Amstel Dutch respects your privacy and is committed to processing your personal data in a secure and diligent manner, in accordance with applicable laws and regulations, including the General Data Protection Regulation (GDPR). This statement sets out which personal data Amstel Dutch processes, for what purpose, how Amstel Dutch handles and protects this data, and how long it is retained. You are encouraged to review this privacy statement carefully.

Responsible for the processing of personal data is Amstel Dutch, with its registered office in (1018 GE) Amsterdam, at Sarphatistraat 173 2 and registered in the Trade Register of the Chamber of Commerce under number 67716113.

Do you have questions about your privacy? Please contact Amstel Dutch via info@amsteldutch.com. For additional information on the protection of personal data, please visit the website of the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl.

Personal Data

Amstel Dutch processes personal data within the meaning of Article 4 GDPR. Personal data is defined as any information relating to an identified or identifiable natural person. Amstel Dutch does not process personal data of persons under the age of 16 without the consent of a parent or guardian. If it appears that personal data of a minor has been processed without valid consent, Amstel Dutch will delete such data without undue delay. If you suspect that Amstel Dutch has processed personal data of a minor without consent, you may contact Amstel Dutch.

How does Amstel Dutch collect personal data?

Amstel Dutch obtains personal data when you use the web application or otherwise interact with Amstel Dutch. This occurs, among other things, when:

• you create an account or register in the web application;
• you log in via a Magic Link or use functionalities within the web application;
• you enter or generate data during the use of the web application;
• you contact us via email, telephone, or other means of communication;
• you voluntarily provide information, for example through feedback or correspondence.

Personal data, purposes and legal bases

Amstel Dutch processes personal data that is necessary for the provision, operation, and improvement of the web application and related services. This includes, among others, the following personal data:

• first and last name and email address (for account registration and access via Magic Link);
• account and user data within the web application;
• data that you enter or generate during the use of the web application, including progress, results and achieved scores;
• optionally: a profile photo;
• IP address and technical data, such as browser information and device data;
• other personal data that you actively provide, for example via correspondence.

Amstel Dutch processes this personal data, and where applicable additional business-related data (such as company name, Chamber of Commerce number, and VAT number), for the following purposes:

• creating and managing user accounts;
• providing access to the web application;
• performance of the agreement;
• tracking progress, results and performance within the web application;
• communication with users;
• improving the web application and services;
• ensuring the security and technical functioning of the web application.

The processing of personal data is based on one or more of the following legal grounds:

• performance of a contract;
• consent of the user, where required;
• a legitimate interest of Amstel Dutch, such as improving services and securing the web application;
• a legal obligation.

Personal data is not processed in a manner that is incompatible with the purposes for which it was obtained. The web application processes and records data relating to the use of the services, including progress, results and achieved scores. This data is used for the performance of the agreement, providing functionalities within the web application, and enabling insight into the user's performance and progress.

Logging in via Magic Link

Users can log in to the web application via a so-called Magic Link. In this process, a temporary, secure login link is sent to the provided email address. This link is personal, has limited validity, and can only be used once. After use or upon expiration, the link automatically becomes invalid to prevent unauthorized access. The user is solely responsible for maintaining the confidentiality of their email address and access to the received Magic Link.

When you use the website or web application of Amstel Dutch, technical and usage data may be collected automatically. This includes, among others:

• IP address;
• browser information;
• device and operating system;
• date and time of access;
• visited pages and used functionalities;
• error messages and system logs.

This data is processed to ensure security, proper technical functioning, and the improvement of the web application and services.

Retention period of personal data

Amstel Dutch does not retain personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is required by law (Article 5 GDPR). Invoices and financial administration are retained for at least 7 years in accordance with applicable tax legislation. After this retention period, the data will be deleted or anonymized.

Personal data related to offers or information requests is not retained longer than necessary for their follow-up, unless an agreement results from this. Personal data linked to a user account within the web application is retained as long as the account is active. After termination of the account, data relating to progress and achieved scores will be deleted, unless such data is anonymized and used for statistical or analytical purposes.

Administrative data related to payments or invoicing may be retained longer if necessary to comply with legal obligations. Reviews or other voluntarily provided feedback will be deleted upon request, unless there is a legitimate interest in retaining such data.

Sharing personal data with third parties

Amstel Dutch does not share your personal data with third parties, unless this is necessary for the performance of the agreement, to comply with accounting and other administrative obligations, or where required by applicable laws and regulations. These third parties are bound to confidentiality based on a data processing agreement and/or legal obligation.

Where necessary, Amstel Dutch will conclude a data processing agreement/confidentiality agreement with companies that process your personal data on behalf of Amstel Dutch, in order to ensure a consistent level of security and confidentiality. Amstel Dutch remains responsible for these processing activities. Amstel Dutch will never sell personal data to third parties.

Your personal data may (possibly) be shared with the following third parties:

• engaged third parties, such as external partners, postal and delivery services, software providers, etc.;
• IT partners responsible for hosting and maintenance of the website and platform;
• collection agencies and/or bailiffs, if necessary for the collection of claims;
• payment services and systems;
• marketing software or online learning platforms;
• accounting software/accountant;
• telecommunications providers.

If the client acts in the course of a profession or business, data relating to participation, progress, results, and certification of users may be shared with that client, insofar as this is necessary for the performance of the agreement.

Automated decision-making

Personal data processed by Amstel Dutch is always handled by a person. Amstel Dutch does not make decisions based on automated processing that can have legal or similarly significant effects on individuals. Such decisions would otherwise be made by computer programs and/or systems without human intervention.

Your privacy rights

With regard to your personal data, you have several important rights under the GDPR:

• right to information: you have the right to clear information about how your data is processed;
• right of access: you may request which data is processed about you;
• right to rectification: you may have incorrect or incomplete data corrected;
• right to erasure: you may request deletion of your data;
• right to restriction of processing: in certain cases you may request temporary restriction of processing;
• right to data portability: you may receive your data in a structured, commonly used format and transfer it to another party;
• right to object: you may object to the processing of your data.

To exercise these rights, you can send your request to info@amsteldutch.com. Amstel Dutch will assess your request without undue delay and in any event within 30 days. If Amstel Dutch cannot comply with your request, you will always be informed of the reasons for refusal. Amstel Dutch is entitled to verify your identity by requesting a valid ID, driver's license, or passport. In such a copy, please black out your photo, MRZ (machine readable zone), passport number, and citizen service number (BSN) to protect your privacy.

Amstel Dutch also informs you of the possibility to file a complaint with the national supervisory authority, the Dutch Data Protection Authority. This can be done via: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons.

Cookies

Cookies are small text files stored on your device when using a website or web application. Amstel Dutch uses cookies and similar techniques to the extent necessary for the functioning and security of the web application. Where non-essential cookies are used, such as analytical or marketing cookies, prior consent is requested.

You can manage or delete cookies via your browser settings. Disabling cookies may result in certain parts of the web application not functioning optimally. Where applicable, a separate cookie policy is available via the website.

Security

Amstel Dutch handles your personal data with care and takes appropriate technical and organizational measures to protect personal data against loss, destruction, or unlawful use, taking into account the state of the art, implementation costs, and the nature of the data processed. If you nevertheless believe that your personal data is not properly secured or there are indications of misuse, please contact Amstel Dutch.

Liability

This privacy statement only relates to personal data processed by Amstel Dutch for the purposes described herein. Amstel Dutch accepts no liability or responsibility for the operation and/or content of third-party websites or services.

Changes to this privacy statement

This privacy statement was last amended on 27 March 2026. Amstel Dutch reserves the right to amend or update this statement at any time. The most recent version can be found on the Amstel Dutch website.