Privacy Policy
Tokens Studio Website
Last Updated: 19-11-2025
1. Who we are:
Tokens Studio is a service operated by Hyma B.V., Lage Gouwe 92, 2801 LJ Gouda, the Netherlands (Chamber of Commerce No. 59750502, “we”, “our”, “us”).
Hyma B.V. acts as:
Data Controller for any personal data that we process.
You can contact our privacy team at privacy@tokens.studio or by post at the address above.
Our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
1. About Hyma B.V.
Data Controller: Hyma B.V. (Tokens Studio)
Headquarters: Lage Gouwe 92, 2801 LJ Gouda, Netherlands
Contact: privacy@tokens.studio
2. Scope
This Privacy Policy explains how we collect, use, share, and protect personal data when you visit the www.tokens.studio website.
For privacy information related to our tools and account management features, please see the privacy policy for our plugins or our privacy policy for the Studio platform.
3. What Data We Collect
We collect and process only the minimum amount of personal data necessary to operate our website effectively. We do not retain data longer than required for the purposes outlined in this policy.
Usage data
Examples: Page access, on-site behaviour, IP address, device data and approximate geolocation data
Source: Microsoft Clarity (pseudonymized), and Pirsch (anonymized)
Purpose: analyzing website use and web traffic.
Marketing Data
Examples: LinkedIn member ID, Conversion Data, Retargeting information
Source: Linkedin Insight
Purpose: marketing
4. Legal Bases
Analytics to improve the website: Art. 6(1)(f) legitimate interest
Marketing data: Art. 6(1)(a) consent
Where we rely on legitimate interest, we balance our interests against your rights and reasonable expectations and allow you to object at any time (see Section 13).
5. Our Subprocessors
We use trusted third-party service providers to process data on our behalf.
Our current list of subprocessors is available at:
Subprocessors For The Tokens Studio Website
Any changes to the subprocessors will be updated on that page and the effective date will be revised.
6. Website Analytics and User Experience Improvement
For details on our web analytics tools, please click here:
7. Security Measures
We implement appropriate technical and organizational measures under Art. 32 GDPR, including:
TLS 1.3 encryption in transit, AES-256 at rest
Role-based access controls & MFA for all staff accounts
Continuous vulnerability scanning & penetration tests
EU-based hosting with ISO 27001–certified providers (AWS, GCP)
8. Data Retention
Analytics events: Up to 13 months
9. Cookies & Tracking
We use:
Essential cookies that are required for website functionality and security (Hubspot).
Non-essential analytics cookies (Clarity, LinkedIn) are only activated after you provide consent through our cookie banner.
We respect browser Do-Not-Track signals.
For more information on cookies, please see our Cookies Policy
10. No Sale of Personal Data
We do not sell or rent your personal data to third parties.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects under Art. 22 GDPR.
12. Government, Regulatory, and Law Enforcement Requests
We are committed to protecting your privacy while complying with valid legal obligations. When we receive requests for personal data from government agencies, regulators, or law enforcement authorities, we follow strict procedures to ensure GDPR compliance and protect your rights.
Legal Assessment: We review each request for legal validity and verify if the requesting authority has proper jurisdiction. We will assess the request against Article 6.1(c) of GDPR and consult with qualified legal counsel when necessary.
Scope Limitation: In responding to requests from government agencies, regulators, or law enforcement authorities, we will limit the scope of data disclosure to that which is specifically requested and legally required.
Data Subject Notification : In the event that we respond to a request for your data, we will notify you within 30 days, unless there is a statutory confidentiality requirement, or the requesting authority certifies that such a disclosure shall interfere with an active investigation.
13. Your Rights
You have the following rights under GDPR:
Access (Art. 15)
Rectification (Art. 16)
Erasure (“right to be forgotten”, Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Objection (Art. 21) — including the right to object to direct marketing
Withdraw consent at any time (Art. 7(3))
Contact privacy@tokens.studio to exercise these rights.
We respond within one month; if necessary, we may extend by up to two additional months for complex requests (you will be notified if so).
If you are not satisfied with the outcome, you may lodge a complaint with the Autoriteit Persoonsgegevens.
14. Data Breach Notification
If a personal data breach poses a risk to your rights and freedoms, we will notify you without undue delay, and within 72 hours of becoming aware of the breach, via email and/or in-app notification.
15. Children
Our services are not directed to individuals under 16 years of age. If we learn that we have collected personal data from anyone under 16, we will delete it promptly.
16. Transfer of Business
If Tokens Studio is involved in a merger, acquisition, or asset sale, your personal data may be transferred. You will be notified before the data becomes subject to a different privacy policy.
17. Changes to This Policy
We may update this Privacy Policy periodically. New versions will be posted on the website with a timestamp.
