This Privacy Policy explains how Muncly collects, uses, and safeguards personal data provided through this website and in connection with our services. It applies to every visitor, prospect, and client of Muncly.

Who we are

Our website address is: https://muncly.com.

Muncly is a CRM consulting and auditing firm based in the Netherlands. We help small and mid-sized businesses implement, optimise, and get more value from their CRM systems, primarily Salesforce and HubSpot. Muncly acts as the data controller for all personal data collected through this website and in connection with our services.

What data we collect

We collect personal data in the following ways:

• Contact and enquiry forms. When you fill in a form on our site, we collect your name, business email address, company name, phone number, and any information you include in your message.
• Booking a call. When you schedule a discovery or audit call, we collect your name, email, company, and any pre-call questionnaire responses you provide.
• Website analytics. Anonymised or pseudonymised data about how visitors use our site, including pages visited, time on page, referral source, browser type, and approximate location derived from IP address.
• Cookies. We use cookies and similar tracking technologies. See the Cookies section below for full details.
• Embedded content. Pages on our site may include embedded third-party content. See the Embedded Content section below.
• Comments. If you leave a comment, we collect your name, email, and IP address. An anonymised hash of your email may be shared with Gravatar (automattic.com/privacy) to display your profile picture next to your comment.
• Media uploads. If you upload images to the website, avoid images with embedded location data (EXIF GPS). Visitors can download and extract that data from any image on the site.

Why we collect it

We use your personal data only for the following purposes:

• Responding to enquiries. To understand your situation and reply to messages, calls, or audit requests you send us.
• Delivering our services. To carry out CRM consulting, implementation, or audit projects you engage us for, including invoicing and project communication.
• Business relationship management. To send you relevant updates, case studies, or occasional service information. You can unsubscribe at any time.
• Improving our website. To understand how visitors use our site and make it better, using aggregated, anonymised analytics only.
• Legal and administrative obligations. To comply with applicable laws, including tax record-keeping and responding to lawful requests from authorities.

Legal basis for processing

Under the GDPR, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)). Processing necessary to provide the services you have engaged us for.
• Legitimate interests (Art. 6(1)(f)). Processing for our legitimate business interests, such as relationship management, service improvement, and website analytics, where these do not override your rights.
• Consent (Art. 6(1)(a)). For non-essential cookies and direct marketing communications. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)). Where processing is required to meet a legal obligation, such as financial record-keeping.

Cookies

We use cookies, small files stored on your device, for the following purposes:

• Functional cookies. Strictly necessary for the website to work. Includes session and login state cookies. No consent required.
• Comment cookies. If you leave a comment, you may opt in to saving your name, email, and website in cookies for one year so you do not need to re-enter them on your next visit.
• Login cookies. Logging in sets cookies that save your session for two days (or two weeks if you select “Remember Me”). Screen option cookies last one year. All login cookies are removed when you log out.
• Article editing cookie. If you edit or publish an article, a temporary cookie is saved containing the post ID. It expires after one day and contains no personal data.
• Analytics cookies. Used to understand how visitors navigate our site. Where possible, data is anonymised before storage.
• Marketing cookies. Only placed with your explicit consent. Withdraw consent at any time via the cookie preference centre on our site.

A full breakdown of the specific cookies we use, including names, purposes, and durations, is available in our Cookie Policy.

Embedded content from other websites

Pages on our site may include embedded content such as videos, images, or articles from third-party services (for example YouTube, Vimeo, LinkedIn). Embedded content behaves exactly as if you had visited those websites directly.

These third-party services may collect data about you, use their own cookies, embed additional tracking, and monitor your interaction with the embedded content, including if you have an account and are logged in to that website. We do not control and are not responsible for those third-party privacy practices.

Who we share your data with

We do not sell your personal data. We may share it with the following categories of recipients:

• Service providers (processors). Third-party tools and platforms we use to run our business, including CRM software, email platforms, scheduling tools, website hosting, and accounting software. We have data processing agreements in place with each processor in line with Art. 28 GDPR.
• Spam detection. Visitor comments may be checked through an automated spam detection service.
• Password reset flow. If you request a password reset, your IP address is included in the reset email for security purposes.
• Professional advisers. Accountants and legal advisers, where necessary and bound by confidentiality.
• Authorities. Law enforcement or regulators where we are required to do so by law.

Where your data is sent

Some of our service providers are based outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure adequate safeguards are in place, typically the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent approved mechanism.

Visitor comments may be checked through an automated spam detection service that processes data outside the EEA under appropriate safeguards.

How long we retain your data

We only keep personal data for as long as necessary for the purposes it was collected, or as required by law.

• Comments. Approved comments and metadata are retained indefinitely so we can recognise and auto-approve follow-up comments. You can request deletion at any time.
• User accounts. Personal data in user profiles can be viewed, edited, or deleted by the user at any time (except usernames). Administrators can also access and edit this information.
• Enquiry and contact data. Up to 12 months after last contact, unless an engagement has started.
• Client project data. 7 years after project completion, in line with Dutch tax retention obligations.
• Financial records and invoices. 7 years, as required under Dutch law (Art. 52 AWR).
• Website analytics logs. Up to 90 days, then anonymised or deleted.

Your rights over your data

If you have an account on this site, or have left comments, you can request an exported file of the personal data we hold about you. You can also request that we erase any personal data we hold, except data we are obliged to keep for administrative, legal, or security purposes.

Under the GDPR, you have the following rights:

• Access (Art. 15). Request a copy of the personal data we hold about you.
• Rectification (Art. 16). Ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17). Request deletion of your data where there is no overriding legal ground to keep it.
• Restriction (Art. 18). Ask us to pause processing while a complaint or correction is resolved.
• Portability (Art. 20). Receive your data in a structured, machine-readable format.
• Object (Art. 21). Object to processing based on legitimate interest or for direct marketing.

To exercise any of these rights, contact us using the details in the Contact section below. We will respond within one month. If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl.

Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

• Encrypted data transfer via HTTPS / TLS.
• Access controls based on need-to-know, with multi-factor authentication.
• Regular backups with encrypted storage.
• Periodic security reviews of our systems and tools.
• Contractual security requirements for all processors and sub-processors.

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform you directly where required under Art. 34 GDPR.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or regulatory guidance. The current version is always available on our website, with the effective date shown at the top.

For material changes that significantly affect how we process your data, we will notify you directly by email or via a prominent notice on our website before the change takes effect.

Contact us

For questions, data requests, or complaints about how we handle your personal data, please reach out to us.

We aim to respond within five business days. The legal maximum is one month from receipt of your request.