GDPR Compliant

Privacy Policy

Entity: Oceanic Consulting VOF  ·  KVK 84553081  ·  Poortugaal, Netherlands
Effective date: 1 June 2026  ·  Last updated: 22 June 2026
Data Controller Contact: privacy@oceanicco.nl

This Privacy Policy describes how Oceanic Consulting VOF collects, uses, stores, and protects your personal data. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Dutch law. As a Netherlands-registered entity, we are subject to supervision by the Autoriteit Persoonsgegevens (AP).

Table of Contents

  1. Identity of the Data Controller
  2. What Personal Data We Collect
  3. Purposes and Legal Bases for Processing
  4. Retention Periods
  5. Recipients and International Transfers
  6. Cookies and Tracking Technologies
  7. Your Rights as a Data Subject
  8. Children's Privacy
  9. Security Measures
  10. Data Breach Notification
  11. Data Processing Agreements (B2B)
  12. Changes to This Policy
  13. Contact and Supervisory Authority

1 Identity of the Data Controller

Oceanic Consulting VOF acts as data controller for personal data collected through:

Where Oceanic processes personal data on behalf of a business customer (as data processor), the business customer is the controller and our obligations are governed by a Data Processing Agreement.

2 What Personal Data We Collect

2.1 Account and Identity Data

When you register for any Oceanic service: full name, email address, password (stored in hashed form), company name (if applicable), and profile information you choose to provide. For SSO sign-in via Google or Microsoft, we receive the data disclosed by your identity provider (typically name and email).

2.2 Billing and Payment Data

When you purchase a subscription or product: billing address, VAT/BTW number (for business customers), invoice history, and subscription status. Payment card details are processed exclusively by our payment processor (Stripe) and are never stored on Oceanic systems.

2.3 Usage and Platform Data

How you use our platforms: features accessed, AI queries submitted, documents processed, timestamps, session durations, and platform configuration settings. This data is used to provide and improve the service and to generate aggregated analytics.

2.4 Technical and Device Data

IP address, browser type and version, operating system, device identifiers, referrer URL, and access logs. Collected automatically when you access our websites and platforms.

2.5 Communications Data

Content of messages you send to us via email, support tickets, or contact forms, including metadata such as timestamps and email headers.

2.6 Travel and Location Data (TOURIBO)

For the TOURIBO travel planning service: flight details, hotel information, travel dates, destination cities, and general location preferences you provide to generate your itinerary. We do not collect real-time GPS location data without your explicit consent.

2.7 Connectivity Data (TOTEM)

For the TOTEM private access service: connection timestamps, data volume used per session, and server/node used. We do not log browsing activity, DNS queries, or destination IP addresses. Our no-activity-log policy is strictly enforced.

2.8 eSIM and Connectivity Products (TOURIBO eSIM)

For eSIM purchases: email address for delivery, selected data plan, country/region, ICCID (eSIM identifier), and activation status. These are required to provision and support your eSIM service.

3 Purposes and Legal Bases for Processing

Purpose Legal Basis (GDPR)
Account registration and service delivery Performance of contract (Art. 6(1)(b))
Processing payments and invoicing Performance of contract / Legal obligation (Art. 6(1)(b) and (c))
Sending transactional emails (receipts, security alerts) Performance of contract (Art. 6(1)(b))
Platform analytics and service improvement Legitimate interests (Art. 6(1)(f)) — optimising platform performance
Fraud detection and security monitoring Legitimate interests (Art. 6(1)(f)) — protecting platform integrity
Marketing emails and product updates Consent (Art. 6(1)(a)) — you may withdraw consent at any time
Compliance with legal obligations (tax, accounting, law enforcement) Legal obligation (Art. 6(1)(c))
Responding to support requests and inquiries Legitimate interests / Pre-contractual steps (Art. 6(1)(b) and (f))

4 Retention Periods

We retain personal data only for as long as necessary for the purposes described, or as required by law:

After the applicable retention period, personal data is securely deleted or anonymised.

5 Recipients and International Transfers

5.1 Recipients

We share personal data with third parties only where necessary:

We do not sell, rent, or trade personal data with any third party for their own marketing purposes.

5.2 International Transfers

Our primary infrastructure is hosted in the EU. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions under Art. 45 GDPR. You may request a copy of applicable safeguards by contacting privacy@oceanicco.nl.

6 Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

You may manage or withdraw cookie consent at any time via the cookie settings accessible in the footer of our websites. Note that disabling functional or analytics cookies does not affect the service's core features.

We do not use cross-site tracking cookies, fingerprinting, or advertising cookies.

7 Your Rights as a Data Subject

Under the GDPR, you have the following rights. To exercise any right, contact us at privacy@oceanicco.nl. We will respond within 30 days (or 90 days for complex requests, with notification of the extension).

📋 Right of Access (Art. 15) Request a copy of the personal data we hold about you and information about how we use it.
✏️ Right to Rectification (Art. 16) Request correction of inaccurate or incomplete personal data.
🗑️ Right to Erasure (Art. 17) Request deletion of your data where there is no overriding legitimate purpose or legal obligation to retain it.
⏸️ Right to Restriction (Art. 18) Request that we limit processing of your data in certain circumstances (e.g. while a dispute is pending).
📦 Right to Data Portability (Art. 20) Receive your data in a structured, machine-readable format and transfer it to another controller, where technically feasible.
🚫 Right to Object (Art. 21) Object to processing based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling grounds.
📧 Withdraw Consent Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
🚫 Opt Out of Marketing Unsubscribe from marketing communications at any time via the unsubscribe link in emails or by contacting us.

If you believe your rights have been violated, you have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl.

8 Children's Privacy

Oceanic services are not directed at, and are not intended for use by, children under the age of 16 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact privacy@oceanicco.nl and we will delete such data promptly.

9 Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security practices include:

No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@oceanicco.nl.

10 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).

11 Data Processing Agreements (B2B)

If you use Oceanic platforms (particularly Hubrix AI) to process personal data of your own customers, employees, or third parties, Oceanic acts as a data processor on your behalf. In this capacity, we process such data only on your documented instructions.

A GDPR-compliant Data Processing Agreement (DPA) is available upon request. To request a DPA, contact legal@oceanicco.nl. For enterprise clients, Oceanic's standard DPA template is available at api.hubrix.ai/dpa.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on the relevant platform. The updated policy will be effective as of the date indicated at the top of this document.

We encourage you to review this policy periodically. Your continued use of our services after the effective date of an updated policy constitutes your acceptance of the changes.

13 Contact and Supervisory Authority

For any privacy-related questions, requests, or concerns:

If you are not satisfied with our response, you have the right to lodge a complaint with: