Legal

Privacy statement

How Niyrah processes personal data: which data, why, who it is shared with, how long it is kept and which rights you have.

Last updated: 19 July 2026

01Who is responsible?

Niyrah is a trade name of Younes El Kouy. Younes El Kouy is the controller for the personal data processed through niyrah.be, e-mail, phone and Niyrah’s services.

02Who does this statement apply to?

This statement applies to website visitors, contact persons at prospects and clients, suppliers, partners and other business contacts. The website and services are primarily aimed at professional clients and not specifically at minors.

03Which personal data do we process?

Depending on your interaction, we may process:

  • Identification and contact data: name, e-mail address, phone number and role.
  • Business data: company name, website, company details and billing details.
  • Request and project data: selected services, budget indication, desired timing, message content, quotes, contracts, project communication, feedback and delivery information.
  • Form metadata: source page, page path, language/locale, user agent, timestamp, privacy confirmation and a hashed IP value for security and abuse prevention. We do not store a raw IP address in the lead table through the form.
  • Operational follow-up data: the status of a request, internal notes and communication history.
  • Cookie preference: a minimal, versioned choice showing whether optional analytics was accepted or rejected. This preference contains no name, e-mail address, phone number, lead ID or other form content.
  • Technical and analytical data: only after analytics consent, Vercel Web Analytics may process, among other things, timestamp, visited URL and route, referrer, filtered query parameters, coarse geolocation, device type, browser and operating system. According to Vercel this data is processed anonymously and used for aggregated statistics. In addition — likewise only after analytics consent — Google Analytics 4 may process website and usage statistics (page views and a limited set of functional events with only fixed, predefined values), with first-party cookies (_ga, _ga_*) and with all advertising signals permanently disabled (Consent Mode v2). Niyrah sends no names, e-mail addresses, phone numbers, free-form form content, lead IDs or internal lead statuses to Vercel Web Analytics or Google Analytics.
  • Data needed for accounting, payment, legal obligations, dispute management and security.

Please do not send special categories of personal data, medical data, national register numbers, passwords or other sensitive information through the contact form, unless this has been explicitly and securely agreed with Niyrah.

04Why and on which legal basis do we process data?

We process personal data for the following purposes:

  • Answering, qualifying and following up questions and requests: legitimate interest in conducting business communication and, where applicable, taking steps prior to a contract.
  • Preparing quotes, performing contracts, delivering projects and providing support: necessary for the performance of a contract or pre-contractual steps.
  • Invoicing, accounting, tax administration and compliance with legal obligations: legal obligation.
  • Security, abuse prevention, rate limiting, logging and continuity: legitimate interest in protecting systems and services.
  • Remembering your cookie preference: necessary to keep the privacy choice you requested for a limited period.
  • Improving the website through Vercel Web Analytics and Google Analytics 4: your consent. Both analytics services are only loaded after you have explicitly accepted analytics. You can withdraw this consent at any time via “Cookie preferences” in the footer. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
  • Marketing or newsletters: only where a valid legal basis exists, usually consent or an existing client relationship within the legal limits. The current contact forms do not automatically subscribe you to marketing.

Where processing relies on legitimate interest, you can object. We then assess your interests, rights and the necessity of the processing.

05Which data is required?

Fields marked as required are needed to handle your request. Without a name and contact details, a full request may not be actionable. The compact form on the homepage can be submitted without a name; internally such a request is technically stored as “Lead zonder naam” (lead without a name), while the e-mail address remains the real follow-up identity.

The required privacy confirmation on the extended form records that you were able to read the privacy statement. This confirmation is not consent for marketing or analytics and does not replace the legal bases on which Niyrah processes your request.

06Who do we share data with?

We do not sell personal data. We use carefully selected service providers that process data only for the agreed services:

  • Vercel: hosting, deployment, technical logs and, only after analytics consent, Vercel Web Analytics.
  • Google (Google Ireland Limited / Google LLC): only after analytics consent, Google Analytics 4 — with permanently disabled advertising signals and no Google Ads link. Transfers to the United States rely, where required, on the EU-US Data Privacy Framework and/or EU standard contractual clauses.
  • Supabase: secure storage of requests and operational follow-up data.
  • Resend: sending and technical delivery of transactional form notifications.
  • Google Workspace: receiving, storing and handling business e-mail and documents.
  • Upstash: temporary rate-limit data to limit spam and abuse; keys are hashed and expire automatically according to the configured limits.
  • Professional advisers, accountants, insurers, subcontractors or public authorities where necessary or legally required.

Data processing agreements are concluded with processors where appropriate. Providers may engage sub-processors under their own contractual safeguards.

07International transfers

Some providers or sub-processors may process personal data outside the European Economic Area, including in the United States. Where required, such transfers rely on an adequacy decision, the EU standard contractual clauses or other legally recognised safeguards. Niyrah assesses providers and enables appropriate region, security and contract settings where available.

08How long do we keep data?

We do not keep data longer than necessary:

  • Non-converted requests and prospect communication: in principle no longer than 24 months after the last meaningful contact, unless longer retention is needed for concrete follow-up or a legal claim.
  • Client, contract and project data: for the duration of the collaboration and afterwards for as long as reasonably needed for warranty, liability, evidence and legal obligations; certain data may be kept for up to 10 years.
  • Invoices and accounting records: for the legally required retention period.
  • Rate-limit data in Upstash: normally no longer than 10 minutes for the IP limit and 1 hour for the e-mail limit.
  • Cookie preference: 6 months at most, unless you delete the cookie earlier, withdraw your choice or a changed consent version requires a new choice.
  • Vercel Web Analytics: according to Vercel, the temporary visitor session is discarded after 24 hours; aggregated statistics remain available according to the chosen Vercel settings and account plan.
  • Transactional e-mail and delivery logs: for as long as needed for delivery, security, troubleshooting and business follow-up, taking into account the settings and retention periods of Resend and Google Workspace.

Data may be kept longer where needed for a dispute, legal obligation, fraud investigation or security incident.

09Cookies, consent and similar technologies

Niyrah uses a consent interface to ask for your choice about optional analytics. Vercel Web Analytics and Google Analytics 4 are not loaded as long as no valid consent exists or when analytics has been rejected. On withdrawal, future analytics events are blocked immediately, the first-party Google Analytics cookies are removed on a best-effort basis and the page reloads.

You can accept analytics, reject it or set your preferences. Rejecting has no effect on access to the website, the contact form or the compact homepage intake. You can adjust or withdraw your choice at any time via “Cookie preferences” in the footer.

Niyrah uses one strictly necessary first-party cookie to remember your choice and the applicable consent version for 6 months at most. This cookie contains no personal data, visitor ID or form content and is not used for tracking.

Supabase, Resend and Upstash are used server-side and are not an optional analytics category. Their operation is not switched on or off by your cookie preference. The full information is available in the separate Cookie statement.

10Security

We take appropriate technical and organisational measures, including restricted access rights, server-side handling of secret keys, encrypted connections, rate limiting, database security, logging and vetted providers. No system is entirely without risk. In the event of a relevant security incident we act in accordance with the applicable notification and information obligations.

11Automated decision-making

Niyrah does not make decisions with legal effects through the website that are based solely on automated processing or profiling. Form data may be used to practically prioritise or manually qualify a request.

12Your rights

To the extent the legal conditions are met, you have the right to:

  • access your personal data;
  • rectification of inaccurate data;
  • erasure of data;
  • restriction of processing;
  • portability;
  • object to processing based on legitimate interest;
  • withdraw consent, without affecting earlier lawful processing;
  • lodge a complaint with the Belgian Data Protection Authority.

Send a request to privacy@niyrah.be. We may ask for reasonable information to verify your identity. We respond within the legal time limit.

13Changes

This statement may be updated when the services, providers, purposes, cookies or legislation change. The date at the top shows the most recent version. Important changes are clearly communicated where appropriate.