Privacy Policy UpCross

The privacy policy below is effective as of May 25, 2018.

UpCross (provider of CyberTense®) is a young and ambitious digital commerce company based in the Netherlands, which translates market demand into innovative concepts. Our overall goal is to empower people to make strong decisions - based on solid information, figures, sound principles and science - by giving them the tools and information they deserve.

UpCross processes personal data and wants to communicate clearly and transparently about it. In this privacy statement, UpCross provides information about how it processes personal data. Not all elements of the statement apply to you as a user of our website or service.

UpCross values the protection of the personal details of its members, partners and other relations. Personal data are therefore treated and protected with the utmost care by UpCross. UpCross meets the requirements set by the General Data Protection Regulation.

This privacy policy describes how UpCross registers, processes and stores personal data. Related topics, such as exchanging and supplying data to third parties are also described.
This privacy policy encompasses all online and offline systems that contain personal data and is applicable to all organizational units affiliated with UpCross.

Identity data processor

CyberTense® is an initiative of UpCross B.V.
Beukweg 49
7556 DC Hengelo Ov.
The Netherlands

Chamber of Commerce
65584988 / Enschede
VAT number

For any questions regarding privacy matters, please contact us by sending an e-mail to




Requirements processing personal data for associations
The GDPR has six bases for processing personal data. To be allowed to process personal data, at least one of these principles must apply:

  • The person concerned gives permission.
  • It is necessary to execute an agreement.
  • It is necessary for compliance with a legal obligation.
  • It is necessary for protecting a vital interest.
  • It is necessary for carrying out a task of general interest or public authority.
  • It is necessary to look after legitimate interests.

Additional requirements
With this privacy policy, UpCross also sets a number of additional guidelines for the processing of personal data in addition to the legal requirements. This policy contains requirements for members, users, administrators and designers of systems to ensure privacy not only now but also in the future.

Personal data
Personal data refers to information, which allows a person to be directly or indirectly identified as an individual person. Examples of personal data include: email address, name and date of birth.

In addition, the law distinguishes special personal data, such as information about health. This is information that can seriously affect someone's privacy. Therefore, this information may only be processed under strict conditions.

UpCross processes personal data in various systems. These systems are hosted in European data centers.

Right of inspection
If someone's personal data is processed, this person has the right to know which data, for which purpose these are being used exactly and with whom these may be shared. Someone can only request information about themselves, not about others.

Automatically collected data
Automatically collected non-personal data (via our website or service) will be used to improve our service. However, we may also share aggregated non-personal information with third parties for marketing, advertising, and analytics purposes. We will never sell these non-personal information to third parties.

With a written request it is possible to inspect the registered personal data and the processing that takes place. This request can be sent via email to: Please indicate 'right of access' in the subject line. UpCross will react within the legal one-month period.


Right to be forgotten
Under the GDPR ruling, a person has the right to be forgotten or to have personal data removed from the administration of UpCross. UpCross must grant such a request in the following situations:

  • The data is no longer necessary for the purpose for which it was collected.
  • The consent given is withdrawn and there is no other legal basis for the processing.
  • An objection is made to the processing.
  • The data has been processed unlawfully.

A written request for the removal of personal data must sent via email to: Please indicate 'right to be forgotten' in the subject line. UpCross will react within the legal one-month period. 

The implication of the execution may be, that the invoice will not be carried out optimally or even can not be carried out at all.

In some cases, UpCross may not grant the request. This may be the case if, for example, there is a legal obligation to keep the data such as cooperating in criminal and/or tax investigation. The person concerned will be informed about this.

Persons authorized to register and consult personal data (both general and special data) are obliged to maintain confidentiality. One can only deviate from this if there is a legal or reasonable need to provide information to third parties.

Privacy statement
UpCross processes personal data and wants to communicate about it as clearly and transparently as possible. The privacy statement provides answers to the most important questions about the processing of personal data by UpCross. The most recent privacy statement can be found here :

Updates privacy policy
UpCross reserves the right to make unilateral changes to this privacy policy. On this page you will, however, always contain the most recent privacy policy used.
Changes on our privacy policy which affects the processing of already collected or issued personal information, will be communicated to our users by e-mail. We strive to communicate minor changes also via the electronic newsletter.


Processing and storage of personal data

Processing in customer administration
The Customer Relationship Management (CRM) application is used by staff of UpCross. 
The purpose of this application is to provide customers with the correct information faster and to make these kind of administrative tasks more efficient. 
Currently, we do not use any third party to host, maintain and deliver this CRM functionality. Instead, we use our own CRM application. This system is relatively tightly coupled with our sales administration system.

Processing in sales administration
The following processes are handled in the sales administration application:

  • Invoice administration.
  • Financial administration including debtor and creditor administration.
  • Sold store items in the webstore.

To ensure that these processes run smoothly, general personal data are recorded, such as name and address details, email addresses, telephone numbers, date and place of birth.
The information you provide to us during the order process, is used exclusively for processing the order itself. This information is being used internally only and is not shared with other parties for commercial goals.

Processing this data by UpCross is based upon:

  • Data processing is required to settle a payment. 
    To be able to settle a payment by our payment provider, personal data may be shared with the payment provider for this purpose only.
  • The person in question gives permission for the data processing. 
    UpCross processes personal data on the basis of permission; The person must give explicit permission for this. Typically, we ask a user for its' approval when registering to one of our services.

Users are free to withhold or withdraw permission. The consequence of the decision may be that the service is not optimal or can not be carried out at all.

Additional data 
Automatically collected non-personal data (by our website or service) will be used to improve our service. We may use and share aggregated non-personal information with third parties for marketing, advertising, and analytics purposes. We do not sell or trade your non-personal Information to third parties.

Provision to third parties 
In order to optimally implement the services provided by UpCross, third parties are involved. It is sometimes necessary to provide personal data for their activities. In order to guarantee privacy, agreements are concluded with these parties on the use and security of personal data. 

Typically shared data:

  • Research bureaus for conducting research and surveys.
  • Email service providers for sending digital mailings and newsletters.
  • Settle a payment via an external payment provider.
  • Persistence of customer data within a CRM application hosted by an external party.

UpCross will only share your Personal Information with third parties to the

extent necessary to perform these functions, in accordance with the purposes set out in this Privacy Policy and applicable laws. We do not sell or trade your Personal Information to third parties.

We make use of software modules developed internally, to process your order and to gather information about customer experience.
To settle a payment, we use an external party / payment service provider called Buckaroo.

UpCross provides various services, online platforms and websites, such as The hosting systems process (and temporary persist) some personal data. 
This personal data concerns: names, address information, email addresses, membership information and IP addresses.

Preceding the processing of this data, UpCross always needs the users' consent. The user always has the possibility to withdraw his consent. This can be done by sending an email to

UpCross bases these processing operations on the following bases

  • Data processing is necessary to represent a legitimate interest . 
    The collection of certain data is necessary in order to offer visitors of the website(s) of UpCross relevant information based on previous use of the websites, such as ordered products. This registration also serves statistical purposes in order to be able to follow the usage of the website(s) and be able improve overall user experience.
  • The person in question gives permission for data processing . 
    UpCross processes personal data on the basis of permission. To register personal data, explicit permission must be requested.

Visitors are free to withhold or withdraw permission. It may be that such a decision means that the service is not optimal or can not be carried out at all.

We do not sell or trade your Personal Information to third parties.

Data in the sales administration records are saved as long as the person is seen as a customer. This is the case as long as the person not actively proposes or asks UpCross to undo its' membership. The data in the sales administration includes both personal data, persisted in our own sales system, and, for example, and bank details which are persisted with our third party payment processor Buckaroo. 
Even after the membership ends, the data are still retained for the legally required term of seven years. Thereafter, the data of the ex-member is deleted or anonymized.

Security measures and protection
The security of your Personal Information is important to us.


No method of transmission over the Internet, or method of electronic storage is 100% secure. However, UpCross in its sole discretion undertakes a variety security measures aimed at protecting against unauthorized access, alteration, disclosure or destruction of Personal Information. We offer the use of a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. It is your responsibility to safeguard your password and login details. If you know or suspect that your password is known to others, please contact us so we can take immediate measures.

While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.


We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the instructions provided in any email we send.

System messages such as invoices and reminders and messages that are essential for membership do not, according to the GDPR, have an opt-out option.

What happens in the event of a change of control
If we sell or otherwise transfer part or the whole of UpCross or our assets to another organization (e.g. in the course of a transaction like a merger, acquisition, bankruptcy, dissolution, liquidation), your information such as name and email address and any other information collected through the service(s) or website(s) may be among the items sold or transferred. You will continue to own your User Content. The buyer or transferee will have to honor the commitments we have made in this Privacy Policy.

Portions of our website may use cookies. Cookies are small files which are stored on a user's computer. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the server to deliver a page tailored to a particular user.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Website.

Permanent cookies
With the help of a permanent cookie, UpCross registers that a visitor returns. The websites can thus be better adjusted to the preferences of this visitor. When a visitor has given permission for the placing of cookies, the websites can remember this by means of a cookie. This means that the visitor does not always have to repeat his preferences, which results in time savings and user-friendliness of the website. 
Permanent cookies can be removed by the visitor via the settings of the browser.

Session cookies 
Using a session cookie, UpCross registers which parts of the website the visitor has viewed during a specific visit. With this information, UpCross can adapt the services as much as possible to the surfing behavior of the visitors. These cookies are automatically deleted when someone closes his web browser.

Tracking cookies from UpCross 
UpCross only places a cookie on visitors' equipment with permission. These can be requested as soon as the visitor visits a website from UpCross. With use of this cookie, a profile is built up that is not linked to a person with a name, address, e-mail address and the like. This profile is used to tailor personally relevant messages to the visitor. Tracking cookies can be removed by the visitor by configuring his browser.

Tracking cookies from advertisers 
Only with permission advertisers may place tracking cookies on the equipment of visitors of website(s) of UpCross. They use these cookies to keep track of which pages from their network the visitor views, in order to build up a profile of that visitor's online surfing behavior. This profile is also built on the basis of comparable information that they receive from visiting other websites from their network. This profile is not linked to a person with a name, address, e-mail address and the like as known to UpCross. That profile is used to match advertisements with the visitor. These cookies can be removed centrally via Your Online Choices ( so that they are not returned to a third-party website.

Google Analytics 
The websites of UpCross may place a cookie from Google as part of the Analytics service. UpCross uses this service to keep track of and to receive reports on how visitors use the websites with the aim of improving user experience.

Google may provide this information to third parties if Google is legally obliged to do so, or if third parties process the information on behalf of Google. UpCross has no influence on this. As a user, UpCross has allowed Google to use the obtained analytics information for other Google services. 
The information that Google collects is anonymized as much as possible. For example, IP addresses are not included. The information is transferred to and stored by Google on servers in the United States. 

Social networks 
Websites of UpCross may contain buttons to promote or share web pages on social networks such as Facebook and Twitter. These buttons work through pieces of code that come from Facebook or Twitter itself. Only when such a button is clicked, cookies are placed on the visitor's computer. 
The privacy statements of Facebook and Twitter state what they do with (personal) data that they process via these cookies. The information they collect is anonymized as much as possible. The information is transferred to and through Twitter, Facebook, Google and LinkedIn and stored on servers in the United States. 

LinkedIn, Twitter, Facebook and Google adhere to the Privacy Shield principles and are affiliated with the Privacy Shield program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.

Data leaks
Naturally, UpCross does everything to prevent that the personal data mentioned in this document ends up in the hands of parties who are not entitled to this data. 
If this does happen however, it is a 'data breach'. 

Article 34 of the General Data Protection Regulation provides that if a data breach takes place, this must be reported. Here we are talking about the leakage of personal data as a result of security problems. These data leaks must be reported to the supervisory authority, the Dutch Data Protection Authority (AP) without delay.

What is a data breach? 
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

Procedure to communicate data leaks

Notifying UpCross (of suspicious event)
Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify UpCross providing a description of what occurred.

Notification of the incident can me made via email to:

Upon a suspicion or reporting of a data breach, a security expert is tasked to thoroughly investigate the available logging, alerts or indicator(s) of compromise to determine if the case qualifies as a data breach, outlined by the GDPR. If so, this must be reported.

To the supervisor 
As soon as a data breach has been confirmed by the security expert, this must be reported to the supervisor within 72 hours

To the user affected 
After a data leak has taken place and it is probable that the leak will have adverse effects on the privacy of the user concerned, this user must receive a notification. This notification will contain at least the nature of the infringement, the bodies where more information about the infringement can be obtained and the recommended measures to limit the negative consequences of the infringement.

A key priority for UpCross is reducing any complaints we receive by addressing the underlying causes.

Please send an email with your complaints to We will actively seek to a solution. If this does not work satisfactorily, there is still the possibility to file a complaint with the privacy regulator, the Dutch Data Protection Authority.

Contact person: M. Mollenhorst