Skip to content
Draft version: this text is still under legal review and is not yet final.

Privacy Policy

Last updated: 1 June 2026

OXIAE places great importance on the protection of personal data. In this privacy policy we explain which personal data we process, for what purpose and on which legal basis, how long we retain it, with whom we share it and what rights you have. This policy applies to the use of our website oxiae.com and to the platform and services that OXIAE offers.

1. Introduction & who we are

OXIAE provides infrastructure for secure customer acquisition: a platform that collects, verifies, routes and delivers requests (leads) in a controllable way, with demonstrable provenance and consent. This service involves the processing of personal data. This policy describes how we handle that, in line with the General Data Protection Regulation (GDPR).

The data controller for the processing described in this policy is:

VDS International S.A. (trading as OXIAE)

Country of registration: Panama

Folio (Registro Público de Panamá): 155777850, registered on 31 December 2025

Website: oxiae.com

Privacy e-mail: privacy@oxiae.com

For some processing activities, OXIAE does not act as a data controller but as a processor on behalf of a customer. In that case the customer determines the purpose and the means of the processing, and the terms of the data processing agreement apply. In section 5 we explain that distinction further.

2. Which personal data we process

We do not collect more data than is necessary for the purpose for which we process it (data minimisation). Which data this involves depends on your relationship with OXIAE.

2.1 From visitors to our website

  • Technical and usage data such as IP address (often stored in truncated form), browser type, device and operating system information, pages visited, referring URL and time of the visit.
  • Data you enter yourself in a contact or demo form, such as your name, e-mail address, telephone number, organisation and the content of your message.
  • Data from cookies and similar techniques, insofar as you have given consent for them. See section 8 and our cookie policy.

2.2 From applicants and leads

When someone submits a request via a form, landing page or a connected partner that is processed through the OXIAE platform, the following data may be processed:

  • Contact details such as name, e-mail address, telephone number and (postal) address.
  • The content of the request: the subject, the question or the product the applicant is interested in, and any context provided.
  • Consent and provenance data: the time at which consent was given, the consent text shown, the source or channel of the request and the associated technical metadata.
  • Processing data: the status of the request, validation and quality outcomes, the recipient to which it was delivered and the log records that capture the processing.

We do not ask applicants for special categories of personal data. When our customers configure forms, data minimisation is the guiding principle: only fields that are necessary for the purpose are requested.

2.3 From customers and platform users

  • Account and contact details of the users within the customer organisation, such as name, business e-mail address, telephone number, job title and role.
  • Login and security data, such as an encrypted password and data for two-factor authentication.
  • Usage and log data about the use of the platform, needed for security, support and the audit trail.
  • Administrative and billing data needed to perform the agreement and to meet our tax obligations.

3. Purposes & legal bases

We process personal data solely for specific, predefined purposes and only when a valid legal basis under the GDPR exists for it. The main processing activities and their legal basis are:

Purpose
Legal basis
Processing, verifying and delivering a request to a recipient
Consent of the data subject; where applicable, performance of a contract
Quality control, fraud prevention and security of the platform
Legitimate interest, following a balancing of interests
Responding to contact and demo requests
Consent, or taking pre-contractual steps on request
Providing, managing and supporting the platform for customers
Performance of the contract
Billing and administration
Legal obligation and performance of the contract
Analysis and improvement of the website via cookies
Consent

When we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of the processing carried out before the withdrawal. For each request we record which legal basis applies, so that a processing activity is never separated from its justification.

4. Retention periods

We do not retain personal data longer than is necessary for the purposes for which it was collected, or for as long as legally required. A retention period is attached to each category of data; once it has expired, the data is deleted or anonymised. The periods below are indicative and may differ per processing activity and per customer policy:

  • Rejected requests: retained briefly for control and analysis and then automatically deleted (guideline: 30 days).
  • Delivered requests: retained for as long as needed for accountability, billing and any warranty (guideline: up to 24 months).
  • Requests in dispute: retained frozen until the dispute is resolved; the retention period resumes afterwards.
  • Contact and demo requests: retained for as long as needed to handle your question and, if relevant, for follow-up.
  • Customer account and usage data: retained for the duration of the agreement and a reasonable period thereafter.
  • Administration and billing: retained in accordance with the statutory tax retention obligation of seven years.

Expired data is actively removed from storage. The audit trail records that and when a record expired, without retaining the deleted content.

5. Sharing with third parties & sub-processors

We do not sell personal data. We only share data when it is necessary for the purposes described above or when we are legally obliged to do so. This occurs in the following situations:

  • Recipients of requests: a request is delivered to the recipient for which consent was given and that fits within the agreed routing rules. The recipient becomes the data controller for any further processing.
  • Sub-processors: for components such as hosting, e-mail handling, payment and analytics services, we engage providers that process data on our behalf. With each sub-processor we conclude a data processing agreement, binding them to the same obligations.
  • Competent authorities: when we are legally obliged to do so, for example on the basis of a lawful request from a supervisory or law enforcement authority.

For processing that OXIAE carries out on behalf of a customer, OXIAE acts as a processor. The customer is then the data controller and determines the purpose and the means; the mutual arrangements are set out in a data processing agreement. An up-to-date overview of the sub-processors engaged is available on request via privacy@oxiae.com.

6. Transfers outside the EEA

We aim to process and store personal data within the European Union and the European Economic Area (EEA). Should a transfer to a country outside the EEA nevertheless be necessary, it takes place only with appropriate safeguards as defined in the GDPR. That may be an adequacy decision of the European Commission, or the use of standard contractual clauses (SCCs) adopted by the Commission, supplemented where necessary with additional measures. On request, we provide insight into the safeguards that apply to a specific transfer.

7. Security

We take appropriate technical and organisational measures to protect personal data against loss and against unlawful processing. These include, among others:

  • Encryption of data in transit and, where appropriate, at rest.
  • Access control based on roles and context, so that data is only visible to those who need it.
  • Logging and monitoring via an audit trail, in which every processing step is recorded in a traceable way.
  • Two-factor authentication for access to the platform and periodic review of our security measures.

Should a data breach occur despite these measures, we act according to a predefined procedure and comply with our notification and information obligations under the GDPR, including notifying the relevant supervisory authority within 72 hours where required.

8. Cookies

Our website uses cookies and similar techniques. Functional cookies are necessary to make the site work properly; for analytical and any marketing cookies we ask for your consent in advance. You can adjust or withdraw your preferences at any time. A full explanation of the cookies we use can be found in our cookie policy.

9. Your rights as a data subject

The GDPR grants you a number of rights over your own personal data. Among others, you can invoke:

  • Right of access: request which data we process about you and for what purpose.
  • Right to rectification: have incorrect or incomplete data corrected or completed.
  • Right to erasure: have your data erased when there is a valid ground for it (“right to be forgotten”).
  • Right to restriction: have the processing temporarily halted, for example while a request or dispute is ongoing.
  • Right to object: object to processing based on legitimate interest.
  • Right to data portability: receive the data you provided in a common, machine-readable format.
  • Right to withdraw consent: withdraw previously given consent at any time.

You can submit a request via privacy@oxiae.com. In order to handle your request, we may ask you to substantiate your identity. We respond in principle within one month. When OXIAE processes the data on behalf of a customer (as a processor), we forward your request to the relevant data controller and support them in handling it.

10. Lodging a complaint with a supervisory authority

If you believe that we are not handling your personal data carefully, please first contact us via privacy@oxiae.com, so that we can look for a solution together. You also always have the right to lodge a complaint with the data protection supervisory authority competent for you. You can find more information about this on the website of your national supervisory authority.

11. Contact

If you have questions about this privacy policy or about the way we handle personal data, please contact us:

OXIAE Privacy Team

E-mail: privacy@oxiae.com

The contact details of the data protection officer, if appointed: [officer name]

12. Changes to this privacy policy

We may adjust this privacy policy from time to time, for example when our services or the regulations change. You can always find the most current version at oxiae.com, with the date of the last change at the top of this page. For significant changes we will inform you where appropriate. We recommend that you consult this policy regularly.

Questions about privacy or compliance?

We are happy to think along about how OXIAE delivers provenance, consent and an audit trail by default. Get in touch via privacy@oxiae.com.