Privacy Policy

Article 1 Contact details and data controller

1.1 This Privacy Policy applies to the processing of personal data by:

Vignette & Visa B.V.
Oudegracht 294
3511 NX Utrecht
The Netherlands

Website: Tollvignettes.com
Email: [email protected]
Chamber of Commerce (KvK) number: 90577434
VAT numbers: NL865371131B01 / HU30991369

1.2 Vignette & Visa B.V. is the data controller within the meaning of the General Data Protection Regulation (GDPR) for all processing described in this Privacy Policy, unless explicitly stated otherwise.

1.3 For specific services, Vignette & Visa B.V. engages third parties (“processors” or “sub-processors”) who process data on its behalf. Data Processing Agreements (DPAs) are in place to ensure that all data is processed in accordance with the GDPR and ISO/IEC 27001:2022 standards.

Third parties
Third party | Purpose of processing | Data processed | Location
Nuvei | Payment processing | Payment data (not visible to Vignette & Visa B.V.) | EU
Pay.nl | Payment processing | Payment data (not visible to Vignette & Visa B.V.) | EU
PayPal | Payment processing | Payment data (not visible to Vignette & Visa B.V.) | EU
Klaviyo | Email marketing | Email address, order data | US
Converge | Conversion tracking | IP address, email address, order data | EU
Google Analytics | Website analytics | IP address, user behavior, order data | EU
Trengo | Customer support | Email address, order data | EU
Hotjar | UX optimization | Anonymized behavioral data (PII masked) | EU
Trustpilot | Customer reviews | Email address | EU
Google Ads | Advertising and remarketing | Email address, order data | EU

1.4 Where data is processed outside the European Economic Area (EEA), this is done exclusively with parties that offer appropriate safeguards in accordance with Articles 44–49 GDPR, including Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

Article 2 Types of data processed

2.1 Vignette & Visa B.V. processes only those data that are strictly necessary for the provision of its services. This typically includes vehicle-related information and contact details provided directly by the customer when placing an order.

2.2 The following categories of personal data may be processed:

  • Email address – for confirmation, communication, and customer support

  • Vehicle registration number (license plate)

  • Country of vehicle registration

  • Vehicle category/type

  • Start date and duration of validity of the requested vignette

  • Order details and history

2.3 In the following cases, additional personal data are processed due to the requirements of the respective vignette issuers:

  • Vignette Hungary:

    • Full name (first name, surname, and prefixes)

    • Address (street, postal code, city, country)

  • Vignette Moldova:

    • Passport number

    • Vehicle Identification Number (VIN)

  • Vignette Romania:

    • Vehicle Identification Number (VIN)

2.4 Vignette & Visa B.V. does not process any special categories of personal data (as defined in Article 9 GDPR), nor does it knowingly collect personal data from children under the age of 16. Customers must only provide their own data or that of other adult users with proper authorisation.

2.5 Payment information (such as credit card numbers or bank account details) is not processed by Vignette & Visa B.V. All payments are securely handled by certified third-party providers. Vignette & Visa B.V. does not access or store this financial data.

Article 3 Purposes and legal bases of processing

3.1 Vignette & Visa B.V. processes personal and vehicle-related data solely for the following purposes:

  • To fulfil the agreement with the customer, including registration of the requested vignette with the appropriate issuing authority;

  • To communicate with the customer regarding their order status, questions, or support;

  • To ensure proper functioning and optimisation of the website and ordering process;

  • To prevent fraud and monitor service abuse;

  • To comply with legal and administrative obligations (where applicable);

  • To send service-related messages or limited promotional communication (with consent where legally required).

3.2 The processing of data is based on one or more of the following legal grounds under the General Data Protection Regulation (GDPR):

  • Performance of a contract (Article 6(1)(b) GDPR): processing necessary to fulfil the vignette registration service;

  • Legal obligation (Article 6(1)(c) GDPR): e.g., compliance with applicable tax or financial regulations;

  • Legitimate interest (Article 6(1)(f) GDPR): such as fraud prevention, customer support, and improving our digital services;

  • Consent (Article 6(1)(a) GDPR): where explicitly required for certain types of marketing or optional services.

Article 4 Sharing of data with third parties

4.1 Vignette & Visa B.V. does not sell personal or vehicle-related data to third parties. Data are only shared with external parties when this is necessary for the performance of the services requested by the customer, or to meet legal obligations.

4.2 The following third-party service providers may process customer data on behalf of Vignette & Visa B.V., under strict contractual agreements:

  • Payment service providers:

    • Nuvei, Pay.nl, PayPal – for secure processing of customer payments. These providers handle financial data directly; Vignette & Visa B.V. does not access or store any payment card details.

  • Email communication:

    • Klaviyo – for sending transactional emails and limited marketing communications (e.g., reminder emails or feedback requests), based on email addresses.

  • Analytics and conversion tracking:

    • Google Analytics, Google Ads, Converge – to monitor website usage, conversions and improve customer experience. These tools may process IP addresses, order metadata and anonymised behavioural data.

  • Customer support:

    • Trengo – for email-based customer service and order management.

  • UX optimisation tools:

    • Hotjar – for session recording and heatmapping. All sensitive fields (e.g., personal or vehicle data) are excluded from capture or fully masked.

  • Customer feedback:

    • Trustpilot – for collecting verified reviews via email invitations.

4.3 All third parties acting as data processors are bound by data processing agreements with Vignette & Visa B.V., ensuring compliance with the GDPR and adequate protection of customer data.

4.4 Data may also be shared with official vignette issuing authorities solely for the purpose of registering the requested vignette. The categories of data shared vary per country and are limited to what is strictly necessary.

4.5 Where personal data are transferred outside the European Economic Area (EEA), such transfers are based on appropriate safeguards, such as standard contractual clauses approved by the European Commission or adequacy decisions.

Article 5 Data retention periods

5.1 Vignette & Visa B.V. does not retain personal data longer than necessary for the purposes for which they are collected and processed, as outlined in Article 3.

5.2 Retention terms

  • Vehicle and registration data
    Used for vignette processing. Retention period: up to 1 year after the end of the service, for the purpose of customer convenience (e.g. repeat orders), troubleshooting, and defence against legal claims.

  • Personal data for Hungarian and Moldovan vignettes
    Where legally required for proper registration (e.g., name, address, passport number), these data are kept for a maximum of 18 months, unless a longer retention period is required by the relevant issuing authority.

  • Communication data (support and feedback)
    Emails and support interactions are retained for up to 2 years, for the purpose of service quality improvement and resolving disputes.

  • Analytics and conversion data
    Pseudonymised data collected via tools like Google Analytics or Converge may be stored for up to 26 months, in accordance with settings and policies of those services.

5.3 Longer retention periods may apply if:

  • Required by tax or administrative law (e.g., up to 7 years for invoicing data under Dutch law);

  • The data subject has explicitly consented to a longer retention (e.g. for recurring use or marketing);

  • Data are required for legal defence purposes within applicable statutory limitation periods.

5.4 After the expiration of the applicable retention period, data are securely deleted or irreversibly anonymised in accordance with industry standards and internal data destruction policies.

5.5 We periodically review stored personal data and delete or anonymize records that are no longer necessary.

5.6 Our data retention practices are aligned with our ISO 27001:2022-certified information security management system, and based on a formal data classification and retention schedule.

Article 6 Security measures

6.1 Vignette & Visa B.V. takes appropriate technical and organisational measures to protect the personal data it processes against loss, misuse, unauthorised access, disclosure, alteration, or destruction. These measures are regularly evaluated and updated to ensure ongoing data protection.

6.2 The following controls are in place:

  • All communication with the website is secured using TLS encryption (HTTPS).

  • Access to systems and data is restricted to authorised personnel only, based on role-based access control (RBAC).

  • All employees with access to personal data are bound by a confidentiality agreement and receive regular security and privacy training.

  • Customer data are stored in ISO 27001 or SOC 2-certified data centres within the European Economic Area (EEA), unless otherwise contractually secured.

  • Antivirus software, multi-factor authentication (MFA) and timely security updates are applied to all company devices.

  • Regular risk assessments, access reviews and internal audits are conducted in line with ISO 27001:2022 standards.

  • Data processors are subject to Data Processing Agreements (DPAs), ensuring equivalent security obligations.

6.3 In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects, Vignette & Visa B.V. will notify the competent supervisory authority (Autoriteit Persoonsgegevens) without undue delay and, where required, also inform affected individuals.

6.4 If you suspect that your data is not properly secured, or there are signs of abuse, please contact our support team immediately at [email protected].

Article 7 Cookies

7.1 Vignette & Visa B.V. uses cookies and similar technologies on its website to ensure proper functionality, enhance user experience, analyse traffic, and provide relevant advertising. Cookies are small text files stored on your device when you visit our site.

7.2 We use the following types of cookies:

  • Essential cookies:
    Required for the core operation of the website, such as remembering your session, language preferences, or maintaining your cart contents. These cookies do not require your consent.

  • Analytical cookies:
    Used to measure and analyse website traffic and user behaviour (e.g. via Google Analytics, Converge, or Hotjar). These cookies help us improve the website and are only placed with your consent.

  • Marketing cookies:
    These track browsing behaviour across websites to display personalised ads and offers (e.g. via Google Ads, Klaviyo, Trustpilot). These cookies are only set with your explicit consent.

7.3 Consent for the use of non-essential cookies is obtained via Cookiebot, our certified consent management platform. On your first visit, you will be prompted with a cookie banner that allows you to accept, reject, or configure your preferences. Your consent status is logged and can be changed at any time via the cookie settings on our website.

7.4 You may also manage or delete cookies at any time via your browser settings. Note that disabling certain cookies may affect the functionality or performance of the website.

7.5 The storage duration of cookies varies depending on their type and purpose. Essential cookies may expire at the end of a session, while analytics or marketing cookies may persist for up to 24 months unless deleted earlier.

7.6 For more details about how we handle data collected through cookies, please refer to Article 3 (Purposes of processing).

Article 8 Data subject rights

8.1 As a data subject under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data processed by Vignette & Visa B.V.:

  • Right of access – to request insight into the personal data we process about you.

  • Right to rectification – to have incorrect or incomplete personal data corrected.

  • Right to erasure – to request deletion of your data (“right to be forgotten”), unless we have a legal obligation to retain it.

  • Right to restriction of processing – to limit the way we use your data in specific situations.

  • Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format, or to have it transferred to another controller.

  • Right to object – to object to the processing of your personal data for reasons relating to your particular situation, especially in the context of direct marketing.

  • Right not to be subject to automated decision-making – including profiling, where such decisions have legal or significant effects on you.

8.2 To exercise any of the above rights, you may submit a request to our Data Protection Officer by email: [email protected]. To verify your identity, we may ask for a copy of a valid ID (you may redact your photo, document number and BSN/national ID number). We will respond to your request within one month of receipt.

8.3 If you believe that Vignette & Visa B.V. is processing your data unlawfully or in breach of applicable regulations, you have the right to lodge a complaint with the competent supervisory authority.
In the Netherlands, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl

8.4 Please note that some rights may be subject to conditions or limitations based on the legal basis of the processing or specific contractual obligations (e.g. regulatory retention periods).

Article 9 Supervisory Authority and Applicable Law

9.1 This privacy policy is governed by Dutch law and supervised by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

9.2 If you are located in another EU or EEA member state, you may also contact your local supervisory authority. A list of national data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Article 10 Language and prevailing version

10.1 This privacy policy was originally drafted in Dutch. In the event of discrepancies or differences in interpretation between the Dutch version and any translated version, the Dutch version shall prevail.