ColorAptitude™

Privacy Notice

Version 1.0 · Effective: April 2026

1. Introduction

This Privacy Notice describes how we, Stichting Xconea (operating the ColorAptitude product), process personal data in connection with the ColorAptitude website, the ColorAptitude assessment platform, the reseller programme, and related services. It applies to all personal data we process in our role as data controller within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").

We have written this notice to be readable. Where information is technical, we explain the practical effect first.

2. Who We Are

The data controller responsible for processing your personal data is:

Stichting Xconea

Trading as: ColorAptitude

Operating the product: ColorAptitude

Allenstraat 110, Krommenie, The Netherlands

Privacy contact: privacy@coloraptitude.com

General contact: support@coloraptitude.com

We do not have a statutory obligation to appoint a Data Protection Officer, but the privacy contact above handles all privacy-related queries.

3. Whose Data We Process

We process personal data of four broad groups of people. The remainder of this notice describes how we treat each.

  • Website visitors — anyone visiting coloraptitude.com or related pages.
  • Customers and end users — individuals who take a ColorAptitude assessment, complete training, or hold an account on the platform, whether on a personal subscription or through a business account.
  • Business contacts — administrators, billing contacts and other commercial contacts within customer organisations.
  • Reseller contacts — primary, billing and commercial contacts at organisations that participate in the ColorAptitude reseller programme.

4. What Data We Process and Why

4.1 Website visitors

Categories of data

  • IP address, device type, browser, operating system, referring page, pages visited, timestamps.
  • Information you provide via contact forms (name, email, message).
  • Mini-scan inputs and results (if you complete the free mini-scan).

Purposes

  • Providing the website and ensuring its security and proper operation.
  • Understanding aggregate website usage to improve content and structure.
  • Responding to contact form enquiries.
  • Operating the free mini-scan and showing you indicative results.

Legal basis

  • Legitimate interest under Article 6(1)(f) GDPR for security, operation and aggregate analytics.
  • Consent under Article 6(1)(a) for non-essential cookies and tracking — see our Cookie Policy.

4.2 Customers and end users (paid platform)

Categories of data

  • Identification: name, email address.
  • Demographic for normalisation: age (used to compare your score against the age-corrected professional norm).
  • Optional professional context: industry, role, organisation.
  • Account data: login identifier, hashed password, login timestamps.
  • Assessment data: responses, scores, the 3×3 competency matrix output, certificates issued, training progress.
  • Subscription and payment data: subscription tier, dates, status, payment method tokens (full payment card data is held by Stripe, not by us).
  • Communications: support tickets, correspondence, email content where you contact us.
  • Marketing consent state (where applicable).

Purposes

  • Operating your account and delivering the assessment, certification and training services.
  • Calculating, displaying and storing your scores and certificates.
  • Processing subscription payments and renewals.
  • Maintaining audit documentation in line with ASTM E1499-16 and ISO/IEC 17025 references.
  • Providing customer support.
  • Sending service communications (renewal reminders, certificate issuance, security notices).
  • Sending marketing communications, where you have given consent.

Legal basis

  • Performance of contract under Article 6(1)(b) GDPR for account, assessment, certification and payment processing.
  • Legal obligation under Article 6(1)(c) for tax, accounting and statutory record retention.
  • Legitimate interest under Article 6(1)(f) for security, fraud prevention, service improvement, and audit documentation.
  • Consent under Article 6(1)(a) for marketing communications, which can be withdrawn at any time.

4.3 Business contacts

Categories of data

  • Name, business email address, role, telephone.
  • Organisation, address, registration number, VAT number.
  • Communications and account access logs.

Purposes

  • Managing the business account on behalf of the customer organisation.
  • Invoicing, payment, and tax administration.
  • Commercial communications regarding the subscription.

Legal basis

  • Performance of contract under Article 6(1)(b) GDPR with the customer organisation.
  • Legal obligation under Article 6(1)(c) for invoicing and tax records.
  • Legitimate interest under Article 6(1)(f) for relationship management with business contacts.

4.4 Reseller contacts

Categories of data

  • Name, role, business email, telephone of primary, billing and commercial contacts at the reseller organisation.
  • Reseller organisation details: legal name, address, registration number, VAT number, IBAN.
  • Reseller activity data: code attribution, commission calculation records, dashboard usage logs.

Purposes

  • Operating the reseller programme and the reseller dashboard.
  • Calculating and paying commission.
  • Communications regarding the reseller relationship.

Legal basis

  • Performance of contract under Article 6(1)(b) GDPR with the reseller organisation.
  • Legal obligation under Article 6(1)(c) for tax and accounting.
  • Legitimate interest under Article 6(1)(f) for programme administration.

4.5 Sharing of commercial data with resellers

Where a customer purchases a subscription using a reseller code, we share a limited set of commercial data (organisation name and address; billing and commercial contact details; subscription tier, seat count, dates, status, contract value; invoice and payment records relevant to commission; attribution data) with the relevant reseller, through the reseller dashboard.

We rely on legitimate interest under Article 6(1)(f) GDPR for this sharing. Resellers act as independent data controllers for the limited commercial data (Category A) they receive — they are not data processors within the meaning of Article 28 GDPR and no data processing agreement is required between ColorAptitude and its resellers. Resellers are contractually prohibited from accessing assessment data, certificates, training progress, or any individual user information.

5. Automated Decision-making and Profiling

The ColorAptitude assessment generates scores and a competency profile through automated calculation against an established colour space and colour-difference metric (OKLCH and CIEDE2000 respectively), using a three-layer scoring framework (Discrimination, Attribution and Communication layers) with provisional competence profiles. The result is a descriptive profile, not a decision with legal or similarly significant effect within the meaning of Article 22 GDPR.

Where you use the assessment within an employment, qualification or compliance context (for example, observer qualification under ASTM E1499-16), the use of your score by your employer or organisation is the responsibility of that organisation, not of ColorAptitude. We do not make hiring, promotion, or other employment decisions on your behalf.

We do not engage in profiling for advertising or behavioural prediction outside the assessment service itself.

6. Who Receives Your Data

6.1 Within our organisation

Personal data is accessed within our organisation only by personnel for whom such access is necessary for their role, on a need-to-know basis.

6.2 Service providers (sub-processors)

We rely on a limited number of established service providers, each bound by appropriate data protection terms. The current list of sub-processors is:

Provider        Purpose                                             Location of processing
Stripe          Payment processing and subscription billing         EEA / United States (under SCCs)
Resend          Transactional email delivery                        EEA / United States (under SCCs)
ActiveCampaign  Marketing automation and CRM                        EEA / United States (under SCCs)
Moneybird       Invoicing and accounting administration             Netherlands (EEA)
Vercel          Hosting of the ColorAptitude website and platform   EEA / United States (under SCCs)
Neon            Database hosting                                    EEA / United States (under SCCs)

An up-to-date list is available on request from privacy@coloraptitude.com.

6.3 Resellers (independent controllers, limited data only)

As described in section 4.5, where you purchase via a reseller code, a limited set of commercial data is made available to that reseller in their capacity as independent controller for programme administration purposes. Resellers are contractually prohibited from accessing assessment results, certificates, or any individual user information, and are bound to confidentiality, security, and use restrictions consistent with our reseller agreement.

6.4 Other recipients

We may disclose personal data to competent authorities where we are required to do so by law. We do not sell personal data and we do not share it for the marketing purposes of unrelated third parties.

7. International Transfers

We process personal data primarily within the European Economic Area (EEA). Where transfer to a country outside the EEA is necessary — typically because a service provider operates from outside the EEA — we rely on appropriate safeguards under Chapter V GDPR.

In practice, transfers to non-EEA service providers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where necessary by additional technical and contractual measures. You may request a copy of the relevant safeguards from privacy@coloraptitude.com.

8. How Long We Keep Your Data

We retain personal data only as long as needed for the purposes described in this notice, plus the legal retention periods that apply to us.

Data category and retention period:

  • Account data (active subscriptions): for the duration of the subscription and account.
  • Account data after cancellation: up to 24 months after the end of the subscription, then deleted or anonymised, except where longer retention is required by law.
  • Assessment results and certificates: for the duration of the subscription. After cancellation, retained in anonymised form for normative comparison; identifiable records deleted within 24 months unless required for legal claims or audit obligations.
  • Invoices, payment records, accounting data: seven (7) years from the end of the relevant fiscal year, in line with Dutch tax law.
  • Reseller commercial data: for the duration of the reseller agreement. Records relevant to invoicing and commission are retained for seven (7) years.
  • Marketing data (consented): until consent is withdrawn or there has been no engagement for 24 months, whichever comes first.
  • Support and correspondence: three (3) years after the last interaction.
  • Website analytics: up to 26 months in identifiable form; aggregated thereafter.
  • Server logs (security and operations): up to 12 months.

9. Your Rights

Under the GDPR, you have the rights set out below. To exercise any of these rights, contact us at privacy@coloraptitude.com. We respond within one month of a verifiable request, extendable by a further two months for complex requests.

Right of access
You may obtain confirmation of whether we process your personal data and a copy of the data we hold.
Right to rectification
You may have inaccurate or incomplete data corrected.
Right to erasure
You may have your personal data deleted where the legal grounds in Article 17 GDPR apply, in particular when the data is no longer necessary for the purposes for which it was collected.
Right to restriction of processing
You may have processing restricted in the cases listed in Article 18 GDPR.
Right to data portability
For data we process based on your consent or in performance of a contract, you may obtain a copy in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
Right to object
You may object to processing based on legitimate interest, including profiling, on grounds relating to your particular situation. Where you object, we cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Right to withdraw consent
Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also lodge a complaint with the supervisory authority of the EU member state where you live or work.

To verify your identity before responding to a rights request, we may ask you to confirm details that match what we hold, in line with Article 12(6) GDPR. We do not charge for handling requests except where requests are manifestly unfounded or excessive.

10. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration or disclosure, in line with Article 32 GDPR. Measures include access control with role-based permissions, multi-factor authentication on administrative access, encryption of data in transit (TLS) and at rest where applicable, regular backups, security patching, logging, and a documented incident response procedure.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, in line with Article 33 GDPR. Where the risk is high, we also notify you directly, in line with Article 34 GDPR.

11. Children

ColorAptitude is a professional service intended for adults. We do not knowingly collect personal data from individuals under 16 years of age. Where we become aware that data of a person under 16 has been collected without an appropriate legal basis, we delete it without undue delay.

12. Cookies and Similar Technologies

We use cookies and similar technologies for essential site operation, security, and (with your consent) for analytics. Detailed information on the cookies we use, their purpose, and your choices is available in our Cookie Policy.

13. Changes to this Notice

We may update this Privacy Notice from time to time, for example to reflect changes in our services, in our service providers, or in applicable law. The version date at the top of this notice indicates when the notice was last updated.

Material changes — those that significantly affect the way your data is processed or your rights — will be communicated to active customers and resellers by email at least 30 days before the effective date. Non-material changes (clarifications, corrections, additions to the sub-processor list) take effect on publication.

14. Contact

For any privacy-related question, request, or concern, contact us at:

BNK Foundation

Trading as: Xconea

Operating: ColorAptitude

Allenstraat 110, Krommenie, The Netherlands

privacy@coloraptitude.com