Privacy policy

Article 1 Contact Details and Data Controller

1.1 This privacy policy applies to the processing of personal data by:

Vignette Europe B.V.
Oudegracht 294
3511 NX Utrecht
The Netherlands

Website: Digitalvignettes.com
Email: [email protected]
Chamber of Commerce No.: 97725102
VAT No.: NL868203270B01

1.2 Vignette Europe B.V. is the data controller within the meaning of the General Data Protection Regulation (GDPR) for all processing activities described in this privacy policy, unless explicitly stated otherwise.

1.3 For certain services, Vignette Europe B.V. engages third parties (“processors” or “sub-processors”) to process data on its behalf. Data Processing Agreements (DPAs) have been concluded to ensure that all data is processed in compliance with the GDPR.

Processors engaged by Vignette Europe B.V.:

  • Nuvei – Purpose: payment processing; Data processed: payment data (not visible to Vignette Europe B.V.); Storage location: EU.

  • Pay.nl – Purpose: payment processing; Data processed: payment data (not visible to Vignette Europe B.V.); Storage location: EU.

  • PayPal – Purpose: payment processing; Data processed: payment data (not visible to Vignette Europe B.V.); Storage location: EU.

  • Converge – Purpose: conversion tracking; Data processed: IP address, email address, and order data; Storage location: EU.

  • Google Ads – Purpose: marketing; Data processed: email address and order data; Storage location: EU.

1.4 If data is processed outside the European Economic Area (EEA), this is only done with parties that provide appropriate safeguards in accordance with Articles 44–49 GDPR, such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

Article 2 Types of Data Processed

2.1 Vignette Europe B.V. only processes data that is strictly necessary for the provision of its services, typically vehicle information and contact details provided directly by the customer when placing an order.

2.2 The following categories of personal data may be processed:

  • Email address – for confirmation, communication, and customer support

  • Vehicle license plate number

  • Country of registration of the vehicle

  • Vehicle category/type

  • Start date and duration of validity of the requested vignette

  • Order details and history

2.3 Vignette Europe B.V. does not process special categories of personal data (as defined in Article 9 GDPR), nor does it knowingly collect data from children under the age of 16. Customers may only submit their own data or that of other adult users with proper authorization.

2.4 Payment information (such as credit card or bank account numbers) is not processed by Vignette Europe B.V. All payments are securely handled by certified third-party providers. Vignette Europe B.V. has no access to or storage of such financial data.

Article 3 Purposes and Legal Grounds for Processing

3.1 Personal and vehicle data is processed solely for the following purposes:

  • Fulfilling the agreement with the customer, including registration of the requested vignette with the relevant issuing authority

  • Communicating with the customer regarding the order status, inquiries, or support

  • Ensuring proper functioning and optimization of the website and ordering process

  • Preventing fraud and monitoring abuse of the service

  • Compliance with legal and administrative obligations (where applicable)

  • Sending service-related messages or limited promotional communications (with consent where legally required)

3.2 Processing is based on one or more of the following legal grounds under the GDPR:

  • Performance of a contract (Article 6(1)(b) GDPR): necessary for vignette registration

  • Legal obligation (Article 6(1)(c) GDPR): e.g., tax or financial compliance

  • Legitimate interest (Article 6(1)(f) GDPR): such as fraud prevention, customer service, or service improvement

  • Consent (Article 6(1)(a) GDPR): where explicitly required for certain marketing or optional services

Article 4 Sharing Data with Third Parties

4.1 Vignette Europe B.V. does not sell personal or vehicle data to third parties. Data is shared only when necessary to perform requested services or to meet legal obligations.

4.2 The following external service providers may process customer data on behalf of Vignette Europe B.V., under strict contractual arrangements:

  • Payment service providers:

    • Nuvei, Pay.nl, PayPal – for secure handling of payments. These providers process financial data directly; Vignette Europe B.V. does not have access to or store payment card information.

  • Analytics and conversion tracking:

    • Google Ads and Converge – to monitor website usage, track conversions, and enhance customer experience. These tools may process IP addresses, order metadata, and anonymized behavioral data.

4.3 All processors are contractually bound to comply with the GDPR and ensure appropriate data protection through Data Processing Agreements.

4.4 Data may also be shared with official vignette-issuing authorities solely for the registration of the requested vignette. The categories of shared data vary by country and are limited to what is strictly necessary.

4.5 Where personal data is transferred outside the EEA, such transfers are based on appropriate safeguards such as European Commission-approved Standard Contractual Clauses or adequacy decisions.

Article 5 Data Retention Periods

5.1 Personal data is not retained longer than necessary for the purposes stated in Article 3.

5.2 Retention periods:

  • Vehicle and registration data: Retained up to 1 year after service completion for repeat orders, support, and legal defense.

  • Personal data for Hungarian and Moldovan vignettes: Retained for up to 18 months if legally required for registration, unless a longer retention is mandated.

  • Communication data (support and feedback): Emails and interactions stored for up to 2 years for service improvement and dispute resolution.

  • Analytics and conversion data: Pseudonymized data (e.g., via Google Analytics or Converge) may be stored for up to 26 months per the tools’ configurations.

5.3 Longer retention may apply if:

  • Required under tax or administrative law (e.g., 7 years for invoice records under Dutch law)

  • The data subject has given explicit consent (e.g., for reuse or marketing)

  • Necessary for legal defense within applicable statutory limitation periods

5.4 After the applicable retention period, data will be securely deleted or irreversibly anonymized in accordance with industry standards and internal data destruction policies.

5.5 Stored data is periodically reviewed and deleted or anonymized if no longer needed.

5.6 Our retention policy aligns with our ISO 27001:2022-certified Information Security Management System and is based on a formal classification and retention schedule.

Article 6 Security Measures

6.1 Vignette Europe B.V. implements appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures are regularly evaluated and updated.

6.2 Security measures include:

  • TLS encryption (HTTPS) for all website communications

  • Role-based access control (RBAC) limiting system and data access to authorized personnel

  • Employee confidentiality agreements and regular privacy/security training

  • Data stored in ISO 27001 or SOC 2-certified data centers within the EEA (unless contractually agreed otherwise)

  • Use of antivirus software, multi-factor authentication (MFA), and timely security updates

  • Periodic risk assessments, access controls, and internal audits in line with ISO 27001:2022

  • Processor agreements containing equivalent security obligations

6.3 In the event of a data breach that poses a risk to individuals’ rights and freedoms, Vignette Europe B.V. will promptly notify the relevant supervisory authority (Autoriteit Persoonsgegevens) and, if required, the affected individuals.

6.4 If you suspect your data has not been properly secured or believe it has been misused, please contact our customer support immediately via [email protected].

Article 7 Cookies

7.1 Vignette Europe B.V. uses cookies and similar technologies to ensure proper website functionality, improve user experience, analyze traffic, and display relevant advertisements. Cookies are small text files stored on your device when visiting our site.

7.2 We use the following types of cookies:

  • Essential cookies:
    Required for core website functionality such as session management, language preferences, or cart contents. No consent required.

  • Analytical cookies:
    Used to measure and analyze website traffic and behavior. Placed only with your consent.

  • Marketing cookies:
    Track browsing behavior across websites to show personalized ads and offers. Placed only with your explicit consent.

7.3 Consent for non-essential cookies is obtained via Cookiebot, our certified consent platform. Upon your first visit, you’ll see a cookie banner to set, accept, or reject preferences. Your consent status is recorded and can be modified anytime via our cookie settings.

7.4 You can also manage or delete cookies via your browser settings. Disabling certain cookies may impact site functionality or performance.

7.5 Cookie retention periods vary by type and purpose. Essential cookies may expire at session end, while analytical/marketing cookies can remain active for up to 24 months unless deleted earlier.

7.6 See Article 3 (Purposes of Processing) for more details on how data collected via cookies is used.

Article 8 Data Subject Rights

8.1 As a data subject under the GDPR, you have the following rights regarding your personal data processed by Vignette Europe B.V.:

  • Right of access – to view the personal data we process about you

  • Right to rectification – to correct inaccurate or incomplete data

  • Right to erasure – to request deletion of your data (“right to be forgotten”), unless legally required to retain it

  • Right to restriction of processing – to restrict how your data is used in specific cases

  • Right to data portability – to receive your data in a structured, commonly used format or have it transferred to another controller

  • Right to object – to object to data processing based on your specific situation, particularly for direct marketing

  • Right not to be subject to automated decision-making – including profiling, where such decisions have legal or similarly significant effects

8.2 To exercise any of these rights, please submit a request to our Data Protection Officer via email at [email protected]. We may ask for a copy of a valid ID for identity verification (you may redact your photo, document number, and citizen service number). We will respond within one month.

8.3 If you believe Vignette Europe B.V. is unlawfully processing your data or acting in violation of regulations, you have the right to file a complaint with the relevant supervisory authority. In the Netherlands, this is the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl

8.4 Please note that certain rights may be subject to conditions or limitations depending on the legal basis for processing or specific contractual obligations (such as statutory retention periods).

Article 9 Supervisory Authority and Governing Law

9.1 This privacy policy is governed by Dutch law and supervised by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

9.2 If you reside in another EU or EEA Member State, you may also contact your local data protection authority. A list of national authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Article 10 Language and Controlling Version

10.1 This privacy policy was originally drafted in Dutch. In the event of discrepancies or differences in interpretation between the Dutch version and a translation, the Dutch version shall prevail.