
Privacy Policy

deXes values the protection of your personal data. This policy explains what we collect, why, and what rights you have.

Last updated: April 2026

1. Who are we?

deXes is a data intermediary and marketplace operator based in Utrecht, enabling sovereign and secure data sharing between organisations using open EU data space standards. deXes is recognised as a data intermediary under the EU Data Governance Act and is ISO 27001:2022 certified.

Controller:
deXes B.V. — de Blend Offices, Vleutensevaart 100, 3532 AD Utrecht
+31 (0)30 2272 652 · [email protected]

2. What data do we collect?

We collect personal data in two contexts: through this website, and through the operational systems deXes runs on behalf of its clients.

Website

  • Contact form — name, email address, organisation (optional), and your message.
  • Job applications — name, email address, CV, and motivation letter.
  • Support tickets — name, email address, and a description of your issue.
  • Website analytics — anonymised usage data (pages visited, browser type, session duration) collected via privacy-friendly analytics. No personal identifiers are stored.

Operational systems

deXes operates a number of data services on behalf of its clients, including the DMI ecosystem, the Dexes marketplace, OpenGDC, and the Open Building Passport. In the context of these systems, the following data may be processed for the purpose of access management and identity verification:

  • Usernames and passwords — used for authentication to the relevant platform. Passwords are stored in hashed form and never readable in plain text.
  • Organisation names — used to identify the participating organisation within the data space and to verify access rights.

Important: deXes processes only the metadata necessary to facilitate data exchange — such as identity credentials and access rights. deXes does not access, store, or process the actual data that clients share with each other through these systems. This is a core principle of deXes's role as a neutral data intermediary and is a fundamental requirement of compliance with the EU Data Governance Act.

Processing in these systems is carried out under contract with the relevant client organisation, which acts as the data controller. deXes acts as a data processor in that context and processes personal data solely on documented instructions from the controller.

3. Why do we use your data?

Each category of data has a specific purpose and legal basis under the GDPR:

Responding to contact requests
Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: up to 1 year after last contact.

Processing job applications
Legal basis: pre-contractual steps (Art. 6(1)(b) GDPR). Retention: up to 4 weeks after the position is filled, or up to 1 year with your consent.

Handling support requests
Legal basis: contract performance or legitimate interest (Art. 6(1)(b)/(f) GDPR). Retention: up to 2 years.

Website analytics
Legal basis: consent (Art. 6(1)(a) GDPR), obtained via cookie banner. Retention: aggregated, anonymised data only — no retention limit applies to personal data.

Access management in operational systems
deXes processes usernames, hashed passwords, and organisation names solely to authenticate users and manage access rights within its operational platforms (DMI ecosystem, Dexes marketplace, OpenGDC, Open Building Passport). deXes does not process the actual data exchanged between participants — only the metadata required to control and facilitate that exchange.
Legal basis: contract performance (Art. 6(1)(b) GDPR) for direct users; legitimate interest (Art. 6(1)(f) GDPR) for organisational identifiers.
Retention: for the duration of the active account, plus up to 12 months after account closure. Exception: access logs and transaction metadata may be retained for longer periods where required for auditing, dispute resolution, or trust enforcement obligations under the EU Data Governance Act or applicable contractual agreements.

4. Sharing with third parties

We do not sell or trade your personal data. We may share data with the following categories of processors who act strictly on our instructions:

  • Hosting and cloud infrastructure providers (EU-based)
  • Email delivery service providers
  • Support ticket platform
  • Governance and audit parties — such as accreditation bodies, supervisory authorities, or trust framework auditors — where disclosure is required to demonstrate compliance with the EU Data Governance Act or other applicable regulations.

All processors are bound by GDPR-compliant data processing agreements. We do not transfer personal data outside the European Economic Area.

5. Cookies

This website uses functional cookies (required for the site to work) and, with your consent, analytical cookies to understand how visitors use the site. No advertising or tracking cookies are placed. See our Cookie Policy for full details.

6. Your rights (GDPR)

Under the GDPR you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data where no legal ground applies.
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, for processing based on consent.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

7. Security

deXes is ISO 27001:2022 certified. We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure — including encryption in transit, access controls, and regular security audits.

8. Changes to this policy

We may update this policy from time to time. Material changes will be communicated on this page with an updated date. We encourage you to review this page periodically.
