Data Protection and Privacy Policy

Asset Mechanics seeks to secure your privacy in the best possible way and to handle your data confidentially. When we need to process (personal) data we take into account the current legislation. In this Data Protection and Privacy Policy we explain what information we can collect, use and store and what rights you have.

Who we are

This website is owned by Asset Mechanics, located in Amsterdam, The Netherlands. We are a risk solution and consultancy company that helps organisations to know and understand their risks to be able to make better decisions. You can find more information about us on

Personal data

The content on this website is accessible without registering as a user and without submitting any information to us.

If you have a license for our API-service you will be able to submit your data request through the API. These requests neither contain nor transmit personal data (such as a name or e-mail address), but instead contain a license key and other IDs to identify your request. This information is collected, stored and used solely for the purposes stated at the time of submission. These purposes include the calculation of the risks and reporting the results back to you. We keep the data only as long as necessary for those purposes and as specified in the client agreements or for other legitimate purposes that may apply.

Transfer of data abroad

We host our website and API-service on servers within the EU and take measures to protect your data in alignment with EU data protection laws such as GDPR and our own data protection policies.

If you are located outside the EU and use our API-service you consent to cross-border data transfers.

Although we do not place cookies ourselves, we do allow Google Analytics 4 to place analytical cookies that are stored on or retrieved from your mobile phone, tablet, or computer hard drive. This helps us to know how users interact with our services. We use this information to improve our website and API-services. We do not identify individual visitors through Google Analytics and only obtain the aggregated number of users per country or per browser platform. The latest version of Google Analytics 4 is compliant with EU data privacy legislation and anonymises IP addresses. This service uses the following cookies:

_ga, _gid and _gat (Google Analytics): collect information on how visitors use our website

For more information we refer to the privacy policy from Google Analytics.

Embedded content from other websites

Blog articles on this site may occasionally include embedded content (e.g. videos from YouTube, images, or external articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Data storage

We do not collect, store or track individual users that are browsing our website pages.

If you have a license and use our API services we collect and store your data to be able to calculate the risks and to provide you with detailed (historical) analytics and reports. We also apply logging and audit trails on all API processes to ensure proper operation of the API services.

If you use a third-party application to connect to our API services then we refer to the data protection and privacy policy of that third-party application.

Who we share your data with

The API-service works autonomously without user intervention. Occasionally our technical support specialists need to perform tasks related to the operation and maintenance of the system that require access to the data. We continuously align our processes with up-to-date best practices on operational excellence and security in the cloud. This also means we keep cloud audit trails and have confidentiality agreements in place with our technical specialists to minimise risk of undue access to data.

We do not give your data to anyone else unless (1) we need to do so in order to provide the service requested by you. For example: the application that you use to communicate with our API might be owned by a third party and therefore we would share your data with that party as well. Or in another example: you could request or allow your data to be included in aggregate sector benchmark analyses. Your data would then be part of reports that would be shared with multiple users. (2) it is in response to a request from law enforcement authorities; or (3) it is needed to detect and prevent fraud for security or technical issues. By using our API-services, you consent to our disclosing of your data to third parties for these purposes only.

How long we retain your data

Data that you provide to us through our API services will be retained for the period specified in your client contract. For example, some clients might want to retain their data for a longer period to enable advanced or historical reporting or to meet legal requirements. Other clients that do not have these requirements might want to use shorter retention periods. Data that is older than the agreed retention period will be automatically archived.

What rights you have over your data

Whenever we process your data, we take reasonable steps to ensure that your data is kept accurate and up-to-date for the purposes for which it was collected. Within the EU GDPR legislation you have the following rights regarding the personal data you have submitted to us:

  • You can request information about the collection and use of your data;
  • You can request to access, block, or erase your data, or to correct it if it is incomplete or inaccurate;
  • Where you have legitimate grounds for doing so, you can object to the processing of your data and request us not to process your data further.

These requests can be sent to Authentication and verification will be applied before granting your request.

Where we send your data

We send the requested data back to the application that you used to connect to us. Risk reports are sent to the e-mail address(es) that you provided to us.

Your contact information

We do not collect contact information from our website.

Additional information

How we protect your data

The data centers that we use are compliant with ISO 27001, ISO 27017, ISO 27018, ISO 9001, FINMA ISAE 3000, C5, SOC 1, 2 and 3 and comply with the Global Financial Services Regulatory Principles.

We continuously align our processes with up-to-date best practices with regard to operational excellence and security in the cloud. One example is that we encrypt the data at rest and in transit. We also implement cloud guidelines that are provided by umbrella organisations of our clients, such as VNG for municipalities in the Netherlands.

What data breach procedures we have in place

When there is a data breach, our cloud specialists will investigate the breach to assess the impact so that we can provide full transparency to all potentially affected clients on the risk and impact of the breach.

What third parties we receive data from

For our API-services we use datasets from different sources to be able to calculate your risks.

What automated decision making and/or profiling we do with user data

We do not engage in automated decision making or client profiling, as we do not collect user data.