1. Who we are
BalansPointe Health BV is the data controller for personal data processed in connection with our marketing, sales, and customer-relationship activities described in this policy.
- Legal entity: BalansPointe Health BV, incorporated in the Netherlands
- General contact: admin@balanspointe.com
- Privacy / data-subject requests: admin@balanspointe.com
We have not appointed a formal Data Protection Officer because our scale and processing activities do not meet the GDPR Art. 37 thresholds. The contact above handles all privacy inquiries.
2. What personal data we collect, why, and on what lawful basis
We collect the minimum data needed to operate our business. The following table maps each processing activity to its purpose, lawful basis under GDPR Art. 6, and retention period.
| Category | What we collect | Why | Lawful basis | Retention |
|---|---|---|---|---|
| Prospect / customer contacts | Name, work email, work phone, job title, employer, notes on business conversations | Identify the right people to talk to at hospitals and health systems; track sales and account-management activity | Legitimate interest (Art. 6(1)(f)) — running a B2B business | Active relationship + 24 months after last meaningful interaction; then deleted or anonymised |
| Inbound inquiries (website form) | Name, email, message contents | Respond to your question | Legitimate interest (Art. 6(1)(f)) / pre-contractual steps (Art. 6(1)(b)) | 24 months from last reply |
| Customer account holders | Name, work email, role assignment, audit log of actions in our tools | Operate the platform; enforce access control; security audit | Contract (Art. 6(1)(b)) | Duration of contract + 6 years (statutory accounting period) |
| Email correspondence (sent/received) | From / to / subject / body of business emails connected to a relationship | Service history; audit trail of commitments | Legitimate interest (Art. 6(1)(f)) | 7 years from sending |
| Billing and contracts | Company billing contact, invoices, signed agreements | Invoice, account for revenue, comply with tax law | Legal obligation (Art. 6(1)(c)) — Dutch tax retention | 7 years (Dutch Algemene wet inzake rijksbelastingen) |
| Marketing emails (opted-in) | Email address, engagement (opens, clicks) | Send invited newsletters and product updates | Consent (Art. 6(1)(a)) — withdraw any time | Until you unsubscribe |
We do not sell personal data. We do not use personal data for automated decision-making with legal effect, nor do we engage in profiling.
We do not knowingly process special-category data (health, ethnicity, etc.) about prospects or customer contacts via our CRM. Patient and clinician data inside hospital workforce datasets is handled separately, under a Data Processing Agreement with the hospital — see the DPA template.
3. Where the data lives, and international transfers
We aim to keep European customer data in the European Economic Area wherever feasible. The breakdown:
- Primary database: hosted by Neon in eu-central-1 (Frankfurt, Germany). No transfer outside the EEA for data at rest.
- Application runtime: hosted by Vercel. Vercel is a US company; functions execute in the region nearest the user, which for our European customers means EU regions. Vercel acts as a processor under its Data Processing Addendum and Standard Contractual Clauses.
- Authentication: provided by Clerk (US company). Authentication metadata (email, session tokens) may be processed in the US. Transfers rely on Clerk’s Data Processing Addendum and the Standard Contractual Clauses (Commission Decision 2021/914).
- Transactional email: sent via Resend (US company). Email content (which may contain customer-contact data) transits a US-based service. Transfers rely on Resend’s DPA and SCCs. We are evaluating an EU-region replacement.
- Source-code and backups: stored in private GitHub repositories (US). Database backup archives created by our GitHub Actions workflow live in GitHub-managed artifact storage (US) for up to 90 days. Subject to GitHub’s DPA and SCCs.
For full subprocessor details — including each processor’s location, role, and how to challenge a new one — see our subprocessor list.
4. Who we share data with
We disclose personal data to:
- Our subprocessors (listed at /subprocessors), only to the extent necessary to deliver the service.
- Professional advisors (accountants, lawyers, tax advisors) under confidentiality, when necessary.
- Authorities when compelled by valid legal process (court order, regulator request). We push back on overbroad requests.
- An acquirer in the event of a business sale or merger, with prior notice and contractual protections.
We do not share personal data with advertising networks, data brokers, or marketing-list resellers.
5. Cookies and analytics on this site
Our authenticated CRM application sets only strictly necessary cookies (session, CSRF). We do not run third-party advertising trackers or cross-site analytics on customer-facing application surfaces. If we later add a privacy-preserving analytics tool to this marketing site, this section will be updated and a consent banner will be surfaced where required.
6. Your rights under GDPR
If your personal data is processed by us as a controller, you have the following rights:
- Access — ask for a copy of the personal data we hold about you (Art. 15).
- Rectification — correct inaccurate or incomplete data (Art. 16).
- Erasure — request deletion, subject to our retention obligations (Art. 17).
- Restriction — limit processing while a dispute is resolved (Art. 18).
- Portability — receive your data in a structured, commonly used, machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interests, including direct marketing (Art. 21).
- Withdraw consent — for any processing based on consent, with no effect on prior lawful processing (Art. 7(3)).
To exercise any of these rights, email admin@balanspointe.com. We respond within one month (extendable by two months for complex requests, with notice). We may need to verify your identity before acting.
You also have the right to lodge a complaint with a supervisory authority — for example, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or your local authority in another EU member state.
7. How we secure data
- TLS encryption in transit; encryption at rest for the database.
- Role-based access control inside the CRM; every change is recorded to an audit log retained for the contract duration.
- Authentication via Clerk with multi-factor authentication available and recommended for all customer accounts.
- Daily automated database backups with 90-day retention; point-in-time recovery available within the database provider’s window.
- Secrets and credentials stored outside source control; deployments gated behind reviewed CI workflows.
8. Children
Our services are B2B and not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently done so, please contact us and we will delete it.
9. Changes to this policy
We may update this policy to reflect changes in our practices, our subprocessor list, or the law. Material changes will be communicated to existing customers by email or in-product notice at least 30 days before they take effect. The version number and “Last updated” date at the top of this page change with every revision; the full revision history is available in our public source repository (Git history).
10. Contact
Questions, requests, or complaints about how we handle personal data: admin@balanspointe.com.
