Privacy statement

Revised 24th of October 2023

The Dutch Internet Standards Platform respects your privacy and strives to minimize the collection and processing of your personal data. With this privacy statement, we would like to inform you about what personal data we collect when you use our website and other services on Internet.nl and how we process this data. Your rights are covered by the applicable laws, mainly the European General Data Protection Regulation (GDPR) and the Dutch Telecommunications Act.

What data will be collected?

Website (Internet.nl)

Application

When you are using Internet.nl we collect the following data which is necessary for the functioning of the website.

  • IP address of your client (remote host) which made the request to our web server:

    • When a connection test is performed, only your anonymized IP address and anonymized reverse name are stored in the application database and shown in the connection test report that is available for the user via a permalink.
    • In any other cases your (full or anonymized) IP address is not stored in the application database.
  • Domain names that you provided to perform email or website tests:

    • Domain names are stored in the application database. They will be shown in the test reports available for the user via a permalink and could be shown in the Hall of Fame.
    • Only the domain name is stored, but not the 'local-part' (i.e. the part before @example.nl) of a provided email address.

Server logs

For debugging connection issues and for solving (security) incidents we keep the below data in our web server logs.

  • IP address of the client (remote host) which made the request to our web server;
  • The time that the request was received;
  • User-Agent HTTP request header that your client browser reported about itself;
  • Status code that the server sends back to your client;
  • Size of the object returned to your client;
  • Error message with regard to processing the request.

User analytics

We put analytical cookies on your device to analyze the use of our website. We run Matomo (formerly Piwik) on our own web server. Matomo is one of the most privacy-friendly analytical tools currently available. The statistics generated with these cookies are used only to improve our website.

We collect the following data:

  • IP address (anonymized);
  • Very rough location of the user based on anonymized IP address;
  • Date and time;
  • Title of the page being viewed;
  • URL of the page being viewed;
  • URL of the page that was viewed prior to the current page;
  • Screen resolution;
  • Time in local timezone;
  • Files that were clicked and downloaded;
  • Link clicks to an outside domain;
  • Pages generation time;
  • Main Language of the browser;
  • User Agent of the browser.

Because the impact of these analytical cookies on your privacy is very limited in light of the GDPR and Section 11.7a of the Dutch Telecommunication Act, you do not need to give your consent for this. If you do not want us to track your device, we recommend that you turn on the Do Not Track function in your browser. Matomo will not track users that use the Do Not Track function (see this page on Matomo.org). For more information about Do Not Track and how to turn it on in your browser, see the website All About Do Not Track.

Email (@internet.nl)

When you send emails to question@internet.nl we collect the following data:

  • Email address used and other mail header data (like time);
  • Any other personal data that the sender put in the mail.

What third-party services are used?

WHOIS

In the website and email test, the registrar of the tested domain is queried via WHOIS. For this purpose, a query of the IANA WHOIS Service and of the WHOIS Service of the respective TLD registry (e.g. the WHOIS Service of SIDN) is done using the WHOIS protocol (plain text on TCP port 43).

Team Cymru

  • In the RPKI test component of the website and email test, for each IP address found, the corresponding BGP Origin ASN is queried using Team Cymru's "IP to ASN Mapping Service".
  • In the connection test, for the IP addresses of your client and of your DNS provider, the ASN Description (for the purpose of naming the ISP and DNS provider) is queried using Team Cymru's "IP to ASN Mapping Service".

IP addresses are anonymized as much as possible prior to the query (for IPv4 on a /24, for IPv6 on a /48). The query takes place via DNS on UDP port 53.

Reverse DNS

In the connection test, the reverse name for the non-anonymized IP address of your client is queried (via "in-addr.arpa" and "ip6.arpa") using our local DNS resolver.

Sentry

We use Sentry to log crashes and similar bugs in tests and pages. For this, we may send Sentry the domain being tested, any information collected in the test, and the HTTP headers of the request. We do not include the IP address of your client in the information we send to Sentry. Information is only submitted on test or page crashes. No information is shared about performed tests or requested pages that do not result in crashes.

Public DNS resolvers

The Internet.nl dashboard checks whether a given domain name returns valid DNS responses and is testable using the following public DNS resolvers: CZ.NIC, Quad9 and dns0.eu.

What measures are in place to secure the collected data?

Access and third parties

Our services are running on servers that are hosted by Prolocation (single test website and batch test API) and by TransIP (dashboard). ECP is in charge of operating the mailbox. Collected data and received information may be shared with other members of the Internet Standards Platform only to answer questions, to solve issues or to improve our services.

Except for the services listed under "What third-party services are used?", no third party services are used (like external analytics tooling or web fonts). We do not in any way pass on personal data collected by us to third parties (i.e. outside the Internet Standards Platform), unless we are legally obliged to do so (for example, if the authorities with a legal basis request data from us).

Technical measures

We have implemented a.o. the following technical measures to secure your personal data:

  • Modern, secure standards are in place. We comply with our own tests. E.g. our web server offers an encrypted connection (HTTPS) and the domain is signed (DNSSEC). Note that the connection test partially uses HTTP (instead of HTTPS). This is because this test also checks whether the visitor's web browser can connect directly to an IP address, and unfortunately certificates for IP addresses are very uncommon. Nevertheless, we plan to improve this;
  • Software on our servers is updated regularly;
  • Our engineers use strong authentication to access the servers.

In case you find a vulnerability, despite of our efforts, please act in accordance with our responsible disclosure policy.

Anonymization

  • Application: The anonymization of the IP address of your client means that at least the last 16 bits of each IPv4 address and the last 96 bits of each IPv6 address are discarded and replaced with zero's before storing in the application database (e.g. visible is only 198.51.0.0 or 2001:db8::). Besides we anonymize the found reverse name by masking the first one or more labels. By anonymizing the IP address and reverse name we make sure that it is usually nearly impossible to relate these directly to a person anymore, even not with the other associated data collected. IP addresses belonging to web servers, mail servers or name servers will not be anonymized, because we consider this data to be public data which is published in DNS. The same goes for domain names; we also consider this to be public data.
  • User analytics: At least 16 bits for IPv4 and 80 bits for IPv6 are discarded and replaced with zero's before storing an IP address in our analytics tooling (e.g. visible is only 198.51.0.0 or 2001:db81:85a3::).

Data retention period

  • Application: Because the anonymized visiting IP address and associated collected data can not be directly related to a person, we do not maintain a specific retention period for the data stored in our application database.
  • Server logs: Data collected in our server logs will be deleted after three calendar months.
  • User analytics: Individual visitor data (including the anonymized IP address) in our analytics tooling will be deleted after 90 days.
  • Email: Processing emails is a core activity of The Dutch Internet Standards Platform. Based on the requirements set by the Dutch Tax and Customs Administration, email correspondence will be deleted after seven years.

Inspection, correction and deletion of data

Pursuant to the European General Data Protection Regulation (GDPR), you have the right of access to your personal data upon request and, if necessary, to amend it or have it deleted. Please contact us in case you wish to do so. Because we keep your full IP address only temporarily in our server logs, you might need to supply us with additional information, such as about your device and browser as well as the date and time of your visit, for us to be able to honour your request.

Update privacy statement

We may change our privacy statement. We will announce this change on our website. Older versions of our privacy statement will be stored in our archive. Send us an email if you want to consult it.