Legal
Platform privacy statement
Protection of personal data of Toolsquare platform users · Version 2.0 · May 2025
1. Purpose
Through this privacy statement, Toolsquare BV (The Beacon, Sint-Pietersvliet 7, B2000 Antwerp, Belgium, VAT BE 0746.407.674) informs users of the Toolsquare platform about the personal data that are processed in the context of their use of the platform.
The processing of personal data is justified and necessary for either (i) the execution of the contract between Toolsquare and the client organisation, and/or (ii) the execution of the employment contract or agreement between the user and the client organisation.
This statement has been prepared in accordance with the General Data Protection Regulation (Regulation 2016/679) and the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
2. Data processed and purposes
2.1 Access and usage management
Purpose: to manage, control and record access to and use of equipment.
Legal basis: execution of the employment contract/agreement between the user and the client organisation.
Data categories: personal identification data (name, first name, email address, phone number); authentication data (password stored in hashed form, badge/card identifier); organisational data (employer/client identification); usage data (start and end time of machine use, machine identifier, session duration); billing data (only applicable where equipment use takes place outside the framework of an employment contract).
2.2 Safety and access control
Purpose: to enforce training-based access rules, ensure only qualified users operate specific equipment, and maintain a safety and compliance audit trail.
Legal basis: legitimate interest of the client organisation and/or legal obligation (safety regulations, GxP, ISO, 21 CFR Part 11).
Data categories: user identity, certification status, access events (granted/denied), timestamps.
2.3 Incident management
Purpose: to record and route equipment incidents and defects reported via the platform.
Legal basis: legitimate interest of the client organisation.
Data categories: user identity, machine identifier, incident description, timestamp.
3. Sub-processors
Toolsquare uses the following sub-processors to operate the platform: (i) Cloud infrastructure provider (hosting and data storage): data processed within the EU/EEA. (ii) Authentication services: used for single sign-on (SSO) integrations where configured by the client. (iii) Email delivery service: used for system notifications.
A current list of sub-processors is available on request at privacy@toolsquare.io. Toolsquare will inform clients of any intended changes to this list in advance, giving clients the opportunity to object.
4. Retention periods
Toolsquare retains personal data no longer than necessary for the purposes described above:
Active user account data: retained for the duration of the user account, until inactivation.
Usage session data: retained for the duration of the active contract. After contract termination, data is pseudonymised within 30 days unless the client has configured a longer retention period, subject to a maximum of 7 years for audit trail purposes under applicable regulatory requirements (GxP, ISO, 21 CFR Part 11).
Access and incident logs: retained for the duration of the active contract plus 1 year, or longer if required by applicable regulatory frameworks.
In the event of termination of the contractual relationship between a user and the client organisation, the client must inactivate the user account as soon as possible. If the client or user does not do so, the client commits to notify Toolsquare promptly.
Note: if your organisation operates under GxP, ISO or 21 CFR Part 11 requirements and requires extended retention of usage and audit data beyond the default periods above, please contact your Toolsquare account manager to configure this accordingly.
5. User rights
Right of access
You are entitled to access and inspect the personal data processed by Toolsquare at any time. Upon request, Toolsquare will provide a copy of your personal data.
Right to rectification
You have the right to have incorrect, incomplete, inappropriate or outdated personal data corrected or removed.
Right to erasure
You have the right to erasure of your personal data if: (i) the data is no longer necessary for the purposes for which it was processed; (ii) the data was processed unlawfully; or (iii) you justifiably object to the processing.
Right to restriction of processing
You have the right to restrict data processing if: (i) you dispute the accuracy of the data pending verification; (ii) processing is unlawful and you request restriction rather than erasure; (iii) Toolsquare no longer needs the data but you need it for a legal claim; or (iv) you have objected to processing pending verification of that objection.
Right to data portability
You have the right to obtain your personal data processed by Toolsquare in a structured, commonly used and machine-readable format.
Right to object
You have the right to object to processing for reasons related to your specific situation. Toolsquare will cease processing unless it establishes compelling legitimate grounds that outweigh your interests, rights and freedoms, or grounds related to a legal claim.
Exercising your rights
To exercise any of the above rights, send a dated and signed written request together with a copy of your identity document to Toolsquare at privacy@toolsquare.io. Requests are handled free of charge within one month, extendable by two months for complex cases. Manifestly unfounded or excessive requests (including repeated requests) may be subject to a reasonable administrative fee.
6. Data security
Users' personal data are strictly confidential. Toolsquare takes appropriate technical and organisational measures to protect personal data against destruction, loss, unintentional modification, damage, accidental or unlawful access, or any other unauthorised processing.
Measures include: encrypted data transmission (TLS), encrypted data storage, role-based access controls, regular security assessments and penetration testing, and incident response procedures.
In the event of a personal data breach that poses a risk to the rights and freedoms of users, Toolsquare will notify the Belgian Data Protection Authority within 72 hours. If the breach poses a high risk, affected users will be notified directly without undue delay.
All personal data breaches are recorded in a breach register, including the facts, consequences and remedial measures taken.
7. Supervisory authority
Users have the right to file a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit), Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be, www.dataprotectionauthority.be.
8. Changes to this statement
Toolsquare reserves the right to amend this privacy statement at any time. If significant changes are made, the date of the statement will be updated and users will be notified and provided with a copy of the updated statement.
Current version: 2.0, May 2025. Replaces version 1.0 of 8 June 2022.