Skip to content
Victaura

هذه الوثيقة متاحة باللغة الإنجليزية فقط. تسود النسخة الإنجليزية في حالة أي تعارض.

Privacy Policy

Last updated: 29 May 2026

This Privacy Policy explains how Greystone B.V., operating under the Victaura brand (hereinafter, "Victaura", "we", "us"), collects, uses, retains and shares your personal data when you visit victaura.com (the "Site"), submit a form, or otherwise interact with us. We process personal data in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR") and the Dutch Implementation Act (UAVG). If you have any questions about this Policy, please write to [email protected].

Data Controller

The data controller is Greystone B.V., a Dutch private limited liability company (besloten vennootschap met beperkte aansprakelijkheid) incorporated in the Netherlands, operating under the Victaura brand. Statutory registration details (Chamber of Commerce / KvK number, VAT identification number, statutory director and registered office) are available on request to data subjects exercising their rights and to qualified investors. The primary contact for data protection matters is [email protected].

We have assessed our processing activities and determined that appointment of a Data Protection Officer is not required under Article 37 GDPR, as our core activities do not consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale.

What Personal Data We Collect

We collect the following categories of personal data:

(i) Data you provide directly through our contact form: name, surname, email address, optional message.

(ii) Data you provide through our investor enquiry form: name, surname, email address, location, investor profile, area of interest, ticket range, optional message, GDPR consent record (gdprConsent), and, where you opt in, marketing consent record (marketingConsent).

(iii) Data automatically collected via your browser: IP address, user-agent string, and locale preference stored through the technical cookie NEXT_LOCALE.

(iv) Data we receive from third-party service providers we engage to deliver the Site and our communications.

How Long We Retain Your Data

Contact and enquiry data: retained for 24 months from your last form submission or email exchange, after which the data is either deleted or anonymised, unless a contractual relationship has been initiated, in which case retention follows the contract lifecycle.

Investor qualification data: retained for the duration of our pre-contractual assessment plus 24 months from your last form submission or email exchange, then deleted or anonymised.

KYC and AML records (where collected): retained for 5 years from the end of the business relationship or the date of the occasional transaction, in accordance with applicable Wwft and AMLD obligations.

Consent audit trail records: retained for 3 years from the date of submission, for accountability purposes.

Technical and security logs: retained for up to 12 months for the purposes of operational integrity and abuse prevention.

Server-side rate-limiting state for the contact and investor forms: retained in volatile memory for the duration of each 60-second rolling window only.

Sub-Processors and Recipients

We rely on a limited set of carefully selected sub-processors to deliver our Site and communications. Each sub-processor is bound by a data processing agreement that contractually requires them to process personal data only on our documented instructions.

Our current sub-processors are:

Vercel Inc. (United States) — hosting and edge delivery of the Site. Transfer basis: EU-U.S. Data Privacy Framework (Vercel is self-certified under the DPF).

Cloudflare, Inc. (United States) — DNS, content delivery and DDoS protection. Transfer basis: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

Resend (United States / Netherlands) — transactional email delivery. Transfer basis: Standard Contractual Clauses, supplemented by additional technical measures (TLS in transit, access controls, audit logging) in accordance with the EDPB recommendations post-Schrems II.

GitHub, Inc. (United States) — source-code repository hosting. Transfer basis: EU-U.S. Data Privacy Framework (GitHub is self-certified under the DPF). No end-user personal data is processed in the repository.

International Transfers

Some of our sub-processors are established outside the European Economic Area. Where personal data is transferred to a third country, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, "SCCs") or, where applicable, on an adequacy decision (including the EU-U.S. Data Privacy Framework where the recipient is self-certified under that framework).

We have assessed the level of protection afforded in each destination country in light of the Court of Justice of the European Union's ruling in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (C-311/18, "Schrems II"). Where the SCCs alone do not ensure an essentially equivalent level of protection, we apply supplementary technical measures, which may include encryption of data in transit and at rest, pseudonymisation, minimisation of data transferred, and contractual commitments to notify us of any government access requests before complying with them to the extent permitted by law.

A copy of the relevant transfer safeguards (SCCs or DPF certificate) is available on request at [email protected].

Your Rights

You have the following rights under the GDPR. You can exercise any of them by writing to [email protected].

Right to access (Article 15). You can ask us for a copy of the personal data we hold about you.

Right to rectification (Article 16). You can ask us to correct data that is inaccurate or incomplete.

Right to erasure (Article 17). You can ask us to delete your data in certain circumstances, for example when it is no longer needed for the purpose for which it was collected.

Right to restriction (Article 18). You can ask us to pause processing in certain circumstances, for example while we verify the accuracy of data you have contested.

Right to data portability (Article 20). Where processing is based on your consent or on a contract and is carried out by automated means, you can ask us to send your data to you or to another organisation in a structured, commonly used, machine-readable format.

Right to object (Article 21). You can object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You can also object at any time to processing of your data for direct marketing purposes.

Rights related to automated decision-making (Article 22). We do not make decisions about you solely by automated means that produce legal or similarly significant effects. If this changes, we will update this Policy and provide you with the right to request human review.

Right to withdraw consent (Article 7(3)). Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

We will respond within one month of receiving your request, as required by Article 12(3) GDPR. You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Autoriteit Persoonsgegevens (Netherlands), Postbus 93374, 2509 AJ Den Haag, autoriteitpersoonsgegevens.nl. You may also contact the Garante per la protezione dei dati personali (Italy) at garanteprivacy.it.

Security and Data Breach

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure and destruction, including HTTPS in transit, encryption at rest where supported by our sub-processors, server-side input validation, rate-limiting on form endpoints, and a strict Content Security Policy on the Site.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by Article 34 GDPR.

Cookies

We use only one strictly necessary technical cookie, NEXT_LOCALE, which stores your language preference and is set with a one-year expiry. No advertising, analytics or social cookies are placed by the Site. For details, see our Cookie Policy.

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, in our sub-processors, or in applicable law. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be made evident on the Site and, where appropriate, communicated to users with an active relationship.

Contact

For any privacy-related question, request or complaint, please contact us at [email protected]. Our registered postal address in the Netherlands is available on request.