Privacy Statement
Last updated: [date pending] · Draft version
This statement explains how we process personal data under the GDPR/AVG and Dutch law (Arts. 13–14 GDPR).
1. Data controller
[Handelsnaam], a sole proprietorship (eenmanszaak) owned by [full name], registered at [full physical address] (Netherlands). KvK: [KvK number]. BTW-id: [NL000000000B01]. Privacy contact: [privacy@domain].
2. Purposes and legal basis
- Provide the service and manage the account — performance of a contract.
- Process financial documents and generate insights — performance of a contract.
- Service communications and newsletter — legitimate interest / consent.
- Aggregated usage measurement (Plausible, cookieless) — legitimate interest.
- Security, fraud prevention and legal obligations.
3. Categories of data
- Account data: name, email, language, country.
- Financial data you provide: statements, invoices, properties, mortgages, income, tax documents.
- Technical data: IP address, device, logs.
4. Recipients (processors)
Providers acting as processors (Art. 28 GDPR): hosting [provider], Supabase, Plausible, Stripe and Moneybird (once billing is enabled), and OpenAI/Anthropic for AI processing.
5. Transfers outside the EEA
Some providers (OpenAI, Anthropic, Stripe) may process data outside the EEA under appropriate safeguards: EU Standard Contractual Clauses or the EU-US Data Privacy Framework.
6. Retention
We keep data while the account is active and for applicable legal periods. Detail: [retention table pending].
7. Your rights
You may exercise your rights of access, rectification, erasure, restriction, portability and objection, and withdraw your consent, by writing to [privacy@domain].
You may lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
8. Automated decisions
AI proposes classifications and informational calculations with human confirmation (human-in-the-loop); these are neither automated decisions with legal effect nor financial advice.