Skip to main content

Privacy Policy

Last Updated: March 14, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how Stichting Transnationale Universiteit Limburg (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit our website and when you contact us about our educational courses, workshops, and learning resources. Our educational service area is Canada. Our administrative office is located in Maastricht, Netherlands.

For the purposes of the EU General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG), the data controller is:

  • Legal entity: Stichting Transnationale Universiteit Limburg
  • Registered address: Minderbroedersberg 4 B, 6211 LK Maastricht, Netherlands
  • Contact email: [email protected]
  • Telephone: +31 43 388 3500

We do not appoint a Data Protection Officer (DPO) as a matter of course. If that changes, we will update this Privacy Policy and provide the appropriate contact details.

2. Personal Data We Collect

The personal data we collect depends on how you interact with our website. We limit collection to what is relevant for educational inquiries, site security, and (if you consent) analytics and marketing measurement.

  • Identity and contact data: name, email address, and telephone number.
  • Inquiry and form content: messages you submit, program selections, timing preferences, organizational requirements, and other details you choose to include.
  • Technical data: IP address, browser type/version, device type, operating system, language settings, and approximate location inferred from IP (city/region level).
  • Usage data: pages viewed, time on page, referring page, and interaction events such as clicks or form starts.
  • Cookies and identifiers: identifiers stored in cookies or similar technologies as described in Section 4 and in our Cookie Policy.
  • Conversion events: events that indicate a request was sent or a key action occurred (for example, a completed inquiry), used for measurement when consent is given.

We do not intentionally collect special category data (such as health data, religious beliefs, political opinions), financial account details, or government identification numbers through this site. Please do not include such information in your message.

3. Why We Process Personal Data & Legal Bases (GDPR Art. 6)

We process personal data only when there is a lawful basis under GDPR. The main purposes and legal bases are:

  • Responding to inquiries and delivering requested information: to communicate about programs, cohort scheduling, formats, and educational details. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering into a contract) and, where applicable, Art. 6(1)(a) (consent).
  • Analytics and site improvement: to understand usage patterns and improve content and navigation. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Marketing measurement and remarketing: to measure campaign performance, attribute conversions, and build audiences for relevant advertising. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Security and fraud prevention: to protect the website, detect abuse, and maintain service integrity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests).
  • Legal obligations: to comply with applicable legal requirements. Legal basis: GDPR Art. 6(1)(c).

Automated decision-making: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for individuals (GDPR Art. 22).

4. Cookies & Tracking

Our site uses cookies and similar technologies. Some are essential for basic operation, while others are used only if you provide consent. Categories and examples below align with our Cookie Policy.

Essential cookies (always active)

These are required for the website to function and to remember your cookie choice. They do not require consent. Examples include _site_session and cookie_consent. Retention ranges from session-based up to 12 months, depending on the cookie.

Analytics cookies (consent required)

If you consent, we may use Google Analytics 4 (GA4) to understand how the site is used. We configure GA4 to support privacy best practices such as IP anonymization where available. Typical cookies include _ga and _ga_XXXXXXXXXX. Analytics data retention is typically set to 14 months.

Marketing cookies (consent required)

If you consent, marketing cookies help us measure advertising performance and show relevant information to people who previously interacted with our site. Typical cookies include _gcl_au (Google Ads) and _fbp/_fbc (Meta). These identifiers can be used for remarketing, conversion attribution, and building custom or lookalike audiences.

Beyond cookies, some advertising and analytics implementations may use pixel tags or server-side measurement. Where used, this remains subject to your consent choices.

5. Consent (EEA/UK)

Users in the European Economic Area (EEA) and the United Kingdom receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies are activated only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)).

Your consent choice is recorded in the cookie_consent browser cookie (typically 12 months). You can withdraw or change consent at any time by clicking “Manage cookie preferences” in the website footer or by clearing cookies in your browser settings. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We use service providers to operate the site and (when consent is given) to understand performance and measure advertising. We share personal data only as needed for these purposes, and under appropriate contractual safeguards.

  • Google LLC (Google Analytics 4, Google Ads, Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. Privacy policy: https://policies.google.com/privacy
  • Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API where used): page events, conversions, audience membership signals, and (where implemented) hashed identifiers. Privacy policy: https://www.facebook.com/privacy/policy
  • Cloudflare, Inc. (CDN and security): network and device data, including IP addresses, used for threat detection and performance. Privacy policy: https://www.cloudflare.com/privacypolicy/

We do not sell personal data. These providers may not use site data for their own independent commercial purposes beyond providing services to us, subject to their applicable terms and configurations.

7. International Transfers

Some service providers may process data outside the EEA/UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards, which may include:

  • EU-U.S. Data Privacy Framework (DPF), where applicable (since July 2023)
  • UK Extension to the EU-U.S. DPF, where applicable
  • Standard Contractual Clauses (EU 2021/914) as a fallback
  • UK International Data Transfer Agreement (IDTA) as a fallback

We also apply practical measures such as data minimization, access controls, and limiting the scope of data shared where possible.

8. Data Retention

We retain personal data only for as long as needed for the purposes described in this Privacy Policy:

  • Contact submissions: up to 2 years from the last interaction, unless a longer period is required to manage an ongoing relationship or to handle legal claims.
  • Analytics data: typically 14 months (subject to the settings of the analytics platform).
  • Marketing cookies: per the cookie lifetime (for example, 90 days for certain marketing cookies).
  • Email correspondence: duration of the relationship plus 1 year, unless we must retain records longer for legitimate purposes.
  • Server and security logs: typically 90 days, unless needed to investigate incidents.
  • Cookie consent record: up to 3 years for audit and compliance purposes.
  • Legal and tax records: as required by applicable laws (often 6–10 years for certain records).

9. Your Rights (GDPR & UK GDPR)

If GDPR applies to your personal data, you may have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77)

To exercise rights, email [email protected]. We generally respond within 30 days. This may be extended by up to 60 days for complex requests, in which case we will explain the reason for the delay.

For guidance on supervisory authorities, you can refer to the European Data Protection Board directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without verifiable parental consent, please contact us and we will delete it promptly.

11. Do Not Track

This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own handling of DNT or similar signals according to their policies and settings.

12. Data Deletion Requests

You may request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. For security, we may ask you to verify your identity before completing the request. Where deletion is not possible due to legal obligations, we will explain what must be retained and why.

13. Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, restructuring, or insolvency, personal data may be transferred as part of that transaction. If the transfer materially changes how personal data is used, we will provide notice on the website.

14. California (CCPA/CPRA)

While we are established in the Netherlands and our primary privacy framework is GDPR, we may receive visitors from the United States. For transparency, the following describes disclosures relevant to California residents where applicable.

Categories of personal information disclosed in the past 12 months:

  • Identifiers: such as name, email address, IP address, and cookie identifiers, disclosed to service providers and (with consent) advertising partners for measurement.
  • Internet or other electronic network activity: such as pages viewed and interactions, disclosed to analytics and advertising providers with consent.
  • Inferences: such as interests inferred from site interactions, used for advertising measurement and audience building when consent is given.

We do not sell personal information as defined by CCPA. We may share data for cross-context behavioral advertising when you consent to marketing cookies; California residents may opt out by using our cookie preferences panel.

California residents may have rights to know, delete, correct, and opt out of sale/sharing, and to not be discriminated against for exercising privacy rights. Requests can be submitted by emailing [email protected] with the subject “California Privacy Request”. We will verify identity as required and may request additional information to process the request.

15. Virginia (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. Requests can be submitted by emailing [email protected] with the subject “Virginia Privacy Request”.

We do not sell personal data or engage in profiling that produces legal or similarly significant effects. If we decline to take action on a request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond within 60 days.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service providers. If we make material changes, we will provide a notice on the website at least 14 days before the changes take effect where appropriate. The “Last Updated” date at the top of this page will be revised whenever this policy changes.

18. Contact

For questions or requests related to privacy, please contact:

If your inquiry relates to cookies specifically, please also review our Cookie Policy.

Privacy questions

If you have a question about this policy, your rights, or how cookie consent works, email us and include enough detail for us to locate your request. We respond using the contact details you provide.

Email our team