Data controller
Zero Trust is the data controller for the processing described in this privacy policy. Company registration details are not yet final and are therefore shown here as placeholders: [TBD: legal form], [TBD: registered office], [TBD: BCE/KBO number], [TBD: VAT number]. You can contact us at info@zero-trust.be.
What personal data we process
Through the /contact page, we process the data you choose to enter into the contact form: name, email address, subject, and free-text message content. When you submit the form, the message is sent over HTTPS POST to a small Node/Fastify backend. That backend then forwards the message through the Microsoft Graph API to info@zero-trust.be, a Microsoft 365 mailbox hosted by Microsoft Ireland.
In addition to the form content, the backend records a limited server-side log entry at the time of submission containing the IP address and the browser User-Agent. These logs are kept for about 30 days in container logs and are used only for abuse prevention, security, and technical debugging.
The web server for this site, Caddy, also keeps access logs. Those logs contain the IP address, request path, User-Agent, and timestamp. These logs are also retained for about 30 days and are used only for security, abuse detection, and operational follow-up.
Zero Trust runs limited first-party server-side analytics from Caddy access logs. Before storage, IP addresses are reduced to a rotating salted hash; approximate GeoIP information is resolved locally; and User-Agent metadata is parsed for aggregate device, browser, and operating-system reporting. We do not use client-side analytics scripts, marketing automation, CRM tracking, advertising pixels, or third-party trackers. There is therefore no advertising profiling and no automated marketing segmentation based on your behaviour on this site.
External requests made by your browser
When the site loads, your browser may send a request to rsms.me to load the CSS for the Inter font. That third party may therefore receive technical connection data such as your IP address, browser information, and the time of the request.
On the /scan page only, your browser first sends same-origin requests to /api/scan/context and /api/scan/proxy-ipapi. At /api/scan/context, the server derives an approximate geolocation from your public IP address using a local GeoIP database. At /api/scan/proxy-ipapi, the edge proxy forwards an IP geolocation lookup to ipapi.co server-side. If those lookups are unavailable, the page may still fall back to direct requests to ipapi.co, ipwho.is, and api4.ipify.org and api6.ipify.org to recover IP/geolocation context. If IP-based lookups fail, the page may also request optional browser geolocation permission to place the map marker. After that, the page loads dark map tiles from basemaps.cartocdn.com (OpenStreetMap data rendered by CARTO) centered on that approximate location. This awareness demo shows how much context can be visible from network and browser data. These requests are made only on /scan and not on the other pages of this site.
Legal basis
For the data you voluntarily enter and submit through the contact form, we rely on your consent within the meaning of Article 6(1)(a) GDPR. You choose whether to fill in and send the form.
For server and security logs, we rely on legitimate interests within the meaning of Article 6(1)(f) GDPR. Those interests are securing the website and backend, preventing abuse, investigating incidents, and resolving technical issues.
For first-party server-side analytics, we also rely on legitimate interests within the meaning of Article 6(1)(f) GDPR. Those interests are understanding aggregate use of the public website, improving content and availability, and detecting unusual traffic patterns without using marketing trackers.
Retention periods
Messages you send through the contact form are received in the mailbox info@zero-trust.be. The retention period for those emails is currently [TBD: retention period for received contact emails].
Backend logs containing the IP address and User-Agent at form submission are kept for about 30 days.
Caddy access logs containing IP address, request path, User-Agent, and timestamp are kept for about 30 days.
First-party analytics records derived from Caddy access logs are stored in the analytics database with hashed visitor identifiers and are pruned according to the deployment's configured analytics retention period.
Processors and recipients
For the processing connected to this website, we use the following processors or recipients:
- Microsoft Ireland Operations Ltd, Ireland, for Microsoft 365 and Microsoft Graph API, so that contact form messages can be received in our mailbox;
- Zero Trust BV itself, via self-hosting in a Tier 4 colocation facility in Oostkamp, Belgium — the website and backend run on hardware owned and operated by Zero Trust BV, so there is no separate third-party hosting provider;
- Let's Encrypt, public certificate authority, for the issuance and management of TLS certificates.
International transfers
We are established in Belgium and aim for processing within the EU/EEA. Microsoft 365 for our mailbox is provided through Microsoft Ireland. Even so, Microsoft may, as part of support, security, infrastructure administration, or network routing, allow data to transit through systems outside the EEA, including the United States. Where such transfers occur, they take place under the contractual and organisational mechanisms Microsoft provides for that purpose. The current detail of those safeguards depends on Microsoft's own documentation.
Your rights
Under the GDPR, you have the right of access, rectification, erasure, restriction of processing, data portability, and, in some cases, the right to object to processing. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
You can exercise these rights by emailing info@zero-trust.be. Please state as clearly as possible which processing your request relates to. We may ask for reasonable additional information to verify your identity before acting on your request.
Complaints
If you believe that we process your personal data incorrectly, you can contact us at info@zero-trust.be. You also have the right to lodge a complaint with the Belgian Data Protection Authority via autoriteprotectiondonnees.be.
Changes
We may update this privacy policy if the operation of the site, the service providers we use, or the applicable rules change. The latest version is always available on zero-trust.be.
Last updated
Last updated: 24 April 2026.