Privacy notice.
1. Controller
J. van Huuksloot Asset Management B.V. ("JvHAM", "we"), registered in the Netherlands under KvK 76675602, with registered office at Herengracht 433, 1017 BR Amsterdam, is the controller of personal data processed via jvham.com. Contact: [email protected].
2. What we collect — inbound enquiries
When you submit the enquiry form we collect: the legal and registration details of the merchant entity, contact details of the named representative (name, role, email, phone), details of the regulated PSP counterparty, the merchant services agreement metadata, an estimate of the amount in dispute, the heads of claim asserted, the documentary completeness of the file, and any free-text information you provide.
Server logs (IP address, user-agent, request path) are processed by our hosting provider for security and operational purposes.
3. Purpose and legal basis — inbound
- Initial fit assessment of the prospective recovery file — legitimate interest (Art. 6(1)(f) GDPR) and, where you have provided the data, performance of pre-contractual steps at your request (Art. 6(1)(b) GDPR).
- Communications with you in response to the enquiry — same basis.
- Anti-spam verification via Cloudflare Turnstile — legitimate interest in protecting the service.
- Compliance with legal obligations — where applicable.
4. Outbound prospect research
The firm operates an outbound research function in connection with the recovery of merchant claims against regulated payment service providers. The function identifies prospective merchants who appear, on public information, to hold accrued claims against a regulated counterparty, and approaches the merchant's directors or senior officers in their public regulated capacity to indicate the firm's potential interest in assessing a recovery engagement.
What we process. Company information (legal entity name, registered office, public register references, regulator filings) — not personal data under the GDPR. Where we identify named directors or senior officers in their public capacity, we record name, public role, public-source URL and the date of capture. We do not process special category data. We do not automate the capture of personal data from social platforms; director records are captured manually from legitimate sources.
Legal basis. Legitimate interest under Article 6(1)(f) GDPR. The firm's interest is in identifying and approaching merchants in connection with regulated activity in which both the merchant and the counterparty are public-facing. The data subjects are recipients in their public regulated capacity, not private capacity. A Legitimate Interest Assessment is maintained internally and is available to data subjects on written request.
Jurisdiction-specific posture. In Germany and Austria, the firm operates a narrower variant of outbound research that adheres to UWG §7 — communications are limited to recipients in publicly disclosed regulated roles, opt-out is presented in the first paragraph of every communication, and persistence following opt-out is treated as a hard violation. In Italy, the firm applies an opt-in posture in keeping with the more conservative national interpretation of B2B electronic communications.
Opt-out and erasure. Every outbound communication contains a one-click opt-out link. You may also submit an opt-out via the unsubscribe page. The unsubscribe page offers three scopes — suppression of the specific outreach in progress, suppression of all outreach from the firm, and full erasure under Article 17 GDPR. Opt-out requests are honoured immediately and recorded indefinitely as proof of compliance, separately from any other prospect data. Erasure requests submitted via the data subject requests page are processed under the formal procedure on that page.
Retention of outbound prospect records. Where outbound research does not lead to engagement, the prospect record and any associated artefacts are retained for up to twenty-four (24) months from closure of the record, and then deleted. Opt-out records are retained indefinitely as evidence of compliance with the opt-out request.
5. Recipients and processors
We use the following processors:
- Cloudflare, Inc. — hosting, CDN, anti-spam (Turnstile), email routing, and database (D1). Data may be processed in the EU and other regions where Cloudflare operates.
- Resend, Inc. — transactional email delivery.
Data may be disclosed to external counsel, supervisory authorities, courts and tribunals to the extent strictly necessary for the conduct of a recovery file, after a separate Claim Assignment and Recovery Agreement has been executed.
6. International transfers
Where personal data is transferred outside the EEA, transfers are subject to appropriate safeguards under Chapter V GDPR (Standard Contractual Clauses or equivalent).
7. Retention
Enquiry submissions assessed as not a fit are retained for up to twenty-four (24) months from receipt to permit follow-up and to maintain an audit trail. Submissions leading to executed engagement are retained for the duration of the engagement and for seven (7) years thereafter consistent with professional record-keeping obligations.
8. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, objection, and data portability in respect of your personal data, subject to applicable exceptions. You also have the right to lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens.
To exercise any of these rights, follow the formal procedure on the data subject requests page. Requests are acknowledged within seventy-two (72) hours and substantively answered within thirty (30) calendar days.
9. Cookies and tracking
jvham.com operates a category-based consent model. On first visit, a banner is presented allowing you to accept all categories, reject all non-essential categories, or set granular preferences. Your choice is stored in your browser's local storage and can be changed at any time via the control in the page footer.
The categories are:
- Strictly necessary — Cloudflare security cookies and the Turnstile anti-bot challenge. Always on; required for the site to function.
- Analytics — Cloudflare Web Analytics, a cookie-less aggregate measurement of site traffic with no fingerprinting, no profile building, and no cross-site tracking; and Google Analytics 4, which sets first-party cookies (_ga and similar) to measure how the site is used. Both are off by default and loaded only with your consent. Google Analytics data is processed by Google; see Google's privacy documentation for its processing terms.
We do not use marketing or advertising cookies. Sentry is used for error monitoring on a per-request, cookie-less basis as part of the strictly necessary category.
10. Changes
We may update this notice from time to time. Material changes will be flagged on this page.