At Sepia Solutions it has never only been about privacy; it has always been -and will always be- about respect. GDPR does not change that in the slightest but in light of GDPR this sentiment is documented explicitly.

It’s a personal thing

We respect our clients, partners, contractors, suppliers, and other various business contacts. So it is only logical that we also respect those individual’s privacy and (contact) details.

We treat personal and contact information the way we would appreciate our personal data being processed too. Yes indeed, we take this personal, so that means that Sepia Solutions …

  • never buys contact data from third parties;
  • never sells personal data to third parties;
  • never sends large amounts of emails via automated means;
  • does not perform (trend) analysis, profiling, or automated decision making using your personal data;
  • only uses limited personal data such as professional contact details and publicly available information;
  • employs the same measures protecting its business data to protect your personal data.

At Sepia Solutions we respect you so we also respect your personal data. All resulting policies, procedures and control measures to process and protect your personal data are basically following “common sense”.

With respect,
Alain Rousseau
on behalf of Sepia Solutions

Privacy statement

Sepia Solutions bv processes personal information in compliance with this privacy statement. For further information, questions or comments on our privacy policy, please send an email to

Personal infromation from whom?

Contact information is being processed from people we do business with or communicate with. This means clients, suppliers, contractors, prospects, partners, but also individuals met at conferences, professional events, training sessions, or even chance meetings, etc. Potentially anyone we interact with on a professional level.

What personal data are we talking about?

Very particularly: name; office address/location; professional phone, fax and email address; and possibly publicly available information (such as a LinkedIn photo and profile URL). This data very explicitly does not include browser history, nationality, data of birth, personal preferences, financial, political, racial or religious information.

Why is this data processed at all?

Well, most importantly to communicate. That is why the data typically only consists of professional contact details not home address, habits, preferences, browser history, etc. Then, for each of the different categories of contacts, there are specific reasons.

  • Clients: to inform them about updates or news related to the GRC software they purchased, to tell them about events or webinars, to provide technical support, to request and generate license files, to process invoices correctly, to communicate about project work, etc.
  • Partners: to contact them, to request information, to order goods, to process invoices, to receive technical assistance, to work together on various initiatives and projects, etc.
  • Suppliers: to order goods or services, to request information, to process orders and invoices correctly.
  • Prospects: to provide the requested proposal or information, to request and generate temporary license files, to (very infrequently and always manually) contact them to follow-up on proposals, to provide them news about events or product developments (i.e. direct marketing).
  • Other: simply to stay in touch so it remains possible to contact these individuals (think about job offers, referals, training opportunities, etc.)

Is this data shared with, or sent to, other organisations?

As a rule, “no”; though sometimes this is necessary in following circumstances:

  • Agreements: Sepia Solutions does not itself develop the magnificent GRC software suites but is the distributor for these software packages. This means that certain agreements (license agreement, SLA, support agreement) may get shared with the software manufacturers. Those agreements may include a name, telephone and/or email address of key contacts at the client organisation (e.g. purchasing offices, legal counsel, etc.).
  • License files: License files are generated by the software manufacturers and they need to know to whom these license files are issued.
  • Technical support: It may be necessary to escalate technical issues reported by clients. While doing so, it is possible that the contact details of the individuals involved (e.g. the user or IT staff) are shared with the software vendor but then only to efficiently provide technical assistance.
  • Invoices: Sepia Solutions has outsourced accounting to an accounting office. If the invoices contain personal contact details, those details could be “seen” by the external accounting office. That said, they do not process the contact details; they process the invoice.

Can you review your personal data, have it updated or deleted?

Yes, of course you can. GDPR makes this mandatory, but you have always had that right because, again, it is just being respectful. Just send a email to with your question or remark.

In the unfortunate and unlikely event that you would not be satisfied with the way such a request was handled, please contact the Belgian Privacy Commission.