Privacy Policy

Last updated: March 13, 2026

1. Information We Collect

Information You Provide

  • Account information (name, email address, password)
  • Business profile details (company name, KVK number, BTW number, address, IBAN)
  • Client information (name, company, contact details)
  • Invoice data (line items, amounts, payment terms)
  • Expense records (amounts, categories, descriptions)
  • Uploaded documents (receipts, invoice PDFs)

Automatically Collected Information

  • Authentication session data
  • Basic usage analytics (page views, device type) via privacy-friendly, cookie-free analytics

2. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

  • Contract (Article 6(1)(b)) — To provide and maintain the bookkeeping service you have requested, including invoice generation, expense tracking, and BTW-aangifte summaries.
  • Legal Obligation (Article 6(1)(c)) — To comply with the 7-year financial record retention required by Dutch tax law (fiscale bewaarplicht, AWR Art. 52).
  • Legitimate Interest (Article 6(1)(f)) — For privacy-friendly, aggregated analytics to monitor service performance and reliability. No individual tracking is performed.

3. How We Use Your Information

We use your information to:

  • Provide bookkeeping, invoicing, and expense tracking services
  • Generate invoices and PDF documents
  • Calculate BTW-aangifte summaries
  • Produce annual financial summaries
  • Authenticate your account and maintain security

4. Information Sharing

We do not sell your personal or financial information. We may share information only:

  • When required by Dutch or EU law (e.g., Belastingdienst requests)
  • With service providers who help us operate the platform (see Section 7)
  • In connection with a business transfer or acquisition

5. Data Security

We implement appropriate security measures to protect your financial and personal information, including:

  • Encrypted connections (HTTPS/TLS) for all data transmission
  • Private, access-controlled storage for uploaded documents (receipts, invoices)
  • Authentication-gated access to all financial data
  • Per-user data isolation — you can only access your own records
  • Passwords hashed with bcrypt (never stored in plaintext)

No internet transmission is 100% secure, and we cannot guarantee absolute security.

6. Data Retention

We retain your information as long as your account is active. When you delete your account, we will delete your personal information and all associated data.

Important: Dutch tax law (fiscale bewaarplicht) requires that financial records — including invoices, expense records, and supporting documents — be retained for 7 years. You are responsible for maintaining your own copies of financial records before deleting your account. We recommend using the data export feature in your account settings before deletion.

7. Third-Party Services (Sub-processors)

Our platform uses the following third-party services:

  • Moopy — OAuth authentication provider (optional sign-in method)
  • Neon — Database hosting (PostgreSQL, EU region)
  • Vercel — Application hosting, deployment, and document storage

We have Data Processing Agreements (DPAs) in place with our sub-processors where required by GDPR Article 28, including Standard Contractual Clauses (SCCs) for any data transfers outside the EU/EEA. Each service has its own privacy policy. We only share the minimum necessary information with these services.

For copies of our DPAs, contact hello@zzppy.nl.

8. Account Linking (OAuth)

If you sign in using Moopy (OAuth), we will link your Moopy account to any existing Zzppy account with the same email address. This allows you to use either sign-in method interchangeably. If you do not wish for accounts to be linked, use a different email address.

9. Children's Privacy

Zzppy is a business tool not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

10. Data Breach Notification

In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours as required by GDPR Article 33. If the breach poses a high risk to your rights and freedoms, we will also notify you directly as required by GDPR Article 34.

11. Your Rights (GDPR / AVG)

Under the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet AVG, you have the following rights:

  • Right to Access — Request a copy of all your personal data
  • Right to Rectification — Update your information through your settings
  • Right to Deletion — Delete your account and personal data via Settings > Account
  • Right to Data Portability — Export your data in JSON format via Settings > Account
  • Right to Object — Object to processing of your personal data
  • Right to Withdraw Consent — Change your preferences at any time
  • Right to Lodge a Complaint — File a complaint with the Autoriteit Persoonsgegevens

You can exercise your right to deletion and data portability directly from your Settings > Account page. For all other requests, contact us at the address below. We will respond to data subject requests within 30 calendar days. For complex requests, we may extend this period by up to 2 months with prior notice.

12. Changes to Privacy Policy

We may update this privacy policy from time to time. We will notify users of significant changes via email or platform notification.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at hello@zzppy.nl.