1. Introduction
Herbalorganic ("we", "us", or "our") respects your privacy and is committed to protecting the personal data you share with us. This document describes our practices regarding the information we receive when you visit our website, contact us, or otherwise interact with our general informational content about light movement during the working day.
We provide general, educational content for office workers. We do not offer medical services, and the personal data we process is limited to what we genuinely need to respond to enquiries and operate the website responsibly.
Please read this policy together with our Cookie Policy and Terms of Use, which form part of how we explain our practices to you.
2. Who we are (data controller)
The data controller responsible for your personal data is Herbalorganic, based in Amsterdam, the Netherlands. You can find our full identification details on the Impressum page. Our contact details are:
- Address: Johan Cruijff Boulevard 247A, 1101 EJ Amsterdam, the Netherlands.
- Telephone: +31 20 567 9111.
- Email: inquiry@herbalorganic.world.
If you have any questions about this policy or about how we treat your information, you are welcome to reach out using any of the details above.
3. Data we collect
We aim to collect as little personal data as possible. Depending on how you interact with us, the categories of data we may process include the following.
3.1 Information you provide directly
- Your name, when you complete the contact form.
- Your email address, so that we can reply to you.
- The content of your message, including any details you choose to share about your office or schedule.
- Your consent record, confirming that you agreed to our privacy terms when submitting an enquiry.
3.2 Information collected automatically
When you browse the website, limited technical information may be processed to keep the site secure and functioning, such as your approximate region, browser type, and pages viewed. Where this involves non-essential cookies, we ask for your consent first, as explained in our Cookie Policy.
3.3 Information we do not seek
We do not ask for special categories of data such as health information. Please do not send us sensitive details through the contact form, as our service is general and informational and is not designed to process that kind of data.
4. Purposes and legal bases
Under the GDPR we must have a valid legal basis for each processing activity. The list below sets out our main purposes and the corresponding legal bases.
- Responding to enquiries. When you contact us, we process your details to read and reply to your message. The legal basis is your consent and, where relevant, our legitimate interest in answering questions about our content.
- Operating and securing the website. We process limited technical data to keep the site available and protected. The legal basis is our legitimate interest in running a safe, reliable website.
- Analytics and marketing cookies. Where you allow them, we may use cookies to understand aggregated usage or to support relevant messaging. The legal basis is your consent, which you can withdraw at any time.
- Meeting legal obligations. We may process data where the law requires us to, for example to respond to a valid legal request. The legal basis is compliance with a legal obligation.
5. Sharing and service providers
We do not sell your personal data. We share it only where necessary and with appropriate safeguards in place. This may include:
- Trusted service providers who help us host the website, manage email, or maintain security, acting as processors under written agreements.
- Professional advisers, such as legal or accounting professionals, where this is necessary and proportionate.
- Public authorities, where we are legally required to disclose information.
Each processor is required to handle your data only on our instructions and to apply suitable technical and organisational measures to protect it.
6. Retention periods
We keep personal data only for as long as it is needed for the purposes described above, after which it is deleted or anonymised.
- Enquiry messages: retained for up to twenty-four months from our last contact, so we can follow up if you reach out again.
- Consent records: retained for as long as needed to demonstrate that valid consent was given, and for a reasonable period afterwards.
- Technical and security logs: retained for a short period, typically no longer than twelve months, unless a longer period is required for security reasons.
Where a legal obligation requires a longer retention period, we will keep the relevant data for that period and then remove it.
7. Security measures
We take the protection of your data seriously and apply technical and organisational measures appropriate to the risk. These include:
- Encrypted connections (HTTPS) across the website.
- Access controls that limit who can view personal data.
- Regular review of our tools and providers for sound security practices.
- Data minimisation, so that we hold only what we genuinely need.
While no method of transmission or storage is ever completely secure, we work to protect your information and to address any issues promptly should they arise.
8. Your rights
Subject to the conditions of the GDPR, you have the following rights in relation to your personal data:
- Access: to request a copy of the personal data we hold about you.
- Rectification: to ask us to correct inaccurate or incomplete data.
- Erasure: to request deletion of your data in certain circumstances.
- Restriction: to ask us to limit how we use your data.
- Portability: to receive certain data in a structured, commonly used format.
- Objection: to object to processing based on legitimate interests.
- Withdraw consent: to withdraw consent at any time where processing is based on it.
To exercise any of these rights, please contact us using the details in section 2. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data has not been handled properly.
9. International transfers
We aim to keep personal data within the European Economic Area (EEA). If any provider processes data outside the EEA, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses, so that your data continues to receive an equivalent level of protection.
10. Children
Our content and services are intended for adults in a professional setting. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can remove it.
11. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or in the law. When we make material changes, we will update the date shown at the top of this page. We encourage you to review this policy periodically.
12. How to contact us
If you have any questions, requests, or concerns about this Privacy Policy or about how we handle your personal data, please contact us at the address, telephone number, or email listed in section 2, or through our contact page. We will respond within a reasonable timeframe.