1. Introduction
This Privacy Policy explains how MPL Legal Tech Advisors processes personal data in connection with our legal technology consultancy services and website operations. We are committed to protecting your privacy and being transparent about our data practices.
This policy applies to all personal data we collect through our Website (https://www.mpladvisors.com/), during consultancy engagements, in business communications, and through our professional relationships. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming).
As specialists in legal technology optimization, we understand the critical importance of data protection and implement robust safeguards to ensure your personal information is handled securely and lawfully.
2. Data Controller
MPL Legal Tech Advisors is the data controller for all personal data processing described in this policy.
Company Details:
- Legal Name: MPL Legal Tech Advisors (sole proprietorship)
- Principal: Rok Popov Ledinski
- Business Address: Burgemeester Elmersstraat 98, 1655 KK, Sijbekarspel, Netherlands
- Chamber of Commerce Registration: 86237152
- Email: info@mpladvisors.com
- Website: https://www.mpladvisors.com/
Data Protection Contact: rok@mpladvisors.com
3. Types of Personal Data Collected
3.1 Contact and Professional Information
We collect the following categories of personal data directly from you:
- Professional Identity Data: Full name, job title, company name, professional role
- Contact Information: Business email address, phone number, office address
- Professional Background: Areas of legal practice, firm size, technology experience level
- Communication Records: Email correspondence, meeting notes, consultation records
3.2 Website Usage and Technical Data
We automatically collect certain information when you visit our Website:
- Device Information: IP address, browser type and version, operating system
- Usage Analytics: Pages visited, time spent on pages, referral sources, download activity
- Preference Data: Cookie settings, content personalization choices
- Session Data: Login sessions, form interactions, search queries
3.3 Consultancy Engagement Data
During our consultancy services, we may process:
- Organizational Information: Team structure, reporting relationships, operational workflows
- System Data: Technology inventory, software configurations, integration mappings
- Process Information: Workflow descriptions, bottleneck analyses, efficiency metrics
- Strategic Data: Business objectives, implementation priorities, resource constraints
4. Purposes of Processing
4.1 Service Delivery and Client Management
We process personal data to provide our legal technology consultancy services:
- Consultation Services: Conducting assessments, developing recommendations, providing strategic guidance
- Project Management: Coordinating engagements, managing deliverables, tracking progress
- Client Communication: Responding to inquiries, providing updates, delivering reports
- Relationship Management: Maintaining client records, managing ongoing relationships
4.2 Business Operations and Compliance
We process personal data for essential business operations:
- Financial Management: Invoicing, payment processing, expense tracking
- Legal Compliance: Tax reporting, regulatory obligations, contract management
- Quality Assurance: Service improvement, methodology development, training purposes
- Professional Development: Case study development (anonymized), best practice sharing
4.3 Marketing and Business Development
With appropriate consent, we process personal data for:
- Content Marketing: Newsletter distribution, educational content sharing
- Professional Networking: Industry event invitations, webinar announcements
- Service Promotion: Information about new services, relevant case studies
- Market Research: Understanding client needs, service development insights
4.4 Website Operations and Security
We process personal data to maintain our Website:
- Site Functionality: User authentication, preference management, content delivery
- Security Monitoring: Fraud prevention, unauthorized access detection, threat mitigation
- Performance Optimization: Load balancing, error tracking, user experience improvement
- Analytics and Insights: Usage pattern analysis, content effectiveness measurement
5. Legal Basis for Processing
5.1 Contract Performance (Article 6(1)(b) GDPR)
We process personal data to perform our consultancy services and fulfill contractual obligations:
- Service Delivery: All activities necessary to provide legal technology consultancy services
- Project Execution: Data processing required for assessment delivery and recommendation development
- Client Support: Ongoing assistance and follow-up services as agreed in our Service Agreement
5.2 Legal Obligation (Article 6(1)(c) GDPR)
We process personal data to comply with legal requirements:
- Tax and Accounting: 7-year retention of financial records as required by Dutch tax law
- Professional Liability: Record keeping for insurance and regulatory compliance
- Anti-Money Laundering: Client verification and transaction monitoring as required
- Data Breach Notification: Reporting obligations to supervisory authorities
5.3 Legitimate Interests (Article 6(1)(f) GDPR)
We process personal data based on legitimate interests that do not override your fundamental rights:
- Website Operations: Ensuring site security, functionality, and performance optimization
- Business Analytics: Understanding service effectiveness and market demand
- Professional Development: Improving methodologies through anonymized insights
- Relationship Management: Maintaining professional contacts and business relationships
5.4 Consent (Article 6(1)(a) GDPR)
We process personal data based on your explicit consent for:
- Marketing Communications: Newsletter subscriptions, promotional materials
- Non-Essential Cookies: Analytics, marketing, and personalization cookies
- Optional Services: Additional features requiring separate consent
6. Data Retention
6.1 Client Data Retention Periods
We retain client data according to the following schedule:
- Active Engagement Data: Throughout service delivery plus 12 months for support purposes
- Completed Project Records: 3 years after project completion for reference and warranty obligations
- Financial Records: 7 years as required by Dutch accounting and tax regulations
- Legal Documentation: 7 years for contracts and professional liability requirements
6.2 Marketing and Communication Data
Marketing-related data is retained as follows:
- Newsletter Subscriptions: Until unsubscribed or 3 years from last engagement
- Marketing Analytics: 26 months in aggregated form (Google Analytics standard)
- Communication Records: 2 years from last meaningful interaction
- Event Registrations: 1 year for follow-up and future event planning
6.3 Website and Technical Data
Technical data retention periods:
- Server Logs: 12 months for security monitoring and system optimization
- Analytics Data: 26 months in anonymized/aggregated form
- Session Data: Deleted upon session expiration (typically 24 hours)
- Security Incident Data: 5 years for threat analysis and prevention
6.4 Automatic Deletion Procedures
We have implemented automated systems to ensure data deletion at the end of retention periods, except where:
- Legal holds prevent deletion due to ongoing disputes
- Extended retention is specifically requested by the client
- Professional liability requirements mandate longer retention
7. Data Security
7.1 Technical Security Measures
We implement comprehensive technical safeguards to protect personal data:
Encryption and Protection:
- TLS 1.3 encryption for all data transmission
- AES-256 encryption for data at rest
- End-to-end encryption for sensitive client communications
- Secure key management with regular rotation
Access Controls:
- Multi-factor authentication for all system access
- Role-based access restrictions limiting data exposure
- Regular access reviews and automated deprovisioning
- Privileged access monitoring and logging
7.2 Organizational Security Measures
We maintain robust organizational safeguards:
Personnel Security:
- Background verification for personnel with data access
- Comprehensive data protection training for all staff
- Confidentiality agreements exceeding legal requirements
- Regular security awareness updates and testing
Governance Framework:
- Designated Data Protection Officer overseeing compliance
- Regular security risk assessments and gap analyses
- Incident response procedures with defined escalation paths
- Continuous monitoring and improvement of security posture
8. Data Sharing and Disclosure
8.1 Service Providers and Processors
We share personal data with carefully vetted service providers who process data on our behalf:
Technology Infrastructure Providers:
- Cloud Hosting Services: Secure data storage and website hosting
- Email Service Providers: Client communication and marketing automation
- Analytics Platforms: Website performance and usage analysis
- Security Services: Threat monitoring and incident response
All processors are bound by Data Processing Agreements ensuring GDPR compliance and restricting data use to specified purposes.
8.2 Professional Service Providers
We may share data with professional advisors:
Legal and Compliance:
- Legal counsel for contract review and dispute resolution
- Auditors for financial and compliance verification
- Professional liability insurers for coverage and claims management
- Regulatory consultants for specialized compliance requirements
Business Operations:
- Accounting firms for financial management and tax compliance
- IT consultants for specialized technical services
- Business advisors for strategic planning and development
8.3 Legal and Regulatory Authorities
We may disclose personal data when required by law:
- Tax Authorities: Financial records for tax compliance and audits
- Regulatory Bodies: Information requested during investigations or inspections
- Law Enforcement: Data disclosed pursuant to valid legal process
- Court Orders: Information required for legal proceedings
8.4 Business Transfer Scenarios
In the event of business restructuring, merger, or acquisition, personal data may be transferred to successors, subject to:
- Equivalent privacy protections for all transferred data
- Notification to affected individuals prior to transfer
- Opportunity to object or request data deletion
- Compliance with all applicable data protection requirements
9. International Data Transfers
9.1 Transfer Principles and Safeguards
As a Netherlands-based consultancy, we primarily process data within the European Economic Area (EEA). However, some international transfers may occur:
United States Transfers:
- Service providers with adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) for other US-based services
- Supplementary measures including enhanced encryption and access controls
- Regular assessment of legal landscape and transfer mechanisms
Other International Transfers:
- Only to countries with adequate protection or appropriate safeguards
- Standard Contractual Clauses as primary transfer mechanism
- Additional technical and organizational measures where required
- Ongoing monitoring of destination country legal frameworks
9.2 Specific International Processing
Current international data transfers include:
Google Analytics (United States):
- Google Analytics 4 with IP anonymization
- Standard Contractual Clauses with Google LLC
- Data Processing Amendment with enhanced protections
- Option to opt-out via browser add-on or cookie settings
Professional Software Services:
- Cloud-based tools for project management and communication
- Due diligence conducted on all international service providers
- Contractual restrictions on data access and processing
- Regular review of transfer necessity and alternatives
9.3 Your Rights Regarding International Transfers
You have the right to:
- Request information about specific transfers affecting your data
- Object to transfers to particular countries or regions
- Request that your data be processed only within the EEA (subject to technical feasibility)
- Receive copies of appropriate safeguards governing transfers
10. Data Subject Rights
10.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation that we process your personal data and receive:
- Data Categories: Types of personal data we hold about you
- Processing Purposes: How and why we use your personal data
- Recipients: Third parties who have received your data
- Retention Periods: How long we plan to store your data
- Data Copy: Electronic copy of your personal data in a commonly used format
Exercise Process: Submit requests via info@mpladvisors.com or by written request to our business address. We respond within 30 days with secure delivery of the requested information.
10.2 Right to Rectification (Article 16 GDPR)
You can request correction of inaccurate or incomplete personal data:
- Inaccuracy Correction: Update incorrect contact details, professional information, or preferences
- Completion: Add missing information relevant to our processing purposes
- Third-Party Notification: We inform relevant processors and recipients of corrections
- Verification: We may request supporting documentation for significant changes
Exercise Process: Contact us with specific details of inaccuracies and supporting evidence. Corrections are implemented within 72 hours for critical information.
10.3 Right to Erasure (Article 17 GDPR)
You may request deletion of personal data when:
- Purpose Fulfillment: Data no longer necessary for original processing purpose
- Consent Withdrawal: You withdraw consent for consent-based processing
- Unlawful Processing: Data has been processed contrary to legal requirements
- Legal Obligation: Erasure required to comply with applicable law
Limitations: We may retain data where required for legal obligations, legitimate interests, or professional liability requirements as described in Clause 6.
10.4 Right to Restrict Processing (Article 18 GDPR)
You can request limited processing in specific circumstances:
- Accuracy Disputes: While we verify data accuracy following your challenge
- Unlawful Processing: As an alternative to erasure when processing is unlawful
- Retention Needs: When you need data for legal claims but we no longer require it
- Objection Pending: While we assess legitimate grounds following your objection
Restriction Implementation: Data is marked for restricted use, with automated controls preventing unauthorized processing.
10.5 Right to Data Portability (Article 20 GDPR)
For data processed based on consent or contract performance, you can:
- Structured Export: Receive data in a machine-readable format (JSON, CSV, XML)
- Direct Transfer: Request direct transmission to another service provider (where technically feasible)
- Scope Limitation: Applies only to data you provided directly, not derived or inferred data
Technical Process: We provide data exports within 30 days, with technical assistance for transfers to compatible systems.
10.6 Right to Object (Article 21 GDPR)
You can object to processing based on legitimate interests:
General Objection: Object to any processing for legitimate interests, requiring us to demonstrate compelling grounds to continue processing.
Marketing Objection: Absolute right to stop direct marketing communications, implemented immediately upon request.
Profiling Objection: Object to automated decision-making affecting you (currently not applicable to our services).
10.7 Rights Exercise and Response
Multiple Channels Available:
- Email: info@mpladvisors.com
- Mail: Data Protection Officer, MPL Legal Tech Advisors, Burgemeester Elmersstraat 98, 1655 KK Sijbekarspel, Netherlands
- Website: Contact form at https://www.mpladvisors.com/contact
Response Commitments:
- Acknowledgment within 3 business days
- Full response within 30 days (extendable to 60 days for complex requests)
- No charges for reasonable requests (fees may apply for excessive requests)
- Clear explanation if requests are declined
11. Policy Updates
11.1 Update Procedures and Notification
We may revise this Privacy Policy to reflect:
- Changes in our data processing practices or services
- Updates to applicable laws and regulations
- Implementation of new technologies or security measures
- Feedback from clients and regulatory guidance
Notification Methods:
- Website Notice: Prominent banner for 30 days before material changes take effect
- Email Notification: Direct communication to registered clients and newsletter subscribers
- Version Control: Detailed change log available upon request
- Archive Access: Previous policy versions maintained for reference
11.2 Material Changes Requiring Consent
For significant changes that expand processing purposes or introduce new legal bases, we will:
- Provide detailed explanation of changes and their impact
- Seek fresh consent where required by law
- Offer opt-out options for new processing activities
- Maintain existing protections for data processed under previous policy versions
You can always access the current policy version at https://www.mpladvisors.com/privacy and request notification of future updates.
12. Contact Information
12.1 Privacy Inquiries and Rights Requests
Primary Contact:
MPL Legal Tech Advisors
Rustoordlaan 40
7211 EZ Eefde, Netherlands
Email: info@mpladvisors.com
Phone: +31642662029
Data Protection Officer: rok@mpladvisors.com
Response Commitments:
- Privacy inquiries: Within 48 hours
- Rights requests: Within 30 days
- Urgent security matters: Within 24 hours
- Complex requests: Up to 60 days with regular updates
12.2 Supervisory Authority
If you believe we have not addressed your privacy concerns adequately, you may lodge a complaint with:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374
2509 AJ Den Haag, Netherlands
Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500
You may also contact the supervisory authority in your EU country of residence.