

Privacy Statement
Mason Pete Dynamics B.V.
Breestraat 101, 1941 EG Beverwijk, the Netherlands
Chamber of Commerce (KvK): 93861524
Last updated: 3 June 2026
Mason Pete Dynamics B.V. (“Mason Pete Dynamics B.V.”, “we”, “us”) handles personal data with care. This privacy statement explains which personal data we process, why we do so, on which legal basis, and which rights you have.
This privacy statement is intended for website visitors, contact persons of clients and prospects, suppliers, job applicants, business relations and other individuals with whom Mason Pete Dynamics B.V. has contact.
1. Who is Mason Pete Dynamics B.V.?
Mason Pete Dynamics B.V. is a Dutch consultancy that supports organisations in areas including Microsoft Dynamics 365, CRM adoption, digital transformation, operational processes, cybersecurity advice, risk analyses, and technical and physical penetration tests.
Controller:
Mason Pete Dynamics B.V.
Breestraat 101, 1941 EG Beverwijk
Chamber of Commerce (KvK) number: 93861524
Website: https://masonpete.com/nl/
Privacy contact: privacy@masonpete.com
Mason Pete Dynamics B.V. [has / has not] appointed a Data Protection Officer. If applicable: [insert name and contact details of the DPO].
2. When does this privacy statement apply?
This privacy statement applies to personal data that Mason Pete Dynamics B.V. processes for its own purposes, for example when you:
• visit our website;
• contact us;
• are a client, prospect, supplier or partner on behalf of your organisation;
• request a quotation or enter into an agreement with us;
• take part in business communication with Mason Pete Dynamics B.V.;
• apply for a job with Mason Pete Dynamics B.V.;
• receive marketing communications from us.
In client engagements, Mason Pete Dynamics B.V. may also process personal data within a client's systems, applications or processes. Examples include CRM systems, Microsoft Dynamics 365, Microsoft 365 environments, security tools, log files or project documentation. In those cases, the client usually determines the purposes and means of the processing. Mason Pete Dynamics B.V. then in principle processes those data as a processor and exclusively in accordance with the arrangements made with the client.
3. Roles: controller, processor and joint controllership
Mason Pete Dynamics B.V. is a controller where it itself determines the purposes and means of the processing of personal data. This applies, for example, to our own website, administration, communication, marketing, relationship management, recruitment, security and business operations.
Mason Pete Dynamics B.V. is usually a processor where it processes personal data on behalf of a client, within that client's environment or processes. This may be the case, for example, with implementations, support, risk analyses, incident investigations, penetration tests or work in the client's CRM, Microsoft 365 or security environments.
In those cases, the client is in principle responsible for informing data subjects and for determining the purposes, means and retention periods. Arrangements concerning, among other things, security, confidentiality, sub-processors, incident notification, audits, retention periods and deletion are laid down in a data processing agreement or in other contractual arrangements.
Only where Mason Pete Dynamics B.V. and another party jointly determine the purposes and essential means of a processing operation may joint controllership exist. Where this is the case, the parties record their respective responsibilities in writing.
4. Which personal data do we process?
Depending on your relationship with Mason Pete Dynamics B.V., we may process the following personal data.
4.1 Contact and company details
• name;
• business e-mail address;
• business telephone number;
• job title;
• organisation;
• department;
• business address details;
• communication preferences.
4.2 Communication data
• content of e-mails, messages and contact forms;
• meeting notes;
• meeting appointments;
• correspondence;
• communication metadata, such as date, time and the contact persons involved.
4.3 Quotation, contract and invoicing data
• quotation details;
• order confirmations;
• contract details;
• purchase orders;
• invoices;
• payment details;
• details of authorised signatories or operational contact persons.
4.4 Website data
When you visit our website, we may process:
• IP address;
• browser and device data;
• pages visited;
• referral source;
• date and time of the visit;
• cookie preferences;
• data you enter via forms.
More information is available in our cookie policy.
4.5 Marketing and relationship management data
• name and business contact details;
• organisation and job title;
• areas of interest;
• subscription status for newsletters or events;
• open and click statistics, where applicable;
• opt-out records.
4.6 Job application data
When you apply for a job with Mason Pete Dynamics B.V., we may process:
• name and contact details;
• CV;
• cover letter;
• education and work experience;
• LinkedIn profile or portfolio, if you provide it;
• interview notes;
• references, where relevant and permitted;
• other information you provide yourself in the context of the application.
4.7 Technical, log and security data
In advisory, implementation, management, risk analysis, incident or cybersecurity work, Mason Pete Dynamics B.V. may process technical data such as:
• log files;
• system and application metadata;
• user and access rights;
• audit trails;
• security events;
• vulnerability information;
• incident data;
• network and configuration data;
• data from security tools;
• information about security measures.
Mason Pete Dynamics B.V. processes these data only to the extent necessary for the purpose of the engagement, for its own security, or to be able to demonstrate the work performed.
4.8 Data we encounter in client environments
In client projects, Mason Pete Dynamics B.V. may encounter personal data of employees, customers, prospects, suppliers or other relations of the client. This may occur, for example, in Microsoft Dynamics 365, Microsoft Dynamics CE, CRM systems, Microsoft 365 environments, security tools, service desk systems or project documentation.
Where Mason Pete Dynamics B.V. processes these data exclusively on behalf of the client, Mason Pete Dynamics B.V. does not use them for its own purposes. The processing then takes place within the agreed engagement and in accordance with the client's instructions.
4.9 Data in technical and physical penetration tests
In technical and physical penetration tests, Mason Pete Dynamics B.V. may, depending on the agreed scope, process or encounter personal data necessary for the performance and reporting of the engagement.
In technical penetration tests, this may include:
• usernames or account details;
• system and application logs;
• IP addresses and technical metadata;
• authorisations and access rights;
• vulnerability information;
• configuration data;
• screenshots or evidence of findings, to the extent necessary.
In physical penetration tests, this may include:
• names, job titles or roles of employees or visitors;
• visitor registrations;
• access logs;
• badges, access passes or pass numbers;
• observations of security procedures;
• photographs or screenshots, to the extent necessary for reporting;
• camera footage, to the extent this expressly falls within the agreed scope or is necessary for assessing physical security measures;
• findings concerning physical security measures.
Mason Pete Dynamics B.V. processes these data only to the extent necessary for the performance of the engagement and within the scope agreed in advance. Where possible, personal data in findings and reports are limited, anonymised, pseudonymised or omitted.
Arrangements concerning scope, authority, working methods, confidentiality, security, reporting, retention periods and deletion are primarily laid down in the order confirmation, services agreement and/or data processing agreement.
5. Special categories of personal data
Mason Pete Dynamics B.V. does not knowingly process special categories of personal data, such as health data, data concerning racial or ethnic origin, political opinions, religious beliefs or trade union membership, unless this is strictly necessary and lawful.
Where such data unexpectedly occur in client environments or project information, Mason Pete Dynamics B.V. processes them exclusively within the limits of the engagement and in accordance with the applicable contractual and statutory safeguards.
6. For which purposes do we process personal data?
Mason Pete Dynamics B.V. processes personal data for the following purposes:
• Contact and communication: to answer questions, make appointments and maintain business contacts.
• Quotations and contract management: to prepare quotations, assess engagements, conclude agreements and perform arrangements.
• Performance of advisory and consultancy engagements: to support clients in areas including Microsoft Dynamics 365, CRM adoption, digital transformation, operational processes and IT or security matters.
• Cybersecurity advice, risk analyses and penetration tests: to investigate security risks, identify vulnerabilities, analyse incidents and report findings within the agreed engagement.
• Improvement of our services: to improve our services, processes, communication and project approach.
• Security of systems and business operations: to secure our own systems, data, communication and business operations and to prevent or investigate misuse, unauthorised access or incidents.
• Administration and invoicing: to maintain our financial administration, send invoices, process payments and comply with tax obligations.
• Marketing and relationship management: to inform business relations about relevant services, knowledge sharing, events or developments, to the extent permitted.
• Recruitment: to assess applications, maintain contact with candidates and complete the application procedure.
• Legal obligations and legal position: to comply with legal obligations and to establish, exercise or substantiate rights or claims of Mason Pete Dynamics B.V., clients or third parties.
7. On which legal bases do we process personal data?
Mason Pete Dynamics B.V. processes personal data only where a legal basis exists.
• For contact and communication, we process personal data on the basis of our legitimate interest in answering questions, maintaining business relationships and communicating with clients, prospects, suppliers and other contacts. Where the communication relates to the conclusion or performance of an agreement, the processing may also be necessary for the performance of that agreement.
• For quotations and contract management, we process personal data to assess requests, prepare quotations, record arrangements and perform agreements. This processing takes place on the basis of the performance of an agreement or, prior to that, on the basis of our legitimate interest in handling business requests with due care.
• For the performance of our engagements, we process personal data to the extent necessary to deliver the agreed services. This may include advisory, implementation, consultancy, cybersecurity or penetration testing work. Where Mason Pete Dynamics B.V. processes personal data exclusively on behalf of a client, this is usually done in the role of processor and in accordance with the arrangements made with that client.
• For cybersecurity advice, risk analyses and penetration tests, we process personal data to the extent necessary for the performance of the engagement, the investigation of security risks, the recording of findings and the reporting to the client. Depending on the specific situation, this takes place on the basis of the performance of an agreement, our legitimate interest in secure and reliable services, or as processing on behalf of the client.
• For the security of our own systems, data and business operations, we process personal data on the basis of our legitimate interest. This interest includes preventing, detecting and investigating misuse, unauthorised access, incidents and other security risks.
• For administration and invoicing, we process personal data to the extent necessary for our financial administration, invoicing, payment processing and tax obligations. This processing takes place on the basis of legal obligations and, where relevant, the performance of an agreement.
• For marketing to existing business contacts, we may process personal data on the basis of our legitimate interest, to the extent permitted by law. Where consent is required for certain forms of marketing, such as certain newsletters, electronic marketing or tracking, we ask for consent in advance. You can opt out of marketing communications at any time.
• For non-essential cookies and similar tracking technologies, we process personal data only on the basis of consent, unless the cookies concerned do not require consent by law. More information is available in our cookie policy.
• For recruitment, we process personal data to assess applications, maintain contact with candidates and conduct the application procedure. This is done on the basis of our legitimate interest, the taking of pre-contractual measures or, where we wish to retain application data for longer, on the basis of your consent.
• For establishing, exercising or substantiating legal claims, we process personal data on the basis of our legitimate interest in protecting our legal position.
• Where we rely on legitimate interest, we balance our interest against the privacy interests of data subjects. Examples of legitimate interests include business communication, relationship management, security, fraud prevention, improvement of services and protection of our legal position.
8. Marketing and newsletters
Mason Pete Dynamics B.V. focuses primarily on business clients. We may approach contact persons of clients, prospects and business relations with information about our services, knowledge sharing or events, to the extent permitted by law.
Where consent is required, we ask for it in advance. You can opt out of marketing communications at any time via the unsubscribe option in the message or by contacting us via [privacy contact e-mail address].
After opting out, we retain limited data to prevent us from approaching you again for the same communications.
9. Cookies and website tracking
Mason Pete Dynamics B.V. uses cookies and similar technologies on its website. Some cookies are necessary for the website to function. For analytics, marketing or tracking cookies, we ask for consent where legally required.
More information is available in our cookie policy.
10. From whom do we receive personal data?
We usually receive personal data directly from you, for example when you contact us, become a client, sign up for communications or apply for a job.
In addition, we may receive personal data via:
• your employer or principal;
• colleagues or business relations;
• public business sources, such as the Dutch Commercial Register (Handelsregister), LinkedIn or company websites;
• clients or project partners;
• clients' systems or environments in which Mason Pete Dynamics B.V. performs work.
Where Mason Pete Dynamics B.V. acts as a processor, the client is in principle responsible for informing data subjects.
11. With whom do we share personal data?
Mason Pete Dynamics B.V. does not sell personal data. We share personal data only where necessary for the purposes described in this privacy statement, where required by law, or where consent has been given.
We may share personal data with, among others:
• hosting and website providers;
• IT service providers;
• CRM and communication tools;
• e-mail and marketing tools;
• Microsoft and other cloud or software vendors;
• security vendors, such as [Microsoft Defender], [CrowdStrike], [WithSecure] or other relevant vendors, where applicable;
• bookkeepers, accountants or administrative service providers;
• ISO, compliance or audit service providers, where applicable;
• legal advisors, insurers or external experts;
• clients, to the extent data form part of project results or reports;
• government bodies or supervisory authorities, where we are legally required to do so.
Where third parties process personal data on behalf of Mason Pete Dynamics B.V., we enter into a data processing agreement where necessary. Where Mason Pete Dynamics B.V. processes personal data on behalf of a client, arrangements concerning sub-processors are laid down in the contractual documentation with the client.
An up-to-date list of relevant processors and sub-processors is available on request via privacy@masonpete.com.
12. International transfers
Mason Pete Dynamics B.V. aims to process personal data within the European Economic Area as far as possible. Suppliers or sub-processors may, however, process personal data in countries outside the EEA, for example in the case of international cloud, software, marketing or security vendors.
Where personal data are processed outside the EEA, we ensure that an appropriate transfer mechanism is in place, such as:
• an adequacy decision of the European Commission;
• standard contractual clauses of the European Commission;
• additional technical and organisational measures, where necessary.
The actual countries and suppliers must be determined and completed on the basis of the systems and sub-processors used: [countries outside the EEA] and [insert sub-processors/suppliers].
13. How do we secure personal data?
Mason Pete Dynamics B.V. takes appropriate technical and organisational measures to protect personal data against loss, unauthorised access, misuse, alteration or disclosure.
Mason Pete Dynamics B.V. applies an information security approach aligned with [ISO/IEC 27001 / insert own information security management system if factually correct]. Depending on the nature of the processing, measures may include:
• access restrictions and authorisation management;
• multi-factor authentication;
• secure communication and storage;
• encryption where appropriate;
• logging and monitoring;
• confidentiality obligations;
• periodic review of security measures;
• arrangements with suppliers and processors;
• restriction of access to project information to those who need it.
We do not include in this privacy statement any technical details that could undermine the security of systems.
14. How long do we retain personal data?
Mason Pete Dynamics B.V. does not retain personal data longer than necessary for the purpose for which they were collected, unless a longer retention period is legally required or justified. We apply the following principles:
• We retain contact and communication data for as long as necessary for the business relationship. Thereafter, we may retain these data for a reasonable period for relationship management, follow-up or evidentiary purposes.
• We retain quotation data for [insert retention period] after the last contact, the rejection of the quotation or its expiry, unless longer retention is necessary for evidentiary purposes or further business follow-up.
• We retain contract and project data for the term of the agreement. Thereafter, we retain these data for as long as necessary for administration, evidence, compliance with legal obligations or the handling of any questions, complaints or disputes.
• We retain invoicing and administrative data in principle for seven years, to the extent tax or administrative retention obligations apply.
• We retain marketing data until you opt out or object to the use of your data for marketing purposes. Thereafter, we may retain limited opt-out records to ensure that we respect your opt-out.
• We retain job application data in principle for a maximum of four weeks after completion of the application procedure. If you consent to a longer retention of your data for future vacancies, we retain these data for a maximum of one year, unless you withdraw your consent earlier.
• We retain security logs of our own systems for [insert retention period], unless longer retention is necessary for investigating a security incident, misuse, unauthorised access or another specific security threat.
• We retain penetration testing materials and reports in accordance with the arrangements in the order confirmation, services agreement and/or data processing agreement. The principle applied is that underlying test data and personal data are not retained longer than necessary for the performance, reporting, validation and any follow-up of the engagement. The specific retention period is: [insert retention period].
• We retain cookie data in accordance with the periods set out in our cookie policy.
Where Mason Pete Dynamics B.V. processes personal data on behalf of a client, the retention periods agreed with the client apply.
15. Automated decision-making
Mason Pete Dynamics B.V. does not make decisions about individuals based solely on automated processing that produce legal effects or otherwise significantly affect individuals.
If this changes in the future, we will inform data subjects accordingly.
16. Your rights
Within the limits of the GDPR, you have the following rights:
• the right of access to your personal data;
• the right to rectification of inaccurate or incomplete data;
• the right to erasure of data;
• the right to restriction of processing;
• the right to data portability;
• the right to object to processing based on legitimate interest;
• the right to object to direct marketing;
• the right to withdraw consent, where processing is based on consent;
• the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
You can exercise your rights by contacting us via privacy@masonpete.com.
We may ask you for additional information to verify your identity. In principle, we respond within one month. For complex or extensive requests, we may extend this period by a maximum of two months. In that case, we will inform you within the first month.
Where Mason Pete Dynamics B.V. processes personal data exclusively on behalf of a client, we may refer your request to the relevant client or handle the request in consultation with that client.
17. Withdrawing consent
Where we process personal data on the basis of consent, you may withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
18. Objecting to legitimate interest
Where we process personal data on the basis of a legitimate interest, you may object to that processing. We will then cease the processing, unless we have compelling legitimate grounds to continue it or the processing is necessary for legal claims.
You may object to direct marketing at any time. We will then stop using your data for that purpose.
19. Complaints to the Dutch Data Protection Authority
If you believe that Mason Pete Dynamics B.V. does not handle your personal data with due care, you can contact us via privacy@masonpete.com. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag, the Netherlands
Website: autoriteitpersoonsgegevens.nl
20. Changes
Mason Pete Dynamics B.V. may amend this privacy statement, for example where our services, systems, suppliers or legal obligations change. The most recent version is available on our website. In the event of significant changes, we update the date at the top of this statement and inform data subjects where appropriate.
21. Contact
For questions about this privacy statement or about the processing of personal data, please contact:
Mason Pete Dynamics B.V.
Breestraat 101, 1941 EG Beverwijk
privacy@masonpete.com