Privacy Statement
Your personal data is handled and secured with care. We comply in all cases with the General Data Protection Regulation (GDPR).
Montisoro records your data to inform you about relevant developments. Under no circumstances is permission granted to other companies or institutions to use your data.
We are fully transparent about the data we use and record. No fine print, no hidden agenda.
We never share your data with other parties for commercial purposes. Not today. Not tomorrow. Not under any circumstance.
Recording personal data and special categories of personal data is necessary for the performance of an agreement in the field of guiding and developing individuals, whether or not employed by an organization.
Each processing activity serves one clear purpose. We never collect more than we need for it.
Data is stored on servers within the European Union (AWS, EU region), encrypted in transit and at rest. Access is strictly limited to authorised staff, with authentication and two-factor verification. With Casey AI the case manager stays in charge — there are no solely automated decisions with legal effect.
We never share this data with other parties for commercial purposes.
Consent is given freely and unambiguously, as the person concerned is informed in advance about which data we wish to receive and why.
Independent of context, jurisdiction or agreement, these three rights always remain yours.
The person concerned always has the right to see how we use the data. One email is enough, no form, no barrier.
The person concerned has the right to erasure: the complete deletion of personal data. We carry this out without questions.
For every new processing activity we explain in advance which data we wish to receive and why, so that consent always remains free and unambiguous.
For every type of interaction we know exactly what we record and why.
You complete the fit check; we send you the result and report by email.
You calculate your absence cost; the substantiated report is emailed to you.
You book a diagnostic call via the scheduler. We use your data only to confirm and prepare the appointment.
On behalf of the employer we manage files during incapacity for work. Health data is strictly shielded and processed only on the proper legal basis.
Our site runs without tracking, advertising or marketing cookies. Here's exactly what we do and don't do.
No tracking, advertising or marketing cookies. The site works entirely without cookies that follow your behaviour or build a profile, so you don't need to accept anything to use it.
Today we use no optional cookies, so there is nothing to manage. Should we ever introduce them, we will first ask your consent via a cookie banner.
We measure visits with our own cookieless counter. Per page view we record only: the page visited, the external referring website, your language, your device type (mobile/tablet/desktop) and the screen width.
No IP address, no cookie, no fingerprint. We respect your browser's Do-Not-Track setting.
To make the site work we keep a few preferences locally in your browser (not cookies): your cookie preference, your language and your progress in the calculator, fit check or booking planner.
This data stays on your device and is never used to track you.
We process on the basis of: contract (art. 6.1.b) for the fit check, calculator and booking; legal obligation (art. 6.1.c) for reintegration; and legitimate interest (art. 6.1.f) for our cookieless website measurement. Health data is processed only on your explicit consent or the exemptions for employment and social-security law (art. 9.2.b/h GDPR).
Absence and reintegration files contain health data. In Storm these are strictly shielded and viewed only by authorised case managers. The medical assessment stays with the occupational physician.
File data is kept for the duration of the agreement and any legally required retention period thereafter. Lead and contact data is kept for a maximum of 24 months after your last contact.
Each under a data-processing agreement: AWS (hosting, EU), Supabase (database, EU), Microsoft 365 (email & calendar) and transactional email services (Mandrill, Amazon SES, Resend).
Within the EU in principle. Where a sub-processor processes outside the EU, this happens under the standard contractual clauses (SCCs).
The controller is Montisoro BV, Tisseltstraat 25, 1880 Ramsdonk (BE0733840137), at hello@montisoro.com. You may lodge a complaint with the Belgian Data Protection Authority (Drukpersstraat 35, 1000 Brussels — contact@apd-gba.be). On a data breach with risk, we notify the DPA within 72 hours.