Privacy Policy


Last update: June 30, 2020

This is our Privacy Policy. In this document we explain what kind of Personal Data we collect via our Services. We also explain what role we have in the processing of Personal Data, how long we retain them and what rights you have as a data subject.


1. Who we are

We are Wunderbricks Nederland B.V., also trading under the name CIAO (“​Wunderbricks​”). Wunderbricks is an innovative PropTech company offering a wide range of property management services (“​PM Services​”) on a flexible, secure and open platform.

In addition, we offer a workplace reservation service called “CIAO” (Check In And Out). Employees simply reserve a workplace via the CIAO app (“​App​”). Employers (our “​Clients​” and “​Controllers​” – see below) use the CIAO management console (“​Console​”) to indicate which offices, floors, zones and workplaces can be reserved. Teams and employees can easily be added.

The PM services, the App and the Console do not use any location data or distance-tracing bluetooth technology.

You can find more information about our Services on our website (the “​Website​”). The Website, the PM Services, the Console and the App will jointly be referred to as the “​Platform​”, and all

services related to the Platform will be referred to as the “​Services​”.


2. Personal Data and the Privacy Legislation

We are all about respecting your privacy and protecting your Personal Data. We process Personal Data. Personal Data means all information by which a person can be directly or indirectly identified – in line with the definitions of the General Data Protection Regulation (GDPR) and other relevant legislation on the protection of Personal Data (collectively referred to as the Privacy Regulation).


3. Our role as Processor and Controller

Wunderbricks as Processor
As for most Personal Data that is processed within the context of our Services, we act as Processor within the meaning of the Privacy Legislation. This means we process the Personal Data on behalf of our Clients and will not carry out any processing activity without specific instruction of our Clients. In this respect, we sign a Data Processing Agreement with all of our Clients, in which the instructions and our obligations are specified.

Our Clients define the purpose and the means of such processing of Personal Data, which means they act as Controller within the meaning of the Privacy Regulation.

In our role as Processor, we e.g. process the following information: login credentials, team, role and workplace reservations. This data is only used by your employer to gain insight into the number of occupied and available workplaces at your office and to allocate available workspace - and not to track any form of performance.

Wunderbricks as Controller
Apart from the processing of Personal Data on behalf of our Clients, we also collect and process some Personal Data for our own purposes. The Personal Data we process on our own behalf mainly relates to our Clients (employers) and not to their employees. Within this context we act as Controller ourselves within the meaning of the Privacy Regulation.
See chapter 4 for a further explanation of the Personal Data we process as a Controller.


4. What Personal Data do we collect as Controller?

As Controller we collect and process the following Personal Data of our Clients and the Users of our Services:

Personal Data we process of our (potential) Clients:

(Personal) Data Purpose(s) Legal basis

Contact information:

(Company) name, (e-mail) address and other contact information of the Company and the contact person (i.e. name, phone number and email address).

We use this information to contact our (potential) Client regarding the Services we (may) provide them.

We may process these Personal Data of our Clients, because we need these Personal Data to perform our contract with our Clients, i.e. to enable you to use our Services, and to enter into a contract with a potential Client.

Furthermore, we may process these Personal Data of potential Clients, because we have a legitimate interest to do so.

Payment details of our Clients:

Invoice details, bank account number, IBAN and BIC code.

We use these data to:

  • handle, check and administer payments from our Clients;

  • maintain our list of accounts receivable and outstanding invoices;

  • include in our administration on behalf of the tax authorities.

We may process these Personal Data, because we need these Personal Data to perform our contract with our Clients.

We are also obligated to share (some of) these data with the national tax authorities.


Personal Data we process through messages sent via our contact form or to one our email addresses:

(Personal) Data


Legal basis

Your name, e-mail address and other (personal) data you share with us in your message.

We use these data to contact you about your message and/or to provide you information and/or support.

We may process these Personal Data, because we have a legitimate interest in processing these data. We need these data to contact you about your message and/or to provide you support.


Personal Data we process through our social media pages:

(Personal) Data


Legal basis

Information you make public, when you leave a comment or otherwise post something on our social media pages.

We use these data to:

  • Contact you via our social media pages;
  • Process your feedback left on our social media pages.

We may process these Personal Data, because we have a legitimate interest to process these data and you voluntarily made public such information.

Our social media pages are also controlled by the social medium itself. Please check their own privacy policies, to see how each social medium handles your Personal Data:
LinkedIn: ​Privacy Policy
Facebook: ​Data Policy
Twitter: ​Privacy Policy


Personal Data we process through the use of our Services:

(Personal) Data


Legal basis

Technical information: IP-address, functional cookies and technical information (i.e. type of browser and operating system).

We use this information to:

  • analyse (the use of) our Services;

  • solve Service problems;

  • improve our Services;

  • adjust our Services to the device used;

  • flag, report and prevent misuse, fraud and threats of / regarding our Services.

We have a legitimate interest to use technical information, functional cookies and your IP-address, namely to analyse and improve our Services.


5. Cookies

In our App, we use technical cookies. These are cookies that are essential for the operation of our App. They enable you to move around our App and use our features.


6. How long do we keep the Personal Data?

Wunderbricks as Processor
We retain the Personal Data we process on behalf of our Clients for as long as the Client instructs us to do so. As a rule, we delete the retained Personal Data after 1 month. We may however retain the Personal Data for a longer period if our Client explicitly asks for this.

Wunderbricks as Controller
We retain the Personal Data we process as Controller as long as this is necessary for the purposes for which we process them. If we no longer need such Personal Data we delete them, unless we are legally obliged to store them for a longer period.


7. Do we share your Personal Data with others?

Wunderbricks as Processor
We may use Sub-Processors to assist us in our Services. Within this context these Sub-Processors receive Personal Data from us which they process by our order, in accordance with the instructions from the Client, our Controller.
We use, for instance, Sub-Processors for the identification of users when logging in. We enter into a Sub-Data Processing Agreement with all our Sub-Processors. Our use of Sub-Processors is in accordance with the Privacy Regulation.

Wunderbricks as Controller
We may also use (Sub-)Processors to assist us in our Services provided as Controller. We enter into a Data Processing Agreement with all our Processors. Our use of (Sub-)Processors is in accordance with the Privacy Regulation.
In addition, we may share some of the Personal Data processed as Controller with other controllers. For example, we share our financial administration with the tax authorities, because we are legally obliged to do so.

Apart from the above, we will not share your Personal Data with third parties, unless we are legally obliged to do so.


8. Export of Personal Data outside the European Union

We may transmit Personal Data to parties outside the European Union, if one of our (Sub-)Processors is established outside the European Union. The Personal Data will only be transferred to countries and/or parties that provide an adequate level of protection in accordance with the European standards.

The transmission of data outside the European Union will always happen in conformity with the Privacy Legislation (chapter 5 of the GDPR).


9. Data security

We protect all Personal Data we process from unauthorized and unlawful access, change, disclosure, use and destruction. For instance, we take the following technical and organizational measures to protect the Personal Data:

  • we encrypt many of our services using SSL;

  • we review our information collection, storage and processing practices, from time to time to guard our systems against unauthorized access;

  • we restrict access to Personal Data to our employees and all other parties we work with, who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations;

  • we limit access to the Personal Data for authorized employees on a need-to-know basis;

  • password protection of computers, laptops and other devices;

  • locking of premises and areas where (devices containing) Personal Data are located;

  • annual internal security audits.


10. Links to other websites

You can find (hyper) links on our Website or in our App which link to the websites of partners, providers, advertisers, sponsors, licensors or any other third parties. We have no control of the content or the links which appear on said websites and we are not responsible for the practices of websites linked to. Furthermore, these websites, including their content and links, may constantly change. These websites may have their own privacy policies, user conditions and customer policies. Browsing and interaction on any other website, including websites linked to, are subject to the terms and conditions of such website.


11. Changes of the Privacy Policy

The Privacy Policy may be changed from time to time. Please check our Privacy Policy frequently and take note of any changes. The new Privacy Policy will be effective immediately upon posting on our Website. If we change our Privacy Policy significantly, then we will state so on our Website together with the revised Privacy Policy.


12. Your rights and our contact data

As laid down in the Privacy Legislation, you have the right to:

  • ask the Controller to rectify or update your Personal Data;

  • ask the Controller to remove your Personal Data from its systems;

  • ask the Controller for a copy of the Personal Data processed of you. Such copy may also be transferred to another data controller at your request;

  • withdraw your consent to process your Personal Data. This only affects the processing activities that are based on your consent and does not affect the validity of such processing activities before you have withdrawn your consent;

  • object to the processing of your Personal Data;

  • file a complaint with the Dutch Data Protection Authority, if you believe that your Personal Data is processed unlawfully.

As for the Personal Data we process as Processor, your first contact point for the actions above will be your employer (our Client), acting as Controller. If needed, we will assist your employer in executing the rights stated above. If you approach us with one of the mentioned requests directly, we will forward such request to your employer.


Wunderbricks Nederland B.V.

Anthony Fokkerweg 1
1059 CM Amsterdam
The Netherlands
T: +31 85 0653689

Or use the contact form on our Website.