Privacy Policy
Version 2.0 — Effective from 28 April 2026
This privacy policy explains how Sunbytes processes personal data, whether you visit our website, apply for a role through us, or work with us as a client, prospect, or partner.
When you submit your information to us, we process it only when needed to deliver what you’ve engaged us for or what you’ve consented to, and only within our closed network of verified service providers, each operating under signed Data Processing Agreements and disclosed in our Trust Center. We do not sell, share beyond this network, or process your data for purposes outside what is described in this policy.
This policy does not cover the processing of personal data of Sunbytes employees, contractors, or end-employees placed through our Employer of Record service: that is governed by their individual contracts and our internal HR policies.
We handle personal data with care and in line with the EU General Data Protection Regulation (GDPR), the Vietnam Personal Data Protection Decree (Decree 13/2023), and applicable national laws.
If anything is unclear or you’d like to exercise a right, contact us at info@sunbytes.io.
1. Who we are and who is responsible for your data
Sunbytes B.V. (Netherlands) and Sunbytes Vietnam Co. Ltd. operate as joint controllers of personal data within the meaning of Article 26 GDPR, working together across two offices to deliver our services.
Sunbytes B.V.
Stadsplateau 7, 3521 AZ Utrecht, Netherlands
KvK: 66873630 | VAT: NL856734615B01
Sunbytes Vietnam Co. Ltd.
400/8a Ung Van Khiem, Thanh My Tay Ward, Ho Chi Minh City, Vietnam
Tax code: 0311816866
Single point of contact for all privacy matters, including data protection officer queries, requests, and complaints: info@sunbytes.io
A Joint Controller Arrangement is in place between the two entities. Sunbytes B.V. leads data subject requests and regulatory engagement; both entities share equally the obligations of security, lawfulness, and transparency.
2. Your rights
Whatever brought you into contact with us, you always have the right to:
- Access the personal data we hold about you (Art. 15 GDPR / Art. 14 Decree 13/2023)
- Have it corrected if it’s wrong (Art. 16 GDPR / Art. 15 Decree 13/2023)
- Have it deleted (Art. 17 GDPR / Art. 16 Decree 13/2023 — for Vietnamese data subjects, we action valid deletion requests within 72 hours)
- Restrict how we use it (Art. 18 GDPR / Art. 17 Decree 13/2023)
- Object to processing (Art. 21 GDPR / Art. 9.6 Decree 13/2023)
- Receive a portable copy (Art. 20 GDPR)
- Withdraw consent at any time, without explanation (Art. 7(3) GDPR / Art. 12 Decree 13/2023)
- Be informed before processing begins (Art. 13-14 GDPR / Art. 9.1 Decree 13/2023, “right to know”)
- Object to AI-assisted processing of your data
- Lodge a complaint with the relevant data protection authority
For Vietnamese data subjects: the rights above are also enforceable under Decree 13/2023, with complaints routable to the Vietnam Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention).
The fastest way to exercise any of these rights is our self-service data rights form: https://trust.sunbytes.io/your-data. You can also email info@sunbytes.io. We handle requests within the timeframes required by law (within 72 hours for deletion requests from Vietnamese data subjects, within 30 days for all other requests under GDPR).
3. Website visitors
When you visit sunbytes.io for purely informational purposes, your browser sends technical data to our servers that we use to display the site and keep it secure (Art. 6(1)(f) GDPR — legitimate interest):
- Date and time of access
- Referring URL
- IP address (anonymised for analytics — see § 8)
- Browser type and version
- Data transfer volumes
- Success or error during loading
Cookies
We use both transient (session) cookies and persistent cookies (deleted after 12 months automatically, or whenever you clear them). Essential cookies run without consent; functional, analytics, and marketing cookies load only after you consent through our cookie banner (Art. 6(1)(a) GDPR). You can withdraw consent at any time through the same banner.
You can configure your browser to reject some or all cookies. Some website features may not work if you do.
4. Contact form and email
When you reach us through a contact form or by email, we store your name, company, email address, phone number (if provided), and the message itself, so we can answer you. The legal basis is either taking steps prior to entering a contract (Art. 6(1)(b) GDPR) or our legitimate interest in handling enquiries efficiently (Art. 6(1)(f) GDPR).
We delete this data when storage is no longer needed, or restrict processing if law requires us to retain it.
5. Newsletter and marketing communications
When you subscribe to our newsletter, you give consent under Art. 6(1)(a) and Art. 7 GDPR (and Art. 11-12 Decree 13/2023 for Vietnamese data subjects). We use a double opt-in confirmation. Each newsletter contains a one-click unsubscribe link.
We may keep withdrawn email addresses for up to three years on the basis of legitimate interest (proof of prior consent, defence against claims). You can request earlier deletion at any time.
The newsletter is distributed via Mailchimp (The Rocket Science Group, LLC, Atlanta GA, USA), under a signed Data Processing Agreement and with appropriate transfer safeguards including Standard Contractual Clauses and the EU-US Data Privacy Framework. Mailchimp’s terms: https://mailchimp.com/gdpr/
6. Candidates and applicants
If you apply to a role through us, are sourced by our recruiters, or otherwise enter our talent pipeline, this section applies to you.
What we collect
CV and résumé content, contact details, work history, skills, preferences, expectations, interview notes, technical assessment results, and meeting recordings or transcripts where you have been informed and given consent in line with the meeting tool’s notice practice.
Why we use it, and on what legal basis
To match you with current and future opportunities, evaluate your fit for our enterprise clients, and stay in touch about relevant roles and our progress on your behalf. The legal basis is your consent (Art. 6(1)(a) GDPR / Art. 11 Decree 13/2023). You can withdraw it at any time without affecting the lawfulness of any processing already done.
How we use AI
We use AI to help our recruiters work faster, summarising CVs, drafting notes, and finding relevant past conversations so we don’t make you repeat yourself. AI assists our team; it does not decide anything about your candidacy. Every shortlist, interview, and offer is decided by a human. You can object to AI-assisted processing at any time. We only use enterprise AI services contractually prohibited from training their models on your data.
How long we keep it
We keep candidate data for 48 months from our last mutual interaction with you. If 48 months pass without a mutual interaction, your data is deleted automatically.
We keep candidate data on this rolling basis because tech careers move in cycles: the role we can’t place you in today might be the perfect fit in two or three years, and we want to be there when that moment comes. We may extend retention beyond 48 months only where there is a specific, documented reason that justifies it (for example, an active engagement, a pending placement, or a legal obligation). You always have the right to request earlier deletion, which we will action regardless of the rolling clock.
A “mutual interaction” means any two-way exchange initiated by you or that you actively responded to: an email reply, a CV or profile update, attending an interview or call, accepting or declining a role we propose, or a referral. One-way activity from our side (emails we send that you don’t respond to, sourcing activity) does not reset the clock.
7. Clients, prospects, and partners
If you represent a current client, a prospect we are in conversation with, or a business partner, this section applies to you.
What we collect
Business contact information (name, role, employer, email, phone), notes from meetings and calls, contractual records, billing data, and publicly available business intelligence (company size, industry, technology stack) used for sales and account management.
Why we use it, and on what legal basis
To deliver our services under contract (Art. 6(1)(b) GDPR), to manage the commercial relationship, and to engage prospects whose role makes contact a legitimate interest of both parties (Art. 6(1)(f) GDPR; we have completed a Legitimate Interest Assessment). For marketing communications, which you can always opt out of via an unsubscribe link or by emailing us, we rely on consent (Art. 6(1)(a) GDPR).
How we use AI
The same principles as for candidates apply: AI assists, AI does not decide, and AI providers do not train on your data. AI helps us prepare for meetings, summarise conversations, and surface relevant context across the relationship; it never replaces human judgment about your account.
How long we keep it
For active clients and partners, for the duration of the relationship plus the period required by tax and commercial law (typically 7 years in the Netherlands; longer where Vietnamese law requires it). For prospects, 36 months after our last mutual interaction unless you ask us to delete sooner.
8. Web analytics and tracking
We use Google Analytics, Salesfeed.nl, and Leadfeeder to understand how people use our website and to optimise our content and campaigns. These tools load only after you consent through the cookie banner (Art. 6(1)(a) and Art. 49(1)(a) GDPR).
We use IP anonymisation, so your full IP is not stored. Persistent cookies expire after a maximum of two years. Logged user-related data is automatically deleted after 26 months.
Google is subject to the US CLOUD Act, which gives US federal law enforcement the right to obtain data stored by Google. Transfers are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. Google’s privacy details: https://policies.google.com/privacy
You can opt out at any time through the cookie banner, the Google Analytics opt-out add-on (https://tools.google.com/dlpage/gaoptout), or your browser settings.
reCAPTCHA from Google protects our forms from automated abuse, on the basis of legitimate interest (Art. 6(1)(f) GDPR). It transmits your IP (anonymised in the EEA) and behavioural signals to Google for analysis.
9. Cybersecurity services delivered to clients
Where Sunbytes delivers penetration testing, vulnerability scanning, or other cybersecurity engagements, any personal data processed during the engagement is handled under the written services agreement and Data Processing Agreement signed with the client. Sunbytes acts as a processor in this context; the client remains controller. This processing is not governed by this public privacy policy.
If you believe you have been the subject of a Sunbytes cybersecurity engagement and have questions, please contact your employer (the client) first, as they hold the engagement scope. You may also contact info@sunbytes.io.
10. Embedded media and social profiles
We embed YouTube videos and link to our LinkedIn company profile. Loading a YouTube video transfers data to YouTube (Google LLC); visiting our LinkedIn profile transfers data to LinkedIn (LinkedIn Ireland Unlimited Company). We have no control over how those platforms process your data once you interact with them; their privacy notices apply.
Where we operate company profiles on social platforms, those platforms typically use cookies and behavioural data for their own marketing and analytics. We are not responsible for that processing. To prevent profile linkage, log out of those platforms before browsing our site.
11. Service providers and subprocessors — our closed network
Your data only moves through a closed network of verified service providers. Every provider on this network operates under a signed Data Processing Agreement, has been vetted for security and compliance posture, and is contractually prohibited from using your data for any purpose other than delivering the service to Sunbytes.
For transfers outside the EU/EEA, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where the importer is certified, and supplementary technical and organisational safeguards.
The complete, always-current list of providers in this network — including which AI providers we use, what they do, and where they are located — is published in our Trust Center: https://trust.sunbytes.io/subprocessors
We update that list as our toolchain evolves. The Trust Center is the single source of truth. We do not engage providers outside this network for processing of personal data.
12. International data transfers
Sunbytes operates across the Netherlands and Vietnam, and uses service providers in the EU/EEA, the United Kingdom, the United States, and other regions. Where personal data is transferred outside the EU/EEA, we rely on:
- Adequacy decisions (e.g. UK)
- EU Standard Contractual Clauses (SCCs) and equivalent UK IDTA
- The EU-US Data Privacy Framework where the importer is certified
- Supplementary technical and organisational safeguards (encryption, access control, audited DPAs)
Recruiters in our Vietnam office access EU-stored personal data from Vietnam under SCCs with a documented Transfer Impact Assessment.
For Vietnamese data subjects, transfers of personal data outside Vietnam are conducted in line with Decree 13/2023 Article 25, with a Transfer Impact Assessment maintained on file. Vietnamese data subjects retain the right to object to cross-border transfer of their personal data.
13. How we protect your data
Sunbytes is ISO 27001 certified and continuously monitored for compliance through Sprinto. In practice this means:
- Multi-factor authentication on every system that holds personal data
- Role-based access — only people who genuinely need to see your information can see it
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Continuous vulnerability scanning, prompt patching, regular independent audits
- A documented incident response process aligned with regulatory notification requirements (including 72-hour breach notification to authorities under GDPR Art. 33 and Decree 13/2023 Art. 23)
Full details and current attestations are at https://trust.sunbytes.io
14. Withdrawal and objection
You can withdraw consent at any time without giving a reason. Once you notify us, we stop processing your personal data on the basis of that consent (lawfulness of prior processing is not affected).
Where processing is based on legitimate interest (Art. 6(1)(f) GDPR), you can object. Tell us why our continued processing should not happen, and we will either stop, modify, or explain our overriding legitimate grounds.
You can object to direct marketing or AI-assisted processing at any time, with no justification needed.
15. Changes to this policy
We update this policy when our practices, our toolchain, or applicable law changes. The version number and effective date at the top of this document tell you which version you’re reading. For material changes that affect your rights, we will notify affected data subjects directly where we hold contact details.
A change log is available on request from info@sunbytes.io.
16. Contact
For any privacy question, request, or complaint:
Email: info@sunbytes.io
By post (mark envelope “Data Protection Officer”):
Sunbytes B.V., Stadsplateau 7, 3521 AS Utrecht, Netherlands
You also have the right to lodge a complaint with the relevant data protection authority in your country, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for EU-based data subjects, and the Vietnam Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) for Vietnamese data subjects.
Privacy Policy v2.0 — Sunbytes B.V. & Sunbytes Vietnam Co. Ltd. — 28 April 2026