Privacy notice — Boilerplate
Version: 2026-06-10 — effective from 2026-06-10
This is the English version of our Dutch privacy notice (privacy-policy-nl.md). In case of discrepancies, the Dutch version is leading.
1. Who we are
Boilerplate, established at Add registered address before launch, registered at the Dutch Chamber of Commerce (KvK) under number Add KvK number before launch, is the controller for the processing described in this notice.
- Contact: [email protected]
- Data Protection Officer: Not appointed for template — [email protected]
2. What data we process
| Category | Examples | Purpose |
|---|---|---|
| Identification | Name, email, phone | Account, orders |
| Address | Shipping + billing address | Shipping, invoicing |
| Payment | Tokenised PSP reference (we never store card numbers) | Payment via Mollie |
| Authentication | Password (bcrypt hash), 2FA secret | Sign-in |
| Communication | Support messages, marketing preference | Customer service, marketing (with consent) |
| Technical | IP (HMAC), device type, page visits | Security, fraud prevention, anonymous analytics |
3. Legal bases
| Purpose | Basis (GDPR Art. 6) |
|---|---|
| Performance of contract | 6(1)(b) |
| Legal obligation (7-year fiscal retention) | 6(1)(c) |
| Marketing email / newsletter | 6(1)(a) — explicit, revocable consent |
| Security + fraud prevention | 6(1)(f) — legitimate interest |
4. Retention
| Category | Retention |
|---|---|
| Account data | Until account deletion; anonymised afterwards for fiscal purposes |
| Orders + invoices | 7 years (Dutch tax law) |
| Marketing consent | Until withdrawn; consent log kept 7 years (evidence) |
| Application logs | 30 days |
| Backups | 30 daily + 12 monthly + 5 yearly (encrypted) |
Backups may contain data that has been anonymised in production. On the next restore the anonymisation is re-run against the restored copy. See ADR 0012 in our technical documentation.
5. Recipients
| Processor | Purpose | Region | DPA on file |
|---|---|---|---|
| Hetzner | Hosting | EU (Nürnberg / Falkenstein) | Yes |
| Cloudflare | DNS, CDN, WAF | EU edge for EU users (Data Localisation Suite) | Yes |
| Mollie | Payments | NL/EU | Yes |
| MyParcel | Shipping | NL | Yes |
| Resend | Transactional + marketing email | Resend EU tier | Yes |
| none (Sentry EU / Flare EU) | Error tracking | EU | Yes |
We do not sell your data. We share only what's necessary for the purposes listed.
6. Transfers outside the EEA
None — all default processors are in the EU.
7. Your rights
- Access (Art. 15): click "Download my data" in account settings. You receive an encrypted JSON export within 30 days.
- Rectification (Art. 16): edit in your account settings.
- Erasure (Art. 17): click "Delete account". We delete your profile immediately; data with fiscal retention is anonymised after 30 days.
- Restriction (Art. 18) — request via email.
- Object (Art. 21) — request via email.
- Portability (Art. 20) — same JSON export as access.
- Withdraw consent (Art. 7(3)) — link in every marketing email
- "unsubscribe" in account settings.
- Complain to supervisory authority — Autoriteit Persoonsgegevens (NL), Postbus 93374, 2509 AJ Den Haag, or your habitual residence's authority.
We respond within 30 days.
8. Security
We maintain among other measures:
- TLS 1.3 for all traffic.
- AES-256 encryption on sensitive columns.
- HMAC-SHA-256 lookups for searchable PII.
- Mandatory 2FA for all staff.
- Quarterly penetration tests + annual audits.
- Scheduled rotation of every secret (see our internal secrets-rotation runbook).
In the event of a breach we notify the Autoriteit Persoonsgegevens within 72 hours per Art. 33 GDPR, and notify affected subjects per Art. 34 GDPR when required.
9. Cookies
See our cookie policy. We set only functional cookies without consent; all others (analytics, marketing) require explicit consent via our cookie banner.
10. Changes
We may update this notice. Material changes are notified to logged-in users by email.
11. Contact
Questions? Email [email protected] or write to Add registered address before launch.