AAdminTools
Draft: This document is awaiting Dutch-AVG lawyer review and final placeholder fill-in. It is published here for transparency during pre-launch; the authoritative version will replace this notice before paying customers are onboarded.

Privacy Policy

DRAFT — needs Dutch-AVG lawyer review before publication. Replace every [FILL: …] placeholder with real data, then have a specialist rewrite the wording. Do NOT publish this version verbatim.

Last updated: [FILL: YYYY-MM-DD] Effective from: [FILL: YYYY-MM-DD]

1. Who we are

This service ("AdminTools" or "the Service") is operated by:

  • Legal entity: [FILL: NythTech B.V.]
  • Registered address: [FILL: street, postal code, city, NL]
  • KvK / Chamber of Commerce number: [FILL: 8-digit KvK number]
  • VAT (BTW) number: [FILL: NLxxxxxxxxxBxx]
  • Data Controller contact: privacy@nythtech.com
  • Supervisory authority: Autoriteit Persoonsgegevens (Dutch DPA), https://autoriteitpersoonsgegevens.nl

We act as the Data Controller for account data and as Data Processor for the financial documents you upload.

2. What we collect

2.1 Account data (Controller)

When you sign up, we collect:

  • Email address (required for login + invoices)
  • Display name
  • Password (stored as a bcrypt hash, cost 12 — never plain text)
  • Optional MFA secret (encrypted at rest)
  • Organisation name(s) you create
  • Subscription / billing metadata (Stripe customer ID, plan, status)
  • IP address and timestamps for security audit logging

Legal basis: contract performance (GDPR Art. 6(1)(b)) — we cannot provide the Service without these.

2.2 Business data (Processor)

When you use the Service to manage receipts, invoices, and bank transactions, you upload data including:

  • Receipt images / PDFs
  • Bank transaction CSVs (account number, balance, payments)
  • Customer records (name, address, VAT ID, contact details)
  • Sales and purchase invoices

You are the Controller of this data. We process it on your behalf under the Data Processing Agreement that's part of these Terms.

2.3 Telemetry

  • Server-side request logs (URL, status, latency, anonymised IP)
  • Background job execution metrics (no payload data)
  • Error reports via Sentry (PII scrubbed before transmission)

We do not use behavioural analytics (Google Analytics, Mixpanel, etc.) and we do not sell, share, or rent your data.

3. Cookies

  • app_token — essential session cookie (HttpOnly, Secure, SameSite=Lax, signed JWT). Required for login. No banner needed under AVG since it's strictly necessary.
  • No tracking, advertising, or analytics cookies.

If you add analytics later, this section requires an explicit consent banner.

4. Sub-processors

We use the following third parties to deliver the Service. Each is bound by a Data Processing Agreement (DPA) and processes only what's necessary for their specific function:

Sub-processorPurposeData sentRegion
Amazon Web Services (AWS)Hosting (ECS Fargate, RDS, S3, EFS)All Service dataEU (eu-west-1)
StripePayment processingEmail, name, card token (PCI-scoped)EU + US
ResendTransactional emailRecipient email + invoice PDFEU
AnthropicReceipt field extraction (cloud AI)Receipt image + filenameUS
OpenAIReceipt field extraction fallbackReceipt image + filenameUS
WeFact (optional, per-org)Accounting integrationCustomer + invoice metadataEU
Exact Online (optional, per-org)Accounting integrationCustomer + invoice metadataEU
GoCardless (optional, per-org)Open banking transaction syncBank account + transactionsEU
SentryError reportingStack traces, request IDs (PII scrubbed)EU

US-based processors (Anthropic, OpenAI, Stripe-US) operate under EU-US Data Privacy Framework certifications. If you require strict EU-only processing, you can configure your account to skip cloud AI extraction (BYOK / Florence-2 paths) and avoid US Stripe routing where applicable.

5. Retention

Data categoryRetention
Financial records (invoices, receipts, transactions)7 years (Dutch bewaarplicht)
Account dataWhile your account is active + 30 days after deletion request
Audit log2 years
Backups30 days rolling
Error logs90 days

Weekly automated purge: any record past its retention cutoff is deleted automatically (gdpr_retention_purge job, every Sunday 04:00 UTC). You can request earlier deletion of non-mandatory data — see Section 7.

6. Security

  • All connections use HTTPS (TLS 1.2+).
  • Database encryption at rest: AES-256-GCM for credentials, scrypt KDF.
  • Optional full-database encryption via SQLCipher.
  • Multi-factor authentication (TOTP) available for all accounts; required for admin roles.
  • Penetration testing / vulnerability scanning: CodeQL SAST, Trivy, Gitleaks, IDOR isolation tests run on every commit.
  • Incident response plan: see docs/security/incident-response-plan.md.
  • Backups stored encrypted, geographically distinct from primary.

7. Your rights (GDPR Articles 15-21)

You can exercise the following rights at any time via your account settings or by emailing privacy@nythtech.com:

  • Access (Art. 15) — download your full data via /api/gdpr/export
  • Rectification (Art. 16) — correct inaccurate personal data
  • Erasure (Art. 17) — delete your account and non-mandatory data
  • Restriction (Art. 18) — pause processing during a dispute
  • Portability (Art. 20) — receive a machine-readable copy
  • Objection (Art. 21) — object to specific processing

Mandatory financial data (bewaarplicht) cannot be deleted before the 7-year retention window expires; we'll restrict access instead.

If we don't resolve your concern, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens.

8. International transfers

US sub-processors (Section 4) operate under the EU-US Data Privacy Framework. Where DPF doesn't apply, transfers happen under Standard Contractual Clauses (SCCs) plus supplementary technical measures (encryption in transit + at rest, minimal data sent).

9. Children

The Service is not intended for users under 16. If you become aware that a child has provided personal data, contact privacy@nythtech.com and we will delete it.

10. Changes to this policy

We'll notify you by email at least 30 days before material changes take effect. Minor clarifications are published with a "Last updated" bump and no email.

11. Contact

  • General privacy questions: privacy@nythtech.com
  • Data Protection Officer (DPO): [FILL: appoint or state "not appointed, contact via privacy@" — only required if processing is at scale or involves systematic monitoring]
  • Dutch DPA: Autoriteit Persoonsgegevens, https://autoriteitpersoonsgegevens.nl