Capture Privacy Policy
Last updated: 2025-11-26
At Vintecc, owner of the Capture platform, we are committed to protecting your privacy and managing your personal data in accordance with the General Data Protection Regulation (GDPR). This policy explains how we collect, use, share, and protect your personal information and describes your rights with regards to your data.
1. Who Are We
Name: Vintecc BV
Address: Hof Ter Weze 3 8800 Roeselare Belgium
Enterprise number: 0645.963.679
RLE: Ghent, division Kortrijk
Contact: privacy@vintecc.com
2. Introduction
You are typically a user of the Capture platform, and Vintecc processes your personal data in two distinct capacities, depending on the context:
(i) when processing email addresses and technical usage data (such as login metrics), Vintecc acts as a data controller; and
(ii) for other personal data processed via the platform, Vintecc acts solely as a data processor, processing such data on behalf of the customer.
Where Vintecc acts as data processor, Vintecc’s customer is the data controller, and Vintecc does not pursue any independent purposes; any further processing is carried out only under the customer’s instructions. For more information regarding the processing of personal data by the customer, we refer to the customer’s privacy policy and their contact details.
3. How we collect your personal data
We collect your personal data in several ways, depending on how you use the Capture platform:
• Directly from you : when you register or log into the Capture platform using your
work email.
• From our customer (who is typically your employer, or the legal entity you otherwise work for or are engaged by): if our customer has created an account or invited you to use the platform, they may provide your work email address or other relevant user details necessary for onboarding and account management.
• Automatically: through functional cookies and the collection of platform usage metrics (e.g., logins, number of active users, dashboard usage) for platform improvement.
4. Categories of Personal Data
We process different types of personal data; this depends on how you use the Capture platform, how you interact with us, and which data you decide to share with us.
When Vintecc acts as a Data Controller, we typically process the following categories of
• Work email address: collected for authentication/login.
• Usage Metrics: aggregated statistics on how the platform is used (logins, dashboards accessed); these metrics do not personally identify individuals.
• Technical Data: device/browser information may be used strictly for security and functionality purposes (not for profiling or marketing)
5. Purposes and Legal Bases for Processing
We will process personal data for the purposes and on the legal basis specified in this section (if and to the extent applicable to your situation).
As a Data Controller:
| Category | Description | Purpose | Legal Basis | Retention period |
|---|---|---|---|---|
| Work email address | Email used for authentication and user identification. | To provide secure access to the platform and enable account-related communication (account creation, login, password reset). Also used for technical support if you contact us. | Performance of contract between the customer/employee and Vintecc or its customer; legitimate interest in securing platform access and supporting user queries. | Stored as long as the account is active. Deleted upon account closure. |
| Usage Metrics | Aggregated statistics about platform usage, including logins, dashboards accessed, and feature interaction. | To improve platform functionality, monitor system health, generate anonymized usage reports for customers, and ensure service continuity. These metrics are not used to profile specific individuals. | Legitimate interest for improving the service and security; analytics considered anonymous when not linked to individual users. | Retained only in an anonymized or aggregated form, not linkable to individuals. Anonymized data is not bound to specific retention periods. |
| Technical Data | Information about the device and browser used to access the platform (IP address, operating system, browser version). | To maintain system integrity, detect and prevent fraud or misuse, and optimize user experience for different devices. No profiling or marketing. | Legitimate interest in ensuring platform security and performance. | Retained as long as needed for security monitoring, typically up to 12 months, unless required longer for security incidents. |
As a Data Processor:
| Category | Description | Purpose | Legal Basis | Retention period |
|---|---|---|---|---|
| Other Personal Data (if applicable) | Additional personal data collected on behalf of the customer (e.g., names, roles, contact details entered by employer). | Processed strictly according to instructions from the customer/data controller for business-related platform workflows or statutory requirements. This can be in the Capture platform itself or integrated custom apps. | As defined by the customer/data controller; Vintecc acts as processor according to the customer's documented legal basis (for more information, reference is made to the applicable customer's privacy policy). | Retention defined by the customer's data retention policy. Vintecc deletes or returns data upon termination of services, unless legally required otherwise. |
6. Provision of Data and Consequences
Your work email is required to create and access a Capture account. Without it, using the Capture platform is not possible.
7. Use and Sharing of Data
If required for carrying out the purposes set out above, we may share your personal data with:
• Internal Access: Only authorized IT/support personnel can access your work email for maintenance and support reasons.
• Service providers: Service providers can have (indirect) access to your data e.g. hosting providers, IT service providers or security providers.
• Legal requirements: Where legally obliged, we may share data with authorities or courts.
Our (sub-)processors always act under our responsibility. If we engage (sub)processors, this will always be done in accordance with a data processing agreement that meets the requirements of the GDPR. We require all our (sub-)processors to take appropriate
technical and organizational (including security) measures to protect your personal data in line with our policies. We do not allow our (sub-)processors to use your personal data for their own purposes.
8. International Data Transfers
In principle, Vintecc does not transfer your personal data to third countries located outside the European Economic Area (“EEA”) unless you are located outside the EEA (and are visiting our Platform or otherwise provide personal data from outside the EEA).
Additionally, it is possible that in some cases Vintecc – through its (sub-)processors – does transfer your personal data to countries outside the EEA. In this event, Vintecc will only transfer your personal data outside the EEA in accordance with the applicable data protection legislation and subject to appropriate safeguards.
Please contact us if you want further information on the specific mechanism(s) used when transferring personal data outside the EEA.
9. Data Security
Vintecc applies a range of technical and organizational measures to protect your data, including:
• Access controls: Only relevant staff can access your information.
• Pseudonymization: Where appropriate for analytics.
• Regular security reviews: We review policies, train staff, and conduct audits to improve protection.
12. Your Rights Under GDPR
You have the following rights under the GDPR:
Right of access — You have the right to be informed whether we process your personal data and, if so, to obtain access to that personal data.
Right to rectification — You have the right to have inaccurate or incomplete personal data corrected.
Right to erasure ("right to be forgotten") — You have the right to request deletion of your personal data where one of the following applies:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based and there is no other legal ground for the processing.
- You object to the processing where the processing is for direct marketing purposes.
- The personal data have been unlawfully processed.
- The personal data must be erased to comply with a legal obligation under EU or member-state law.
When we receive an erasure request we will consider our interests and those of third parties, and any legal and regulatory obligations or court/administrative decisions that may be in contradiction with erasing the personal data.
Right to restriction — You have the right to request restriction of processing where one of the following applies:
- You contest the accuracy of the personal data, for a period enabling us to verify the accuracy.
- The processing is unlawful and you oppose the erasure of the personal data and request restriction of their use instead.
- We no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims.
- You have objected to processing pending verification whether our legitimate interests override yours.
Right to object — You have the right to object to processing of your personal data where processing is based on Article 6(1)(e) or (f) of the GDPR (including profiling). If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or processing is necessary for the establishment, exercise or defense of legal claims.
Right to data portability — Where processing is based on consent or on a contract and carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller.
Right to lodge a complaint — With the competent supervisory authority (in particular in the member state of your habitual residence, the place of work or the place of alleged infringement). In Belgium, the competent supervisory authority is the Belgian Data Protection Authority (GBA/APD).
Any complaints can also be handled by Vintecc by sending an e-mail to: privacy@vintecc.com
13. How to Exercise Your Rights
To submit a request or query regarding your personal data, you can use our trust sender to issue and follow-up on a request: https://app.formalize.com/trust-center/9f12e87c-1b1f-4e97-97cb-7fdc46d71b46/data-subject-requests
Or you can send us an e-mail with your specific request: privacy@vintecc.com
To be able to process your request adequate identification will be necessary, if we doubt your identity we remain the right to ask for additional identification to verify your identity proportional to your request.
If we are acting as a data controller, we shall acknowledge receipt of your request and provide you with information on the action taken without undue delay and, in any event, within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, and we will inform you of the reasons for any delay.
If we are acting a a data processor, we will forward your request to the relevant customer (the data controller), who is responsible for handling and responding to such requests
The exercise of your rights is free of charge. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:
• charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
• refuse to act on your request.
14. Policy Updates
We may update this policy in response to changes in law, technology, or our practices. The latest version will always be available on our website. Changes will be indicated on our website or the platform, and where required in line with the significance of the changes, may be notified to you by email or will be brought to your attention on your next website or platform visit (e.g. through a “pop-up”). Where such changes involve new or significantly modified processing activities, we will inform the data subjects concerned before those changes take effect, and if legally required, they will be submitted for approval.
15. Third-party links
We are not responsible for the privacy, information or other practices of third parties, including third parties who operate a website to which our website contains a link. Including a link on the Website does not mean that we endorse the linked website.
16. To what extent are we liable?
To the maximum extent permitted by applicable law, we shall not accept any liability in the following events:
• If we have lawfully shared your personal data with a third party (not being our (sub-)processor), we shall not be liable for any subsequent unlawful processing or misuse of that personal data by such third party and any direct or indirect damages resulting therefrom.
• If third parties unlawfully process or use your personal data and we have implemented appropriate technical and organizational measures to prevent, to the best of its abilities, such unlawful processing or use (e.g. in the event of hacking or any other cyberattack).
In any case, we shall only be liable for damages caused by non-compliance of our specific obligations under the GDPR. We shall in no event be liable for any special, incidental, indirect or consequential losses or damages in this regard.
17. Governing law and jurisdiction
This privacy policy shall be governed, interpreted, and implemented in accordance with Belgian laws. The Ghent courts (division Kortrijk) are exclusively competent to decide on any dispute that may arise from the interpretation or implementation of this privacy policy.