Legal

Privacy Policy

Last updated: May 2026

This policy explains how Andrea van der Loos collects, uses, and protects personal data through this website. It applies to all visitors, whether based in the United Kingdom or the European Economic Area (EEA).

This site is covered by both UK GDPR (for UK residents) and EU GDPR (Regulation 2016/679, for EEA residents). Where the two frameworks differ, both are addressed separately below.

Data controller

The data controller for this website is:

Andrea van der Loos

Strategy Consultant

Cambridge, United Kingdom

strategy@vdloos.com

strategy.vdloos.com

Note for EU/EEA visitors: As a UK-based business operating post-Brexit, Andrea van der Loos is not currently required to appoint an EU representative under Article 27 EU GDPR if data processing is occasional, does not involve large-scale processing of special category data, and is unlikely to result in a risk to the rights and freedoms of individuals. This site processes minimal personal data on an occasional basis and meets these criteria. If this changes, this policy will be updated accordingly. EU/EEA residents retain all rights described in this policy and can contact their local supervisory authority (see Your Rights section below).

What data we collect

This is a simple informational website. Data collection is minimal:

Email address and message content — when you contact us directly via the email link on this site.
Booking information — if you use Cal.com to book a session, the data you enter (name, email, any notes) is processed by Cal.com . Cal.com's own privacy policy applies to that data.
Analytics data — if you consent to cookies, Google Analytics collects anonymised information about how visitors use the site (pages visited, approximate location by country, device type, referral source). This does not identify you personally.
Technical/server log data — your IP address and browser type may be recorded automatically by our hosting provider's infrastructure. This is standard and is not used to profile or track you.

Legal basis for processing

Data	Purpose	Legal basis
Email correspondence	Responding to your enquiry	Legitimate interest; pre-contractual steps
Analytics cookies	Understanding site usage to improve content	Consent (opt-in via cookie banner)
Server logs	Security and infrastructure	Legitimate interest

Cookies

When you first visit this site, a cookie banner asks for your consent before any analytics cookies are set. If you decline, no tracking cookies are stored. Your choice is saved in your browser's local storage and respected on future visits.

If you accept analytics, Google Analytics may set the following cookies:

_ga — distinguishes unique users. Expires after 2 years.
_ga_XXXXXXX — maintains session state. Expires after 2 years.

You can withdraw consent at any time by clearing your browser's site data, or by contacting us and we will assist you. No cookies are set prior to your consent.

How long we keep data

Email correspondence — retained for as long as necessary for the purpose of the communication or any resulting engagement, then deleted. Typically no longer than 3 years.
Analytics data — retained for 14 months in Google Analytics (the default), after which it is automatically deleted.
Server logs — retained by our hosting provider in line with their standard data retention policies, typically 30–90 days.

Who we share data with

We do not sell or trade personal data. Data is only shared with:

Google LLC (Google Analytics) — only if you consent to analytics cookies. Google processes data under Standard Contractual Clauses (SCCs) for transfers outside the UK/EEA.
Cal.com, Inc — if you use Cal.com to book a session. Cal.com, Inc is a US-based company and processes data under SCCs. See Cal.com's Privacy Policy.
Hosting provider — server log data as standard infrastructure.

International data transfers

Some of the third-party services listed above (Google, Cal.com) are based in the United States. Transfers of personal data to the US are made under appropriate safeguards — specifically Standard Contractual Clauses (SCCs) approved by the European Commission and adopted under UK GDPR where applicable.

You may request a copy of the applicable transfer mechanisms by contacting us at strategy@vdloos.com.

Your rights

Under both UK GDPR and EU GDPR, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate or incomplete data.
Erasure — request deletion of your data ("right to be forgotten").
Restriction — request that we limit how we use your data.
Objection — object to processing based on legitimate interests.
Portability — receive your data in a portable format where applicable.
Withdraw consent — at any time, where processing is based on consent (e.g. analytics cookies).

To exercise any of these rights, email strategy@vdloos.com. We will respond within 30 days.

UK residents — you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ico.org.uk/make-a-complaint · 0303 123 1113

EU/EEA residents — you have the right to lodge a complaint with the data protection supervisory authority in your country of residence. A full list of EU supervisory authorities is available at:
edpb.europa.eu — list of supervisory authorities

Security

We take reasonable steps to protect personal data from unauthorised access, loss, or misuse. Email correspondence is transmitted over encrypted connections where supported by email providers. This site is served over HTTPS.

No method of electronic transmission or storage is 100% secure. If you have concerns about the security of your data, please contact us.

Children's data

This site is directed at business professionals and founders. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or applicable law. The date at the top of this page shows when it was last revised. Continued use of the site after changes constitutes acceptance of the updated policy. Significant changes will be communicated where reasonably practicable.

Contact

For any questions, requests, or concerns about this privacy policy or how we handle personal data:

Andrea van der Loos

strategy@vdloos.com

We aim to respond to all privacy-related requests within 30 days.