Privacy Policy
How we collect, use, and protect your personal data.
Last updated: 1 July 2026
1. Data Controller
Moonbase BV
Frankrijklei 5, 2000 Antwerpen, Belgium
VAT / enterprise no.: BE1039343221
Email: privacy@moonbase.be
Website: https://moonbase.be
For questions about how we handle your personal data, contact our privacy team at privacy@moonbase.be.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Data | Source |
|---|---|---|
| Contact, demo and waitlist submissions | Name, email, company, phone, message | You provide directly |
| Technical data | IP address, browser type, device, pages visited | Automatic collection |
| Cookie data | Preferences, analytics identifiers | Cookies (with consent) |
3. Why We Process Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Responding to your contact form enquiry | Legitimate interest (Art. 6(1)(f)) |
| Handling demo requests and waitlist registrations | Pre-contractual measures (Art. 6(1)(b)) |
| Analysing website usage to improve the site | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Website security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
4. Data Processors
Your data is processed on the following third-party services and hosting infrastructure, all of which process data in the EU or under adequate safeguards:
| Processor | Purpose | Location |
|---|---|---|
| SiteGround | Static website hosting | EU |
| Hetzner | Application infrastructure | Germany (EU) |
| Payload CMS (self-hosted) | Website content, form and lead storage | Moonbase-managed infrastructure (EU) |
| Listmonk (self-hosted) | Waitlist and newsletter mailing lists | Moonbase-managed infrastructure (EU) |
| Supabase | Portal database and authentication | Self-hosted on Hetzner (EU) |
| Mollie | Payment processing | Netherlands (EU) |
| Resend | Transactional email delivery | US (DPF certified) |
| GitHub | Source code hosting and CI/CD | US (DPF certified) |
| Microsoft 365 | Email, documents, communication | EU (EU Data Boundary) |
Data Processing Agreements (DPAs) are in place or being executed with all processors in accordance with GDPR Article 28.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Contact form submissions | 2 years, then deleted |
| Project estimates / assessments | 2 years, then deleted |
| Portal account data | Until account deletion + 30-day grace period |
| Billing and invoice data | 7 years (Belgian tax law) |
| Analytics data | 26 months |
| Server logs | 90 days |
| Cookie consent records | 5 years after last update |
6. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — Request a copy of your personal data
- Right to rectification (Art. 16) — Correct inaccurate data
- Right to erasure (Art. 17) — Request deletion of your data
- Right to restrict processing (Art. 18) — Limit how we use your data
- Right to data portability (Art. 20) — Receive your data in a machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at privacy@moonbase.be. We will respond within 30 days.
7. International Data Transfers
Where data is transferred outside the EU/EEA, we rely on:
- EU-US Data Privacy Framework (DPF) for US-based processors with DPF certification
- Standard Contractual Clauses (SCCs) where DPF does not apply
8. Cookies
We use cookies as described in our Cookie Policy. You can manage your preferences at any time using the cookie settings on our website.
9. Data Security
We protect your data through:
- TLS encryption in transit for all connections
- Encryption at rest for databases and backups
- Role-based access control and audit logging
- Regular security reviews and supplier assessments
- An information security management approach we are actively developing toward ISO/IEC 27001 alignment (not yet certified)
10. Data Breach Notification
In the event of a personal data breach, we will notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / GBA) within 72 hours where required, and affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
11. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via our website. The "Last updated" date at the top reflects the most recent revision.