Privacy policy

This privacy policy explains how Holm Security collects and uses personal data through holmsecurity.com.

Last updated: June 5, 2026

Summary of our use of personal data

Who we are:

We are the controller for the personal data described in this policy.

  • H.O.L.M. Security Sweden AB, a company registered in Sweden.
  • Holm Security Benelux B.V., a company registered in the Netherlands.

What we collect: Information you give us through forms on the site (such as your name, business email, and company), information collected automatically when you visit (such as your IP address and, if you have provided your consent to cookies, how you interact with our pages), and information we receive from third parties (such as third parties that provide additional business contact data and LinkedIn for job applicants).

Why we collect it: To respond to your enquiries, provide services you request (such as a free trial or demo), send marketing communications if you have provided your consent, run our recruitment process, secure our website, and meet our legal obligations.

Who we share it with: Our service providers (such as our CRM, email tools, and advertising partners), our group company, professional advisors, and authorities where required by law.

International transfers: Data is transferred outside the European Economic Area through the marketing and analytics tools used on this website. This applies to website data only. Personal data processed in our platform (Next-Gen Vulnerability Management Platform and Partner Portal) is only stored and processed within the EU/EEA.

Your rights: You can access, correct, delete, or object to our use of your personal data. Contact our Data Protection Officer at dpo@holmsecurity.com.

This policy covers our website only. Separate notices apply to our platform (see Platform privacy notice) and to our customers and partners through their contracts with us.

1. Who is responsible for your data

The controllers for the personal data described in this policy are:

H.O.L.M. Security Sweden AB
Gustavslundsvägen 137, 167 51 Bromma
Sweden
Company registration number: 5590304217

Holm Security Benelux B.V.
Cruquiusweg 111 H, 1019 AG Amsterdam
Netherlands
Corporate identity number: 74312936

H.O.L.M. Security Sweden AB and Holm Security Benelux B.V. are part of the same corporate group and act as joint controllers for the personal data processed through this website, because we share the same systems (including our CRM and marketing platform) and pursue the same purposes together. The two companies have a joint controller arrangement under Article 26 GDPR that determines our respective responsibilities, and this privacy policy reflects the essence of that arrangement. H.O.L.M. Security Sweden AB is the lead controller for the group. When you contact us, the entity that handles your enquiry depends on your region.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our handling of personal data and answering questions about this policy or your rights.

2. What personal data we collect

We collect personal data in three ways: information you give us directly, information collected automatically when you use the site, and information we receive from other sources.

2.1 Information you give us

When you fill in a form or contact us, we collect:

  • Identity and contact details: name, business email address, phone number
  • Professional details: company name, job title, country, industry
  • Communication content: the message you send us, and any follow-up correspondence

The specific data collected depends on which form you use.

2.2 Information collected automatically

When you visit the site, we and our service providers automatically collect:

  • Technical data: IP address, region, browser type and version, operating system, device type, language preference
  • Usage data: pages visited, time spent on pages, links clicked, referring website, search terms used to find us
  • Cookie data: information stored in cookies and similar technologies (see our Cookie policy for details and to manage your preferences)

2.3 Information from other sources

We also receive personal data about you from:

  • Data enrichment providers, which add company information, job title, and similar professional details to records we already hold
  • Prospecting partners, which conduct outreach campaigns on our behalf
  • LinkedIn: when you apply for a job at Holm Security through LinkedIn
  • Resellers, distributors, and other partners: when they refer you to us
  • Publicly available sources: such as company websites, LinkedIn profiles, and business directories
  • Our group company Holm Security Benelux B.V.

3. Why we use your personal data and our legal basis

Under the General Data Protection Regulation (GDPR), we must have a lawful basis for each use of your personal data. The table below explains what we do with your data and the legal basis for each activity.

| Purpose | Personal data used | Legal basis |
|---|---|---|
| Responding to your demo, quote, trial, meeting or contact request | Identity, contact, and communication content | Our legitimate interest in responding to your enquiry (GDPR Article 6(1)(f)) |
| Sending you our newsletter and marketing communications | Identity, contact, professional details | Your consent (GDPR Article 6(1)(a)) |
| Sending marketing communications to existing customers | Identity, contact | Our legitimate interest in keeping customers informed about our products and services (GDPR Article 6(1)(f)) |
| B2B outbound prospecting | Identity, contact, professional details | Our legitimate interest in reaching potential business customers (GDPR Article 6(1)(f)) |
| Analyzing website performance and improving the site | Cookie data, usage data | Your consent for analytics and tracking cookies; our legitimate interest for basic server logs that we keep regardless of cookie consent (GDPR Articles 6(1)(a) and 6(1)(f)) |
| CRM enrichment to maintain accurate records | Identity, contact, professional details from enrichment vendors | Our legitimate interest in keeping our records accurate (GDPR Article 6(1)(f)) |
| Securing the website and preventing fraud or abuse | Technical data, usage data | Our legitimate interest in protecting our website and visitors (GDPR Article 6(1)(f)) |
| Recruitment and evaluating job applicants | Identity, contact, application content | Our legitimate interest in assessing your suitability for a role, including conducting interviews and reference checks (GDPR Article 6(1)(f)) |
| Running background checks on job applicants | Identity, employment history, and other information required for the check (varies by country) | Our legitimate interest in assessing your suitability for employment; we always ask before running a check (GDPR Article 6(1)(f)) |
| Complying with our legal, accounting, and tax obligations | As required | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | As required | Legitimate interest (Art. 6(1)(f)) |

Where we rely on legitimate interest, we consider whether our interests are outweighed by your rights and freedoms. If you have any questions about how we apply legitimate interest, please contact our DPO.

Where we rely on consent, you have the right to withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4. Who we share your personal data with

We share personal data only where necessary and with appropriate safeguards. The categories of recipients are:

4.1 Service providers (processors)

These are companies that process personal data on our behalf, under contract, for specific purposes. The list below reflects the service providers active on holmsecurity.com. A full, current cookie inventory is available in our Cookie policy.

4.2 Other Holm Security group companies

H.O.L.M. Security Sweden AB and Holm Security Benelux B.V. share personal data with each other where necessary to operate as a group. This includes sharing leads and customer records between sales teams, providing customer support across regions, running joint marketing activities, and maintaining a single CRM and marketing platform across the group. The legal basis for this sharing is our legitimate interest in operating as a coordinated group, and where applicable, fulfilling a contract with you.

4.3 Professional advisors

Lawyers, accountants, auditors, and consultants where necessary for legal, financial, or compliance purposes.

4.4 Authorities and public bodies

Where we are required to disclose personal data by law, by a court order, or in connection with a regulatory request, or where disclosure is necessary to protect our rights or the safety of others.

4.5 Buyers in a business transaction

If we sell, merge, or reorganize parts of our business, personal data may be transferred to the buyer or successor entity as part of that transaction. We will tell you if your data will be subject to a different privacy policy as a result.

We do not sell your personal data to third parties.

4.6 Insurance providers

Where necessary, we may share personal data with our insurance providers in connection with legal claims, disputes, or risk management.

4.7 Background check providers

As part of our recruitment process, we may share an applicant’s personal data with an external background check provider. The provider varies by country. We only share the data needed for the check (such as identity and employment history), and we always ask the applicant for their consent before initiating a check.

4.8 Reference persons (for recruitment)

When evaluating a job applicant, we may contact people the applicant has nominated as references. In doing so, we process the reference person’s name, contact details, and any information they share with us about the applicant. The legal basis is our legitimate interest in assessing the applicant’s suitability for the role.

5. International transfers of personal data

Some of our marketing service providers process or store personal data outside the European Economic Area (EEA), primarily in the United States. When this happens, we make sure the provider offers an adequate level of protection. We normally rely on the European Commission’s adequacy decision under the EU-US Data Privacy Framework where the recipient is certified, and otherwise on the European Commission’s Standard Contractual Clauses for international transfers.

If you'd like more details on the safeguards in place for a specific provider, contact our DPO at dpo@holmsecurity.com.

6. How long we keep your personal data

We keep personal data only as long as needed for the purpose we collected it for. The table below sets out, for each purpose, how long we typically keep the data.

| Purpose of processing | Retention period |
|---|---|
| Responding to your enquiries (demos, quotes, contact forms) | Up to 2 years from your last interaction with us |
| Sending newsletter and marketing communications | Until you unsubscribe, or up to 2 years if you become inactive |
| B2B outbound prospecting | Up to 2 years from first contact, sooner if you opt out |
| Website analytics and advertising | See our Cookie policy |
| CRM enrichment to maintain accurate records | Up to 2 years from your last interaction |
| Securing the website and preventing fraud or abuse | Server logs and security data are typically kept for 12 months |
| Recruitment (including interviews, reference checks, and background checks) | Duration of the recruitment process, plus 24 months (to manage any legal claims) |
| Customer relationship and contract management | For the duration of your contract with us, plus any period required by law |
| Complying with our legal, accounting, and tax obligations | As required by applicable laws (for example, the Swedish Bookkeeping Act requires us to keep accounting records for 7 years) |
| Establishing, exercising, or defending legal claims | Duration of the claim plus the applicable limitation period |

Where data is no longer needed, we delete it or anonymize it so it can no longer be associated with you.

7. Your rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access: You can ask us for a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): You can ask us to delete your data in certain circumstances.
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: Where we process your personal data based on your consent or to perform a contract with you, and the processing is carried out by automated means, you can ask us to provide that data in a structured, commonly used, machine-readable format, or where technically feasible, to transfer it to another organization.
  • Right to object: You can object to our processing of your data where we rely on legitimate interest, and to direct marketing at any time.
  • Right to withdraw consent: Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing. You can withdraw consent by clicking the unsubscribe link in any marketing email or by contacting our DPO.
  • Right not to be subject to automated decisions: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently make any such decisions in relation to the categories of individuals covered by this privacy policy.

To exercise any of these rights, contact our DPO at dpo@holmsecurity.com. To protect your data, we will verify your identity before responding, and may ask for additional information if needed to do so. We will respond within one month of receiving your request or tell you within that time if we need longer (up to two additional months for complex requests).

If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the supervisory authority in the EU/EEA member state where you live, work, or where the alleged infringement took place.

8. Cookies and similar technologies

We use cookies and similar tracking technologies on holmsecurity.com to operate the site, remember your preferences, analyze how the site is used, and deliver relevant advertising.

For full details, including the cookies we use, how to manage your preferences, and how to withdraw consent, see our Cookie policy.

9. Security

We use appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, and disclosure. These include encryption in transit, access controls, regular security testing, employee training, and an information security management system certified to ISO/IEC 27001:2022.

No method of transmission or storage is completely secure, but we work continuously to maintain and improve our security practices.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you by email or through a notice on the site.