Privacy Policy

CTRL Disrupt

What We Do

About

Start a Conversation

CTRL Disrupt Consulting B.V. · Last updated [2026-06-08]

Privacy Policy

CTRL Disrupt Consulting B.V. ("CTRL Disrupt", "we", "us") is committed to handling personal data with the same care and rigour we bring to our clients' security and risk programs. This policy explains what personal data we collect through this website, why we collect it, and what your rights are.

1. Who we are

CTRL Disrupt Consulting B.V. Marshalllaan 2, 2625 GZ Delft, The Netherlands KvK 87198983 info@ctrl-disrupt.nl

We are the data controller for the personal data described in this policy.

2. What we collect, and why

Contact form. When you submit our contact form, we collect your name, organisation, email address, phone number (if provided), and the contents of your message. We use this data to respond to your enquiry and, where relevant, to follow up on a potential working relationship. Legal basis: our legitimate interest in responding to enquiries directed at us (Art. 6(1)(f) GDPR), and, where your enquiry leads to an agreement, steps taken at your request prior to entering into a contract (Art. 6(1)(b) GDPR).

Job applications. When you apply for a role through our Careers pages, we collect your name, email address, phone number (if provided), the role you are applying for, any links you choose to share (such as LinkedIn, MainDeck, or a portfolio), and the contents of your message. We use this data solely to assess your application and to communicate with you about it. Legal basis: steps taken at your request prior to entering into a possible employment relationship (Art. 6(1)(b) GDPR) and our legitimate interest in recruitment and assessing candidates (Art. 6(1)(f) GDPR). We ask you not to send us special categories of personal data (such as health or religious information) as part of your application, and we do not request a CV upload at this stage.

Email and phone correspondence. If you contact us directly, we process the personal data you share with us in that correspondence for the purpose of handling your enquiry. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

Website analytics. We use Framer's built-in, privacy-first analytics to understand aggregate website traffic (such as page views, country, device type, and referral source). This tool does not use cookies or persistent identifiers and does not build profiles of individual visitors. The data we see is aggregated and cannot be traced back to you.

We do not use advertising trackers, social media pixels, or marketing cookies on this website.

3. Cookies

This website does not set tracking or marketing cookies. Our website platform may set strictly necessary, functional cookies required for the website to operate. Because we do not use cookies that require consent, this website does not show a cookie consent banner. If this ever changes — for example, if we introduce tools that require consent — we will update this policy and ask for your consent first.

4. Who we share data with

We do not sell or rent personal data. We share personal data only with service providers (processors) who help us operate:

Framer B.V. (Amsterdam, the Netherlands) — hosts this website and processes contact form submissions on our behalf, under a data processing agreement.
Our email provider — provides our business email, where form submissions and correspondence are received and stored.

Where a service provider processes personal data outside the European Economic Area, transfers take place under appropriate safeguards such as the European Commission's Standard Contractual Clauses.

We may also disclose personal data where required by law or to protect our legal rights.

5. How long we keep your data

Contact form submissions and related correspondence: retained for as long as needed to handle your enquiry, and no longer than 12 months after our last contact, unless the enquiry leads to a client relationship — in which case the data is retained as part of our client records.
Job applications (unsuccessful candidates): deleted within 4 weeks of the application process concluding, unless you give us explicit consent to keep your details on file for future opportunities — in which case we retain them for up to 12 months and then delete them. You can withdraw that consent at any time.
Job applications (successful candidates): retained as part of your employment or engagement records.
Records we are legally required to keep (for example, financial administration) are retained for the statutory period (generally 7 years under Dutch law).

6. Your rights

Under the GDPR you have the right to access, rectify, or erase your personal data; to restrict or object to its processing; and to data portability. Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, email us at info@ctrl-disrupt.nl. We will respond within one month.

You also have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

7. Security

To exercise any of these rights, email us at info@ctrl-disrupt.nl. We will respond within one month.

You also have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. No automated decision-making

We do not use your personal data for automated decision-making or profiling.

9. Changes to this policy

We may update this policy from time to time, for example when our tooling or services change. The date at the top reflects the most recent version. Significant changes will be noted on this page.