thnx Detailed Privacy Policy

Last Updated: June 2025

Controller Details

The Data Controller is thnx BV

We are the company responsible for handling your personal information.

Address: Gronausestraat 9, 7533 BV, Enschede, Holland

• Registration Number: 74191543

• Email: [email protected]

• Phone: +31-53-4322411

If other companies within the Thnx group process your data, their roles (controller or processor) and contact details are available upon request by contacting [email protected].

Data Protection Officer

Our Data Protection Officer ensures your information is protected and handled correctly:

• Email: [email protected]

• Phone: +31-53-4322411 

The thnx privacy policy is transparent, concise and periodically updated when required to reflect new regulatory requirements. From time to time, we may develop new or offer additional services. They’ll also be subject to this Policy, unless stated otherwise when we introduce them.

Who will use my data?

• Thnx Limited: We are the company managing your information

What do we use it for?

• Registering your tags in our system

• Helping recover your lost items

• Providing security alerts about your tagged items

• Improving our services based on how they're used

What happens when you contact thnx

• We save your contact details

• We keep a record of our conversation

• We use this information to resolve your query

• We might use it to train our team to provide better service

• We'll only use your details for marketing if you specifically agree

What data is stored?

• Your name, email, phone number, social media username.

• Your tag information and registered item

• Your purchase history

• Records of how you use our service

• Tag location data when your tags are scanned.

We only collect and store the minimum amount of data required for the purposes described in this policy.

What data is shared?

• With recovery services: Minimum details needed to return your items

• With payment providers: Only transaction details, never your full payment information

• We do not sell personal information for monetary consideration

• We do not share personal information for cross-context behavioral advertising

Data Usage and Retention

We use your data for the purposes described in the 'What Do We Use It For?' section. We retain your data only as long as necessary to fulfill those purposes, or as required by law.

Following retention periods are selected based on the time to fulfill the purpose and legal necessity details of retention periods for each type of data are available upon request to [email protected]:

• Active accounts: While you're using our service plus 6 months

• Payment information: 7 years

• Marketing Information: Until you change your preferences

Who can access my data?

• Our customer service team: To help with your queries

• Our technical team: To maintain and improve services

• Everyone who accesses your data is specially trained and monitored with 2FA

How is data kept secure?

• Strong encryption: similar to banks/financial services

• Secure servers: Protected by multiple security layers

• Regular security testing: We check our systems frequently

• Strict access controls: Only authorised staff can see your data

• Continuous monitoring: We watch for any suspicious activity

Information You Provide Directly to Us

During Account Registration:

• Name, email address, postal address, phone number

• Password and security preferences

• Age verification confirmation (18+ declaration)

• Marketing communication preferences

When You Register Tags:

• Item descriptions and categories

• Item photographs (optional)

• Custom item names or identifiers

Through Customer Service Interactions:

• Support messages, emails, and chat communications

• Phone call recordings (with prior notice)

• Feedback surveys and reviews

• Complaint details and resolution requests

During Payment Processing:

• Billing address and payment method details

• Transaction preferences and saved payment options

• Purchase history and order confirmations

Information We Collect Automatically

From Your Device and App Usage:

• Device type, operating system, and app version

• IP address and general location (city/country level)

• App navigation patterns and feature usage statistics

• Crash reports and error logs for technical improvement

• Login times and session duration

From Tag Scanning Activity:

• GPS coordinates when tags are scanned (only with permission)

• Time and date of each scan

• Scanning device location (if sharing enabled)

Through Website and Digital Interactions:

• Browser type, language settings, and referring websites

• Pages visited and time spent on each section

• Click patterns and feature engagement metrics

• Cookie and tracking technology data (with consent)

Information We Receive from Third Parties

From Payment Service Providers:

• Transaction verification and fraud prevention data

• Payment method validation information

• Chargeback and dispute notifications

• Financial institution communication (for payment issues only)

From Marketing and Analytics Partners:

• Website traffic sources and referral information

• Advertising campaign performance data

• Email delivery and engagement statistics

• Market research and customer satisfaction surveys

Information from Public Sources (Limited Use)

Publicly Available Business Information:

• Company registration details (for business accounts)

• Public social media profiles (for verification purposes)

• News articles or press mentions (for high-value item authentication)

• Public records (only when required for legal compliance)

Third-Party Data Sharing Permissions

We only collect third-party information when:

• You explicitly authorize the connections

• It's necessary for service delivery (payment processing)

• Required by law (fraud prevention, legal compliance)

Your Control:

• Opt out of marketing data sharing via preference center

• Limit location sharing for tag scans in privacy settings

• Request details about specific third-party sources via [email protected]

Data Combination and Profiling

We may combine information from different sources to:

• Verify your identity and prevent fraud

• Improve item recovery success rates

• Personalize your service experience

• Enhance security and platform safety

Automated Processing: We may use automated systems to detect unusual account activity, optimize recovery routes, and prevent spam. You have the right to request human review of any automated decisions affecting your account.  

You have the following rights and can:

• Ask for a copy of all information we hold about you

• Receive this information within 30 days

• Get this information in a format you can easily read

• Get this service for free (unless you make excessive requests)

• Opt-out of data sales or sharing for advertising purposes

• Limit use of sensitive personal information to necessary purposes only

• Enjoy non-discrimination for exercising privacy rights 

We process your personal data based on one or more lawful bases under applicable data protection laws, including:

• Contract: When necessary to fulfill our agreement with you.

• Legal Obligation: When required by law.

• Legitimate Interests: For our legitimate interests, such as improving services and preventing fraud (see more below).

• Consent: When you give us explicit permission

Details about our Legitimate Interests assessments are available upon request to [email protected]

If you are unsure what lawful basis is in place for each one of our data activities please reach out to [email protected] and we will provide you with a specific response.

What we send:

• New feature announcements

• Special offers

• Partner promotions

• Service updates

How you control it

• By explicitly consenting during the membership sign up

• Easy unsubscribe in every email

• Preference center in your online thnx account

• Customer service can update your choices

• You can also delete and edit personal data directly from the thnx App

The minimum age limit for a thnx membership is 18 years. We do not knowingly collect or use personal data from individuals. If you’re under the Age Limit, do not use memberships, and do not provide any personal data to us.

To ensure compliance with our 18+ age requirement, we employ Self-Declaration during registration where users must confirm they are 18 years or older by checking a mandatory confirmation box

If we discover or suspect that a user is under 18 years of age, the account will be immediately suspended pending verification and we will request proof of age within 14 days. If the user cannot provide satisfactory proof that they are 18 or older, the account will be permanently terminated

Enhanced Privacy Settings

• Privacy settings defaulted to maximum

• Extra verification for changes

• Restricted sharing options

• Limited social features

Parental Controls

• Parent/guardian account access

• Activity monitoring tools

• Control over sharing settings

• Approval required for changes 

Essential Cookies

These cookies are necessary for the website to work:

• Session Cookies

• Keep you logged in

• Remember your language choice

• Maintain security features

• Last for one browser session

Security Cookies

• Protect against fraud

• Verify your identity

• Prevent unauthorized access

• Monitor for suspicious activity

Optional Cookies

You can choose whether to allow these:

Analytics Cookies

• Track which pages you visit

• How long you spend on each page

• Which features you use most

• Your journey through our site

Preference Cookies

• Remember your settings

• Keep your favorites

• Save your choices

• Customize your experience

Marketing Cookies

• Show relevant offers

• Remember your interests

• Measure ad effectiveness

• Control ad frequency

Cookie Controls

You can manage cookies through:

Our cookie banner

• First visit choices

• Preference center access

• Easy opt-out options

• Remember your choices

Browser settings

• Block all cookies

• Allow selected types

• Clear cookie history

• Set cookie preferences

Active Accounts

We keep your data while your account is active:

Core Account Data

• Account details: While active + 6 months

• Why: To maintain your service

• What's included: Profile, preferences, settings

• How to extend/reduce: Account settings

Transaction Records

• Payment info: 7 years

• Why: Legal requirement

• What's included: Purchases, refunds, claims

• Location: Secure financial database

Communication History

• Support messages: 2 years

• Why: Service improvement

• What's included: Emails, chat logs, calls

• Access: Internal support team only

Closed Accounts

After you close your account:

Immediate Actions

• Account deactivation

• Login access removed

• Marketing stops

• App access ends

30-Day Period

• Reactivation possible

• Download options available

• Final deletion warning

Long-term Storage

• Legal records: 7 years

• Financial data: 7 years

• Everything else: Deleted 

Technical Security

We protect your data with:

Encryption

• All data in transit

• Stored information

• Payment details

• Personal identifiers

Access Controls

• Multi-factor authentication

• Role-based access

• Regular permission reviews

• Activity logging

System Security

• Firewalls

• Intrusion detection

• Virus protection

• Regular updates

Physical Security

We protect our equipment and offices with:

Building Security

• 24/7 monitoring

• Access cards

• CCTV coverage

• Security personnel

Server Protection

• Secure data centers

• Environmental controls

• Backup power

• Fire protection

Staff Security

We ensure our team protects your data:

• Training Programs

• Regular updates

• Security awareness

• Privacy requirements

• Incident response

Access Management

• Strict need-to-know basis

• Regular reviews

• Access logging

• Immediate removal when staff leave

Because of the global nature of our business, thnx transfers personal data internationally with thnx group companies, subcontractors and partners when carrying out the activities described in this Policy.

The thnx group transfers data and works hard to minimize any risks to your personal data. You can reach out to [email protected] where they have a detailed plan, for our data protection specialist to walk you through our internal compliance.

Transfer Locations

We send data to:

EEA Countries

• Regular business operations

• Main data centers

• Partner services

• Customer support

Adequate Countries

• Approved by EU/UK

• Equal protection levels

• Regular assessment

• Documented compliance

Protection Measures

We protect international transfers with:

Legal Safeguards

• Standard Contractual Clauses

• Data Protection Agreements

• Regular audits

• Compliance monitoring

Technical Measures

• End-to-end encryption

• Secure transfer protocols

• Access controls

• Transfer logging

Our Legal Duties

As your data controller, we must:

Maintain Accurate Records

• Keep your information up to date

• Correct errors promptly

• Regular data quality checks

• Documentation of all changes

Report Data Breaches

• Within 72 hours to authorities

• Notify affected users promptly

• Explain what happened

• Detail our response measures

Conduct Impact Assessments

• Before new processing activities

• When changing how we use data

• For high-risk operations

• Regular review of existing processes 

Staff Requirements

We ensure our team:

Completes Regular Training

• Privacy law basics

• Security procedures

• Breach response

• Customer data handling

Follow Security Protocols

• Password policies and 2FA

• Clean desk rules

• Screen locking

Secure communication

Everyone Signs Agreements

• Confidentiality contracts

• Data protection policies

• Acceptable use guidelines

• Security commitments

Review Processes

We keep this policy current by:

Regular Reviews

• Every 6 months minimum

• After major service changes

• When laws change

• Following security updates

Update Notifications

• Email alerts for significant changes

• App notifications

• Website announcements

• 30 days notice when possible

What We Update

We regularly review and update

Security Measures

• New protection methods

• Enhanced encryption

• Better access controls

• Improved monitoring

Processing Activities

• New data uses

• Changed procedures

• Partner relationships

• Service improvements

Legal Requirements

• New regulations

• Court decisions

• Official guidance

• Industry standards

Material changes to data sharing practices will include 30 days advance notice

How We Decide

We carefully assess our legitimate interests by:

Purpose Test

• Is there a real need?

• Do we have a clear goal?

• Are there benefits?

• Who gains from this?

Necessity Test

• Is this the least intrusive way?

• Can we achieve this another way?

• Are we using minimum data?

• How long do we need it?

Balancing Test

• What's the impact on you?

• Would you expect this use?

• How does it affect privacy?

• Are there safeguards?

Current Legitimate Interests

Service Improvement

• Analyzing usage patterns

• Identifying problems

• Developing new features

• Enhancing security

Fraud Prevention

• Monitoring for unusual activity

• Preventing misuse

• Protecting users

• Securing systems

Business Development

• Market research

• Product planning

• Partner relationships

• Service expansion

How to Reach Us

General Questions

• Email: [email protected]

• Phone: +31-53-4322411

Urgent Matters

• Security incidents: [email protected]

• Data breaches: [email protected]

• Press enquiries: [email protected]

• Legal notices: [email protected]

• Privacy rights requests (including opt-out requests): [email protected]

Making a Complaint

1. First Step: Internal Resolution

• Contact our DPO

• Explain your concern

• Provide relevant details

• Allow 14 days for response

2. What We'll Do

• Acknowledge within 24 hours

• Investigate thoroughly

• Keep you updated

• Provide written response

3. If You're Not Satisfied

• Request escalation

• Meet with senior staff

• Get detailed explanation

• Discuss alternatives

If you're still not happy, you can complain to: 

• UK Residents

• Information Commissioner's Office (ICO)

• Website: www.ico.org.uk

• Phone: 0303 123 1113

• Address: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF

• EU Residents

• Your national Data Protection Authority

Response Times

 We aim to:

• Acknowledge complaints within 24 hours

• Provide initial response within 72 hours

• Resolve issues within 14 days

• Keep you informed throughout

Declaration of Compliance

 This policy complies with:

Legal Frameworks

• UK GDPR

• EU GDPR

• Data Protection Act 2018

• E-Privacy Regulations

• Consumer Rights Act

Industry Standards

• ISO 27001 Information Security

• Payment Card Industry (PCI) Standards

• Electronic Commerce Regulations

Regular Verification

We maintain compliance through:

• External audits

• Internal reviews

• Staff training

• Policy updates

• Security testing

California-Specific Consumer Rights

This section provides additional information for California residents regarding their rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Sale or Sharing of Personal Information:

While we are still determining the future plans and whether or not the 'sale' or 'sharing' of personal information under California law could occur, that is something we want to address at the core. We are actively monitoring the situation so we can provide you with as much guidance and transparency as possible. Sale can include sharing data for valuable consideration, while 'sharing' refers to using data for cross-context behavioral advertising. Whilst this assessment is ongoing, for any additional details please contact us at [email protected], details can be discussed with one of our legal representatives if required.

Global Privacy Control (GPC):

We automatically honor Global Privacy Control (GPC) browser signals as opt-out requests for data sales or sharing.

Authorized Agents:

To use an authorized agent, a) the resident must provide the authorized agent with signed written permission to make such requests, b) the resident must verify their own identity directly with us, and c) the authorized agent must provide us with proof of their authorization. California residents can contact [email protected] for a sample authorization form and further details.

Additional Complaints:

For complaints about our privacy practices, California residents may contact the California Privacy Protection Agency at cppa.ca.gov or (916) 738-5600.

All Other Rights:

All other privacy rights described in this policy apply equally to California residents.

Updates and Changes

This is a living document that we regularly review and update. Last updated: June 2025.

Remember, thnx is here to help if you have any questions about how we handle your personal information.