Privacy Statement — RefManager

RefManager, a sole proprietorship (eenmanszaak) of Yermo Abrahams, established in Amersfoort, the Netherlands (hereinafter "RefManager", "we" or "us"), attaches great importance to the protection of personal data. This privacy statement explains which personal data we process, for what purpose, on what legal basis, and what rights you have. It has been drawn up in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG).

Article 1 – Who we are

The controller for the processing operations described in Article 2.2 is:

RefManager — sole proprietorship of Yermo Abrahams

Address: Coulissen 278, 3826 PG Amersfoort, the Netherlands
Chamber of Commerce (KvK) number: 42093562
Email: info@refmanager.nl

RefManager is not legally required to appoint a Data Protection Officer (DPO) and has not done so. For all privacy questions, please use the email address above.

Article 2 – Our role: processor and controller

RefManager provides its application as a cloud service (SaaS) to organisations such as sports federations, leagues and clubs (hereinafter "customer organisations"). Our role under the GDPR depends on the type of data.

2.1 RefManager as processor

For the personal data of referees and other users that a customer organisation creates and manages within the application, RefManager acts as a processor. In that case the customer organisation is the controller: it determines why and how the data are processed. RefManager processes these data solely on the instructions of the customer organisation, under a data processing agreement (Article 28 GDPR). If you have been invited as a referee or user via your organisation, your organisation is the primary point of contact for your privacy rights (see Article 8).

2.2 RefManager as controller

For a limited number of processing operations, RefManager itself determines the purpose and means and is the controller, namely for:

data of contact persons at (prospective) customer organisations;
invoicing and administrative data;
data of individuals who contact us directly (for example by email).

This privacy statement applies in particular to these operations.

Article 3 – Which personal data we process

We only process personal data of users who hold an account. Anyone who merely visits the website or application without logging in does not need to provide any personal data.

3.1 Data of application users (RefManager as processor)

name;
email address;
telephone number;
login credentials (username and encrypted/hashed password);
content uploaded by the user or organisation (such as availability, appointments, evaluations and related data);
usage and log data required for the operation and security of the service.

The application is not intended for special categories of personal data or the Dutch citizen service number (BSN); we ask you not to enter these.

3.2 Data we process as controller

contact details of contact persons at customer organisations (name, role, business email address, telephone number);
invoicing and payment data;
correspondence you conduct with us.

Article 4 – Purposes and legal bases

Purpose	Legal basis (GDPR)
Providing and making the application available to users of a customer organisation	Performance of the contract with the customer organisation; for data for which we are processor, the legal basis lies with the customer organisation
Authentication and security of accounts	Legitimate interest (secure access)
Invoicing and administration	Legal obligation and performance of the contract
Maintenance, improvement and security of the service	Legitimate interest
Answering questions and contact requests	Legitimate interest
Complying with legal obligations	Legal obligation

Article 5 – Disclosure to third parties and sub-processors

We do not sell your data. We engage the following sub-processors to deliver the service:

Sub-processor	Service	Processing location
Amazon Web Services EMEA SARL	Hosting and storage of the application and data	EU (EEA)
Amazon Web Services (Amazon SES)	Sending transactional email (such as notifications)	EU region (EEA)

Data processing agreements have been concluded with these parties. Beyond this, we only disclose data to third parties where legally required.

Article 6 – Storage and transfers outside the EEA

We process and store your personal data exclusively within the European Economic Area (EEA). Hosting takes place at Amazon Web Services in a data centre within the EU, and email is sent via Amazon SES within an EU region. The AWS Data Processing Addendum applies to the use of Amazon Web Services, including the standard contractual clauses (SCCs) it contains, as a safeguard should a transfer outside the EEA nevertheless occur.

Article 7 – Retention periods

Data of users managed within the application by a customer organisation are retained for the duration of the contract with that organisation. Upon termination we make the data available for export for thirty (30) days, after which we delete them, unless a statutory retention obligation prevents this. Invoicing and administrative data are retained for seven (7) years under Dutch tax law. Other data are not retained longer than necessary for the purposes set out above.

Article 8 – Your rights

Under the GDPR you have the right of access, rectification, erasure, restriction of processing, objection and data portability. Which contact point you need depends on our role:

If your request concerns data managed within the application by your organisation (data for which we are processor), please address your request to your own organisation as controller. If we receive such a request directly, we forward it to the relevant organisation and do not handle it independently.
If your request concerns data for which RefManager is itself the controller (see Article 2.2), you may submit your request to us directly via info@refmanager.nl. We respond within the statutory period of one month.

Would you like your account to be deleted? If you were invited via an organisation, please contact your organisation's administrator, who can delete your account within the application. If you manage an organisation yourself, or deletion via your administrator is not possible, you can request deletion from us directly via info@refmanager.nl.

Article 9 – Cookies and tracking

The RefManager website and application do not use tracking, analytics or marketing cookies. Only strictly necessary technical functionality (such as maintaining a logged-in session) may be used; no consent is required for this.

Article 10 – Security

We take appropriate technical and organisational measures to protect your data, including encryption in transit (TLS/HTTPS), encrypted storage of passwords, access control based on the need-to-know principle, logging and monitoring, periodic backups, and logical separation of data between customer organisations. Our hosting takes place in an ISO 27001-certified environment within the EU.

Article 11 – Data breaches

If you discover a possible security issue or data breach, please contact us as soon as possible at info@refmanager.nl. For data for which we are processor, we report data breaches to the relevant customer organisation under the data processing agreement; the assessment of whether notification to the Dutch Data Protection Authority and/or data subjects is required rests with that organisation.

Article 12 – Complaints

If you have a complaint about how we handle your personal data, please contact us first. You also always have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).

Article 13 – Changes

We may amend this privacy statement from time to time. We publish the most current version on our website, stating the date of the most recent change.