purposes.
Our primary infrastructure is hosted in the EU. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions under Art. 45 GDPR. You may request a copy of applicable safeguards by contacting privacy@oceanicco.nl.
We use the following categories of cookies and similar technologies:
You may manage or withdraw cookie consent at any time via the cookie settings accessible in the footer of our websites. Note that disabling functional or analytics cookies does not affect the service's core features.
We do not use cross-site tracking cookies, fingerprinting, or advertising cookies.
Under the GDPR, you have the following rights. To exercise any right, contact us at privacy@oceanicco.nl. We will respond within 30 days (or 90 days for complex requests, with notification of the extension).
If you believe your rights have been violated, you have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl.
Oceanic services are not directed at, and are not intended for use by, children under the age of 16 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact privacy@oceanicco.nl and we will delete such data promptly.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security practices include:
No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@oceanicco.nl.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).
If you use Oceanic platforms (particularly Hubrix AI) to process personal data of your own customers, employees, or third parties, Oceanic acts as a data processor on your behalf. In this capacity, we process such data only on your documented instructions.
A GDPR-compliant Data Processing Agreement (DPA) is available upon request. To request a DPA, contact legal@oceanicco.nl. For enterprise clients, Oceanic's standard DPA template is available at api.hubrix.ai/dpa.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on the relevant platform. The updated policy will be effective as of the date indicated at the top of this document.
We encourage you to review this policy periodically. Your continued use of our services after the effective date of an updated policy constitutes your acceptance of the changes.
For any privacy-related questions, requests, or concerns:
If you are not satisfied with our response, you have the right to lodge a complaint with: