Privacy Policy

At Blindspot Group BV, we value your privacy and are committed to protecting the personal data of our Customers, Users, and partners. This Privacy Policy explains how we collect, use, store, and protect personal data in the context of the services we offer through our platform and Application. This policy is intended to ensure transparency and to inform you of your rights under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR). By using our services, accessing the Application, or otherwise interacting with Blindspot Group BV, you acknowledge that you have read and understood this Privacy Policy. If you act as a Customer and provide or manage personal data through the Application, you are responsible for ensuring that such processing is done in accordance with the applicable privacy legislation. If you have any questions or concerns about how your personal data is handled, you may contact us at info@blindspotapp.com.

1. Data Controller Responsibility
1.1. Blindspot Group BV acts as a data controller in relation to the processing of personal data that is necessary for the provision of its Services. In this capacity, Blindspot Group BV determines the purposes and means of such processing in accordance with the applicable data protection legislation, including the General Data Protection Regulation (GDPR).

1.2. The Customer, as the party making use of the Blindspot® Application, remains solely responsible for ensuring that any data entered, uploaded, or otherwise managed within the Application is processed in accordance with all applicable privacy laws and regulations. This includes, where required, obtaining valid consents from data subjects (e.g., employees or other Users) whose personal data may be processed via the Application.

2. Categories and Legal Grounds for Processing
2.1. The Blindspot® Application may collect and process various categories of personal data, including
but not limited to:

Identification details (e.g., names of employees or Users);
Contact information (e.g., email addresses, phone numbers);
Usage data (e.g., login activity, feature usage, technical logs).
Integration data (only if you connect a calendar integration such as Google Calendar)
including calendar and scheduling data (e.g., calendars, events, availability/free-busy) and
authentication data (OAuth tokens). See Section 8 for full details on Google user data.

2.2. The processing of this personal data is carried out based on one or more of the following legal
grounds:

Performance of a contract: when processing is necessary to deliver the Services as agreed upon with the Customer;

Legitimate interests: when processing is necessary for purposes such as system integrity, fraud prevention, and improving the functionality and security of the Application, except where such interests are overridden by the rights and freedoms of the data subjects;

Legal obligations: when processing is necessary to comply with applicable laws, including obligations related to tax, accounting, or judicial proceedings.

3. Data Subject Rights
3.1. Individuals whose personal data is processed by Blindspot Group BV (including Users and third parties) have the following rights under the GDPR:

The right to access their personal data;
The right to rectify inaccurate or incomplete data;
The right to erase personal data ("right to be forgotten");
The right to restrict the processing of their personal data;
The right to object to processing;
The right to data portability;
The right to lodge a complaint with the Belgian Data Protection Authority.

3.2. To exercise these rights, individuals may contact Blindspot Group BV at the following email address: info@blindspotapp.com. Blindspot Group BV undertakes to respond to all valid requests within a reasonable timeframe, and in any event within the deadlines imposed by applicable law.

3.3. The Customer remains responsible for facilitating the exercise of data subject rights in relation to the personal data that it enters or manages within the Application. Blindspot Group BV will provide reasonable cooperation and assistance to the Customer to ensure compliance with applicable privacy legislation.

4. Data Retention
Blindspot Group BV retains personal data only for as long as necessary to fulfill the purposes for which the data was collected, or to comply with legal or regulatory obligations. Upon expiration of this retention period, the personal data will be securely deleted or irreversibly anonymized. Specific retention periods can be provided to the Customer upon written request.

5. Security Measures
Blindspot Group BV has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with personal data processing. These measures include, but are not limited to:

Data encryption;
Access control protocols;
Role-based user access restrictions;
Regular vulnerability scans and security audits;
Incident response procedures.
For calendar integrations (e.g., Google Calendar): OAuth 2.0 protocol for authentication and
authorization, combined with minimum relevant permissions.

6. Data Breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, Blindspot Group BV will notify the affected Customer(s) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification shall include:

A description of the nature of the breach;
The types and volume of data affected;
The potential consequences;
The corrective actions taken or proposed by Blindspot Group BV to mitigate any adverse effects.

7. International Data Transfers
Where personal data is transferred to or processed in countries outside the European Economic Area (EEA), Blindspot Group BV ensures that such transfers are subject to appropriate safeguards as required by the GDPR. These safeguards may include:

The use of Standard Contractual Clauses approved by the European Commission;
Transfers to countries with an adequacy decision by the European Commission;
Binding corporate rules or other legally acceptable mechanisms.

8. Google User Data (Google Calendar Integration)
If you choose to connect Google Calendar to the Blindspot® platform, we will access and process Google user data as described below. Our use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy ( https://developers.google.com/terms/api- services-user-data-policy ), including the Limited Use requirements, and the Google APIs Terms of Service (https://developers.google.com/terms ).

8.1 Data Accessed: Depending on the features enabled, the Application may access: calendar identifiers, event metadata (title, summary, start/end time, location, attendees), and availability (free/busy) information. We also store OAuth access and refresh tokens to maintain the integration. We do not access your Google account password.

8.2 Data Usage: We use Google Calendar data strictly to provide the requested features, such as: synchronizing appointments with the Blindspot® route planning engine, detecting scheduling conflicts, and updating events when explicitly triggered by the user. We do not use Google user data for advertising, profiling, or selling data. We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine learning models.

8.3 Data Sharing: We do not share Google Calendar data with third parties for their own purposes, and we do not share Google user data with third parties for marketing, advertising, or other commercial purposes that do not directly contribute to providing the requested functionality. Google user data may be processed by our service providers strictly on our behalf (e.g., cloud hosting, database, analytics limited to technical logs, customer support tooling) to deliver the Services. Such providers are bound by contractual confidentiality and data protection obligations.

8.4 Data Storage & Protection: All Google-sourced data is stored on secure servers located within the EEA. Access is restricted to authorized personnel who require it to support the integration. Human access to Google user data is restricted and permitted only (i) with the user’s explicit consent for specific support requests, or (ii) as necessary for security purposes (e.g., investigating abuse, fraud, or suspected vulnerabilities), or (iii) to comply with applicable law.

8.5 Data Retention & Deletion: OAuth tokens are stored until you disconnect the integration or revoke access via your Google Account settings. Any cached calendar data is retained for a maximum of 30 days for synchronization purposes and then deleted. Deletion requests sent to info@blindspotapp.com will be processed within 30 days. You can also revoke the Application’s access to your Google account at any time via your Google Account permissions page (https://myaccount.google.com/permissions) or via Google’ Security/Third-party access settings. After revocation, we will stop synchronization and remove stored OAuth tokens. After revocation, account deletion, or a user request, all Google Calendar data associated with your account will be permanently deleted from Blindspot’s systems within 30 days.

Blindspot Group BV reserves the right to amend or update this Privacy Policy at any time in order to reflect changes in legal obligations, our data processing activities, or the services we offer. In case of material changes, we will inform the Customer through appropriate channels, such as email or in-app notifications. We encourage you to review this Privacy Policy periodically to stay informed about how we process and protect personal data.

Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or the way Blindspot Group BV handles personal data, you can contact us at:

Blindspot Group BV
VAT: BE1030.248.579
Email: info@blindspotapp.com
Address: Jordaensstraat 73 bus 0102, 2550 Kontich