Privacy Policy

Because we are comitted to security and privacy

Privacy Policy

What data do we collect and why

Last updated: July 14, 2020

Phone: +31 622 254 251


UNICORN Security is a trademark of UNICORN Holding B.V. (in the following UNICORN). As such this privacy policy applies to UNICORN Holding B.V. and all its subdivisions.

UNICORN is committed to the security and privacy of its users. We want to make sure you, as a (potential) customer or researcher understand what information we collect from you and why. UNICORN treats your personal data and/or those of your business with the greatest possible care and confidentiality. We believe it is important to inform you of the manner in which your personal data is processed and secured by us. In this privacy statement you can find more information on:

  • what personal data UNICORN processes of you and/or your company;
  • what UNICORN uses this personal data for;
  • on what legal grounds and for what purposes UNICORN processes this personal data;
  • when UNICORN shares the personal data with third parties;
  • when we deploy processors for the processing of the personal data; and
  • what rights you have with regard to this personal data.

This privacy statement is applicable to:

  • visitors of the website;
  • potential customers and other persons with whom UNICORN is in contact, or tries to be, by email or by telephone;
  • newsletter subscribers;
  • recipients of invitations for events (in the following: Marketing) of UNICORN;
  • customers and researchers of UNICORN; and
  • all other persons who contact UNICORN and of whom UNICORN processes personal data.

  1. Definitions
    In this privacy statement, the following definitions apply:
    1. processor: a natural or legal person, a government institution, a service or other body who/which processes personal data for UNICORN;
    2. third party: any other besides: you, UNICORN, a processor, or any person who is authorised to process personal data under the direct authority of the data controller or the processor;
    3. you: the person whose personal data is processed by UNICORN;
    4. personal data: any data which regard you and can also be traced back to you, especially by way of an identifier such as a name, an identification number, location data, online identifier, or of one or more elements which are characteristic for your physical, physiological, genetic, psychological, economic, cultural, or social identity;
    5. consent: any free, specific, informed and unequivocal expression of will by which, through a statement or an unequivocal active operation you accept the processing of your personal data;
    6. provision of personal data: the disclosure or making available of personal data;
    7. processing of personal data: an act of processing or a whole of acts of processing regarding personal data or a whole of personal data, whether or not carried out through automatic procedures, such as the collecting, recording, ordering, structuring, storing, updating or modifying, requesting, perusing, using, providing by way of forwarding, distributing or making available in another manner, aligning or combining, shielding or destroying of data;
    8. (UNICORN) Service(s): the services offered by UNICORN, which focus on the assessment of the security of your online information systems;
    9. Researcher(s): the researchers deployed by UNICORN for the benefit of the UNICORN Services.

  1. When do we receive personal data from you?
    UNICORN receives personal data from you in the following situations:
    1. When you visit the website;
    2. When you make use of the Services;
    3. When you contact UNICORN, for example by email, by way of the registration form on the website, by telephone, or through social media, such as LinkedIn or Twitter;
    4. When you register for the Marketing of UNICORN; and/or
    5. When you provide data to us on account of a customer relation with UNICORN.

  1. What personal data does UNICORN process?
    1. Visiting the website
      In case of a visit to the website, our servers automatically store information, such as the URL, IP-address, browser type and language, date and time of the visit. Currently the website does not store cookies on your systems, therefore we do not need to publish a cookie statement.
    2. Contact with UNICORN
      When you contact UNICORN, for instance with a request for information or advice on our Services, UNICORN processes the personal data which you thereby transmit to us, such as the contact information provided by email, through the registration form on the website, or by telephone, but also the information provided during an introductory conversation, or during an event which is organised by UNICORN. We keep this information in our customer database, Hubspot. The email address, name and/or phone number provided by you, through the registration form on the website or otherwise, will be used for providing information or advice as requested.
    3. Marketing (and unsubscribing)
      UNICORN makes use of newsletters, subscribers are sent newsletters with things which may be relevant to our (potential) customers and researchers, such as events, blog posts or customer cases. We make use of registration forms on the website. We ask for your name, organisation, email address and phone number, so we can reach out to you. We keep your contact information in our customer database. We keep this information until you unsubscribe or ask us to remove this data (see Article 9 for more information). The information will only be used for the purpose it was given to us.
    4. Data provided and collected from other sources on account of the customer relation with UNICORN
      When you make use of the UNICORN Services, UNICORN processes the personal data which you have transmitted to us by email, the contact form on the website, during consultations or in another manner. We process the following personal data:
First name, last name, email address, company name, phone number, function, country.
    5. Transmission of data outside the European Economic Area
      Any possible personal data we process as a result of the delivery of our Services can in some cases be transmitted outside the European Economic Area (“EEA”), because the Service can take place globally (also see in the following under 11, Third Parties).

  1. Purposes of processing of personal data and grounds
    1. Optimisation website, Services, and provision of information
      The information which the website automatically stores and generates of you (see Article 3, sub 1 and 2) is used by us to further optimise the organisation, our website, and Services and to improve the provision of information concerning, but also to prevent fraud.
    2. Implementation of the agreement between you and UNICORN
      For the implementation of the agreement between you and UNICORN, UNICORN in any case needs your contact and invoicing information, besides being required in many cases to process other personal data as well, depending on the type of Service you purchase from UNICORN.
      • Maintaining contact with you
        If you request information from UNICORN, UNICORN processes the personal data provided to comply with that request and/or to answer your questions.
      • Other purposes for the use of personal data
        Personal data is only used for audits and assessments.

  1. Grounds
 The personal data is only processed if one of the following conditions (grounds) has been complied with:
    1. you have given your consent for it;
    2. it is necessary for the implementation of an agreement to which you are a party;
    3. it is necessary to comply with a legal obligation which UNICORN is subject to;
    4. it is necessary to protect the vital interests of you or of another natural person (these grounds are not rare);
    5. it is necessary to defend the legitimate interests of UNICORN, for instance to protect the security or integrity of our Service, or a third party, except in the event that your interests or basic rights and fundamental freedoms outweigh the interests of UNICORN and/or the third party.

  1. Security
    The security of your personal data is our top priority. We are constantly assessing and improving the manner in which we collect, process, and store your personal data.
UNICORN has taken both organisational and technical measures to assure the security of our customers. UNICORN observes a security level for the processing of the personal data which, within the possibilities of current techniques, is sufficient to prevent unauthorised access, modification, publication, or loss of your personal data. The security measures taken by UNICORN are based on ISO/IEC 27002 (2013) and the security guideline NCSC (2015). The most important (security) measures of UNICORN are:
    1. The data security policy, in which specific attention is also dedicated to data classification, the granting of access, and the control of vulnerabilities;
    2. The appointment of a Data Protection Officer.
      The Data Protection Officer is responsible for, amongst other things, the attribution of authorisations for access to sensitive customer information, the securing of back-ups, the registration and handling of incidents and the monitoring of compliance with the security policy.
    3. The screening of staff (including Researchers) prior to possible employment.
      Furthermore, every five years a certificate of good behaviour is required from all collaborators. In addition, collaborators sign a non-disclosure statement.
    4. The application of information classification, that is, a distinction will be made in the provision of information to collaborators. UNICORN uses the following information classification:
      1. Public – this information can be shared without restrictions;
      2. Confidential – this information can only be shared within UNICORN (your personal data is classified as such);
      3. Company Secret – this information is only available to selected UNICORN personnel.
    5. All data in the online environment of UNICORN are also secured by access authorisations.
    6. Having a policy for network protection.
      There is an internal network at the office; on this internal network sensitive information is handled. This network is not accessible from the outside, as it is password-secured.
    7. The application of a ‘clear screen’ and ‘clean desk’ policy.
      Collaborators are obliged when leaving to lock their workstation. The workstation must be left behind clean and tidy when leaving the building.
    8. Having a policy in place for the physical security of both access and environment.
      The office of UNICORN is protected against invaders by way of high security locks. The office area is closed outside office hours and to gain access a physical key must be used.
    9. The policy for security incidents.
      Future incidents are registered in the internal incident register. The Data Protection Officer becomes responsible for the registration and timely handling of the incidents. After handling the incident, it will be evaluated, and appropriate improvement measures will be taken.
    10. We have also implemented efficacious procedures.
      If UNICORN were to face a data leak, our Data Protection Officer (contact information is listed in Article 16) will be informed of the data leak. If the nature, the severity, and the extent of the data leak require such, the data subjects will be informed accordingly within 48 hours and UNICORN will make a report to the monitoring agency Autoriteit Persoonsgegevens within 72 hours. When reporting the data leak, we indicate information and facts regarding the data leak. We indicate in addition in which category the data subjects were, and additional information so the report can be treated with due care.
Our database with customer information is saved digitally. The database is only accessible for authorised staff inside UNICORN. Our database with customer information is only accessible through personal login data and a secured connection of authorised staff.

  1. Your rights
    You have the right to peruse your personal data, to have it corrected, supplemented, modified, or even removed. For some personal data, it could be that UNICORN is legally obliged to keep it. To this personal data it applies that UNICORN cannot modify and/or remove it on your request.
We ask you to mail requests to: We will take your request into consideration as soon as possible, with a final term of four weeks. If you submit a request, we ask for a copy of your ID, so we can verify your identity against the requested information. We want to ask you emphatically to black out the social security number on the copy of the ID. Because we may not process social security numbers without being legally obliged to do so. Could you indicate in the email you send us regarding the request that you have blacked out the social security number on the copy of the ID? Take into account besides that, after we have modified or removed your personal data on your request, it may be that this information will still be available for a while in our back-ups, until these back-ups will be deleted as well. If you have deregistered, we will keep the deregistration (that is, not the personal data themselves) for 5 years after deregistration.
In some cases, you also have the right to obtain your personal data, which you have provided UNICORN with, in a structured, customary, and machine-readable form and you have the right to transfer this data, if the processing by UNICORN takes place in the manner to which in the applicable legislation and regulations the transferability of data has been assigned.
To exercise the rights mentioned in the preceding, you can send an email to

  1. Cookies and log-data
    Cookies are files with a tiny quantity of data. Cookies are sent from a website to your browser and stored on the hard disk of your computer. We do not use cookies to collect information. You can order your browser to refuse cookies or use your browser to see how long cookies are stored.
Since our Website does not use cookies we are not obligated to publish a cookie statement. We can also collect information that your browser sends when you visit our Website (“log-data”). This log-data can contain information such as the internet protocol address (“IP address”) of your computer, browser type, browser version, the pages you visit, the time and the date of your visit, the time spent on those pages, and other statistics.

  1. Third Parties
    We will not transmit your personal data to third parties without your consent, unless:
    1. It is necessary in the context of negotiations on, the conclusion of, and the implementation of the assignment agreement between you and UNICORN; and/or
    2. It is necessary to offer the Service to you; and/or
    3. UNICORN on grounds of a legal obligation or in an emergency is obligated to transmit the personal data to government agencies, such as in the event a court order imposing the obligation of providing personal data to third parties. Exclusively the data we are obliged to provide will be furnished; and/or
    4. UNICORN organises a training or event with a third party, in which case exclusively your contact information will be shared with a third party; and/or
    5. A reorganisation or transfer of business activities takes place at UNICORN with the result that UNICORN must transfer personal data to another organisation.

  1. For the provision of Services mentioned under Article 1, we deploy Researchers. In addition, we may deploy third parties to implement and facilitate our Services, to provide Service-related services or to help us with the analysis of the manner in which our Service is used. The Researchers only have limited access to your personal information: they only see the business email address and/or phone number of the contact of your company as submitted by you. In addition, they may be able to see the personal data of your customers. We deem it necessary that these parties see the personal data so as to be able to provide the Services to you. We commit ourselves and are obliged not to disclose this personal data, nor to use it for other purposes. We conclude agreements with the parties deployed by us in which we oblige these parties to maintain secrecy and to exclusively process personal data to offer the Services to you. Our IT infrastructure is hosted in the EEA. As our Researchers may also be located outside the EEA, it is possible that the servers of the Researchers are outside the EEA and are also hosted outside this area.

  1. International transfer Your information, including personal information, can be transferred to – and maintained on – computers outside your state, province, land, or other jurisdiction of the government where legislation regarding data protection may be different from that in your jurisdiction. If you are located outside the EEA and you choose to provide us with information, please take into account that we transfer the information, including personal information, to the EEA where we will process it.
By using the website and/or our Service outside the EEA, followed by the submittal of such information, you indicate your approval of the international transfer.

  1. Privacy statements of third parties
    The privacy statement of UNICORN is not applicable to websites and/or applications of third parties, possibly because UNICORN has placed a hyperlink or connection on its website to these other websites. It may happen that upon the use of our website by way of links to other websites you are conducted to websites which are not managed by us. If you choose to click on such a link, you will be conducted to the website of that third party. UNICORN does not accept any responsibility and liability with regard to the manner in which these third parties handle personal data and cookies. We advise you to take cognisance of the privacy statements and cookie statements of those websites, before you visit them.

  1. Processors
    UNICORN deploys third parties to process your personal data. These third parties (Processors) process your personal data exclusively within our assignment and we conclude processor agreements with these third parties which are compliant with the requirements of GDPR (or its Netherlands ratification AVG). This regards, amongst other things, service providers which provide hosting services. In addition, our accountant processes personal data.

  1. Retention periods
    Your personal data is kept for as long as it is necessary for the realisation of the purposes as mentioned in article 4 of this privacy statement. After the (statutory) retention period, your personal data is destroyed.
UNICORN keeps the reports of the Researchers for 2 years after the reports have been finalised. We keep the customer information for a period of 5 years after the end of the agreement or termination of the provision of services. This term is necessary for defence in case of a claim on UNICORN. The customer base is protected by way of the security measures as stipulated in Article 6 of this privacy statement.
The above retention period does not apply in case UNICORN is subject to a legal obligation to keep the personal data any longer.

  1. Privacy of children
    We do not aim our services at children under 18, so our service does not regard minors. We do not deliberately collect personal, identifiable information on minors. If you are a parent or guardian and you know that your children have provided us with personal data, please contact us. In case we become aware that we have collected personal information on a child younger than 16 without the parents’ consent, we take actions to remove the information from our servers.

  1. Contact UNICORN
    If you have questions about our privacy statement, contact the UNICORN Holding B.V. Data Protection Officer at:

  1. Modifications
    We reserve ourselves the right to modify the privacy statement at all times, for example because legislation or regulations change. The most recent can always be found on the Website. If and when the privacy statement is comprehensively reviewed, we report this on the Website. You are advised to regularly check this privacy statement for any possible changes. Modifications to this privacy statement are effective when they are published on this page.
If you have questions, comments and/or complaints in general or about/regarding our privacy statement, you can contact the monitoring agency of Autoriteit Persoonsgegevens.