Privacy

How we handle your data.

This page sets out how TIF Synergy collects, uses, retains and protects the personal data submitted through this website and our enquiry channels. It is written under the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and the Dutch Implementation Act (Uitvoeringswet AVG, UAVG).

Last updated: 15 July 2026.

Data controller

Who is responsible for your data.

The data controller for personal data submitted through this website is Blauw Belastingen B.V., a private company incorporated in the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 58905375, VAT number NL853231886B01, with registered office at Oudezijds Achterburgwal 173, 1012 DJ Amsterdam, the Netherlands. Blauw Belastingen B.V. trades as TIF Synergy. TIF Synergy operates in the Netherlands and in Ireland (through TIF Synergy Ireland Limited) and principally within the European Union, the United Kingdom and the United States. Where TIF Synergy operates through more than one legal entity, Blauw Belastingen B.V. is the controller responsible for personal data submitted through this website; references to "TIF Synergy" or "the firm" in this notice are references to that entity. TIF Synergy's principals are tax advisers registered with the Nederlandse Orde van Belastingadviseurs (NOB), the Dutch professional body for tax advisers.

For any matter relating to your personal data (including questions, data-subject rights requests, or complaints), write to info@tifsynergy.com. We treat data-protection enquiries with priority and aim to respond within two working days.

Quick reference

  • Controller
    Blauw Belastingen B.V. (trading as TIF Synergy), KvK 58905375, VAT NL853231886B01, Oudezijds Achterburgwal 173, 1012 DJ Amsterdam
  • Contact
    info@tifsynergy.com
  • Lawful basis
    GDPR Article 6(1)(f): legitimate interest in responding to inbound enquiries. GDPR Article 6(1)(a): consent, for TIF Weekly and product updates via the launch form
  • Retention
    24 months for non-converted enquiries; launch-registration data until launch, unsubscribe or deletion request; newsletter data until unsubscribe
What we collect

The data we receive, and only that.

When you complete the contact form on this site, the following personal data is collected and stored:

  • Information you provide

    Your name, email address, the organisation you represent (optional), the topic of your enquiry, and the free-text message you send. We capture only what you choose to type into the form.

  • Technical metadata

    Your IP address, browser user-agent string, and the HTTP Origin / Referer headers attached to your request. These are used to detect spam, abuse and automated submissions; they are not used for marketing or profiling.

  • Submission timestamp

    The date and time at which the form was submitted, used to triage enquiries and to apply rate limits that protect the form from abuse.

  • Launch-registration data

    If you register your interest through the launch-registration form on our launch page, we collect your name, email address and, if you choose to provide it, a phone number. We use these details to notify you when the Suite goes live and, where a phone number is given, to arrange a call, on the basis of our legitimate interest in responding to the interest you have registered (GDPR Article 6(1)(f)). If you opt in via the marketing consent box on the form, we also use your email address to send you TIF Weekly, our weekly digest of tax law and policy developments, and occasional product updates about the Suite. That marketing is carried out only on the basis of your consent (GDPR Article 6(1)(a)), which you can withdraw at any time without affecting the lawfulness of processing before withdrawal. We retain launch-registration data until the Suite launches or until you unsubscribe or ask us to delete it, whichever comes first, and newsletter subscription data until you unsubscribe. We do not use your details for any other purpose and do not share them with third parties.

We run privacy-first, cookieless analytics on this site using Microsoft Azure Application Insights, configured so that it sets no cookies and reads nothing from your device (see "Website analytics" below). We do not run advertising trackers, social-media pixels, or third-party tag managers, and we do not use analytics data to profile you or to track you across other sites. We do not set cookies on the marketing pages. The only cookies set anywhere on the site are functional session cookies inside the Suite portal at /suite, which exist only when you are signed in and are required for the Suite to function.

Website analytics

How we measure use of this site.

We use Microsoft Azure Application Insights to understand how this website is used, so that we can improve it. The analytics are cookieless: the tool sets no cookies, writes nothing to your browser or device storage, and reads nothing back from it. It is first-party analytics running in our own Microsoft Azure tenant in the West Europe region; we do not share the data with any advertising network and we do not use it to profile you or to track you across other websites.

The analytics collect aggregated, non-identifying usage data such as the pages visited, referring page, approximate load performance, and general browser and device type. Your IP address is processed transiently by Azure to derive an approximate (country or city-level) location and to guard against abuse, and is then masked so that the full IP address is not stored. We do not attempt to identify individual visitors from this data.

We process this analytics data on the basis of our legitimate interest under GDPR Article 6(1)(f) in understanding and improving how our site performs. We have weighed that interest against your interests and rights and consider the impact minimal: the analytics are cookieless, IP-masked, not used for profiling or cross-site tracking, confined to our own tenant, and limited to aggregate measurement. Because the analytics set nothing on and read nothing from your device, they do not require your consent under Article 11.7a of the Dutch Telecommunications Act (the cookie rule); we still give you the information here and the right to object below.

Analytics telemetry is retained for 90 days and is then deleted automatically. You have the right to object to this processing at any time under Article 21 GDPR; write to info@tifsynergy.com and we will stop processing your data for analytics.

Why we hold it

Lawful basis and purposes.

We process the personal data you submit on the basis of our legitimate interest under GDPR Article 6(1)(f) in responding to an enquiry that you have initiated. We do not require your consent to do this because you have made the enquiry yourself; processing the contents of that enquiry is what allows us to reply.

We use the data submitted through the contact form only to:

We do not use contact-form enquiry data for marketing, profiling, automated decision-making or to train AI models. Launch-registration data is used for marketing only where you have given consent on the launch form, as described above. We do not sell or share your data with third parties for their own use.

Retention

How long we keep it.

Personal data collected through the contact form is retained for 24 months from the date of submission, after which it is deleted from our active systems and from any backups within the standard backup-rotation period. This period reflects the typical B2B sales-cycle length for professional-services engagements (where follow-ups commonly recur at the next budget cycle) and gives effect to the storage-limitation principle in Article 5(1)(e) GDPR.

Exception: if your enquiry becomes a client engagement, your data is then held under the terms of that engagement (typically a signed engagement letter). The seven-year retention obligation for administrative records under article 52, paragraph 4, of the Dutch General State Taxes Act (Algemene wet inzake rijksbelastingen) constitutes a legal retention obligation within the meaning of Article 17(3)(b) GDPR and therefore overrides the 24-month default for any record falling within its scope.

You can ask us to delete your data sooner. See "Your rights" below.

Who has access

Where your data is processed.

Enquiry submissions are stored in the European Union (Microsoft Azure, West Europe region) and are accessible only to authorised personnel under role-based access controls. We do not transfer enquiry data outside the EU/EEA in the ordinary course of business.

We use the following processors (sub-processors), each governed by appropriate data-processing terms:

Where a processor is located outside the EU/EEA, the transfer is covered by the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, together with, where applicable, supplementary technical and organisational measures consistent with the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18, 16 July 2020).

Client-tenant deployments. Where TIF Synergy delivers a system that is deployed into the client's own Microsoft Azure tenant, the personal data processed by that system resides in the client's tenant, not in TIF Synergy's. In those engagements, the client is the controller (and where applicable the processor) for the data the system processes; TIF Synergy acts as the implementer and, after handover, only as an advisor on request. The engagement letter sets out the allocation of controller / processor responsibilities for the duration of the work.

Your rights

Your rights under GDPR.

As a data subject under the GDPR, you have the following rights regarding personal data we hold about you:

To exercise any of these rights, write to info@tifsynergy.com. We will respond within one month, as required by Article 12(3) GDPR; the period may be extended by a further two months for complex requests, in which case we will tell you within the first month and explain why.

Security

How your data is protected.

Personal data submitted through the contact form is transmitted over HTTPS (TLS 1.2 or higher), stored encrypted at rest in Microsoft Azure, and accessible only to authorised personnel under role-based access controls.

Our infrastructure follows the principles set out in Article 32 GDPR: confidentiality, integrity, availability and resilience of processing systems.

Where the TIF Suite is operated by TIF Synergy as a service, it runs on Microsoft Azure in the West Europe region. Azure carries ISO/IEC 27001, SOC 1/2/3 and GDPR-aligned attestations at the infrastructure layer; the TIF Synergy application layer above it inherits those controls, with additional controls implemented at the application level: role-based access, audit-write-first contracts, BSN / PII redaction at the write boundary, and JWT-shared SSO across the Suite. TIF Synergy is not itself ISO 27001 or SOC 2 certified at the firm level; the platform certifications referenced are those of Microsoft Azure as the underlying infrastructure provider.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and, where the risk is high, will notify affected data subjects directly without undue delay (Articles 33 and 34 GDPR).

Changes to this policy

If we update the policy.

We may update this page when our processing activities change, for example if we add a new processor, change retention defaults, or alter the lawful basis for a category of processing. Any material change will be reflected in the "Last updated" date at the top of this page; substantive changes that affect previously-collected data will be communicated separately where required.

Questions?

Write to info@tifsynergy.com with any data-protection question.