Skip to main content

Privacy Notice

Download PDF

Last updated: May 31, 2026

Overview

This is a B2B privacy notice. In many cases, your organization decides how Account Data is used in the Service, while we process that data on your organization's behalf. This Privacy Notice explains our controller-side processing and how privacy-related requests are handled. Where we process Customer-controlled Account Data on behalf of a Customer organization, that processing is governed by the applicable Agreement and DPA.

Who We Are

For the purposes described in this Privacy Notice, the provider of the Service is:

  • Dutchcode B.V. trading as Firmfact
  • Litserstraat 20, 5275 BV Den Dungen, The Netherlands
  • privacy@firmfact.com

Our Role: Controller And Processor

We Act As Controller For

We act as controller for personal data we use for our own business operations, including:

  • website operation;
  • account registration and account administration;
  • billing, invoicing, collections, and tax records;
  • fraud prevention, abuse prevention, and security administration;
  • sales, support, and contact handling;
  • communications with prospects, customers, and authorized users;
  • relationship management and contractual administration.

We Act As Processor For

We act as processor when Customer uses the Service to process personal data in Customer-controlled Accounts, including:

  • uploaded files and attachments;
  • user-entered business data;
  • Account records created or maintained by Customer;
  • contact records created within the Account;
  • contract, invoice, allocation, and organizational data entered by Customer;
  • personal data contained in customer documents or prompts processed through Service features.

When we act as processor, our processing is governed by the applicable Agreement and DPA.

Our processor role for Customer-controlled Account Data does not turn our own account administration, provider-side billing and collections, relationship management, or general support communications into processor activities. Those provider-side business operations remain controller-side activities under this Privacy Notice.

Differences in plan tier may affect commercial support or service commitments, but do not change the controller / processor role allocation described in this Privacy Notice.

Requests About Customer-Controlled Account Data

If you are an end user, employee, contractor, or contact whose data appears in a Customer-controlled Account, you should contact the relevant Customer organization first. That organization is usually best placed to respond to requests about access, correction, deletion, restriction, or portability of Account Data.

We will support our customers in responding to such requests where required under the DPA or applicable law.

Lawful Bases When We Act As Controller

When we act as controller, we rely on one or more of the following lawful bases under applicable data protection law, depending on the processing activity:

  • Contract performance for account setup, service delivery, authentication, billing, subscription management, and support;
  • Legal obligation for tax, accounting, statutory retention, sanctions, export-control, and regulatory recordkeeping;
  • Legitimate interests for fraud prevention, abuse prevention, service security, operational monitoring, incident management, relationship management, and limited service analytics, where those interests are not overridden by data-subject rights;
  • Consent only where we specifically request it for a separate optional purpose and where it can be withdrawn.

When Customer uses the Service to process personal data in Customer-controlled Accounts, Customer generally determines the purposes, means, and legal basis for that processing. In that context, we act as processor unless the parties expressly agree otherwise.

Categories Of Personal Data

Depending on how the Service is used, we may process the following categories of personal data:

  • account and identity data, such as name, business email address, preferred language, and role information;
  • authentication data, such as encrypted passwords, login records, session identifiers, and SSO-related identifiers;
  • billing and commercial data, such as legal entity name, billing contacts, invoice details, VAT or tax identifiers, and payment-related records;
  • support and relationship data, such as support messages, chat records, requests, and communications with our team;
  • operational and security data, such as IP address, device or browser metadata, system logs, incident records, sender-verification metadata, and security review events;
  • Account Data, such as uploaded files, user-entered business records, contact information, and data contained in documents processed through the Service;
  • AI feature inputs and outputs where Customer uses AI-assisted functionality.

How We Use Personal Data

We use personal data to:

  • provide, operate, secure, and support the Service;
  • manage accounts, subscriptions, invoices, and contractual records;
  • authenticate users and administer access controls, including SSO / OIDC-based sign-in where enabled for the selected plan or applicable Order Form;
  • support customer-administered user lifecycle management, role assignment, and Account-scoped auditability within customer Accounts;
  • detect, prevent, and investigate abuse, fraud, misuse, and security issues;
  • communicate with customers and users about service operation, billing, legal updates, and support matters;
  • maintain service reliability, troubleshoot incidents, and improve performance;
  • comply with legal, regulatory, tax, accounting, and audit obligations.

Where permitted by law, we may also use de-identified and aggregated data for internal service improvement, operational analytics, reliability, capacity planning, and security purposes, provided that the data does not identify a customer or any individual and cannot reasonably be re-identified. We do not use such data to publicly identify or comparatively benchmark a customer without that customer's express written consent.

With a customer's prior written consent, we may identify that customer and use its organization name and logo on our website, in customer lists, and in similar promotional materials. Consent given through the in-product customer reference control in Account settings (available only to account administrators), an applicable Order Form provision, or written confirmation by an authorized customer representative satisfies this requirement. The lawful basis for this processing is consent under Article 6(1)(a) GDPR; we process only the organization name, logo, and related reference metadata necessary to display the reference. Consent can be withdrawn at any time through the same in-product control or on reasonable prior written notice; after withdrawal we cease new use within a reasonable period (typically within 30 days of confirmed withdrawal), except for materials already in circulation that cannot reasonably be recalled.

AI Features And Processing Boundaries

Where Customer uses AI-assisted functionality:

  • we process prompts, uploaded files, extracted text, and related outputs only to provide the requested feature;
  • Customer retains ownership of Account Data and Customer-specific outputs, subject to the Agreement;
  • Customer remains responsible for reviewing outputs before using them for legal, compliance, operational, or business decisions;
  • we do not use Account Data to train third-party or general-purpose AI models unless the parties expressly agree otherwise in writing.

EU AI Act posture. For AI-assisted functionality offered through the Service, Firmfact acts as a deployer of AI systems under Regulation (EU) 2024/1689 (the EU AI Act) and not as a provider of general-purpose AI models. Foundation-model provider obligations, including those applicable to general-purpose AI model providers, rest with the relevant upstream AI subprocessor. The Service is not designed to carry out, and is not used by Firmfact to carry out, practices prohibited under Article 5 of the EU AI Act.

Cookies, Browser Storage, Monitoring, And Analytics

We do not use advertising cookies, marketing pixels, cross-site tracking, or behavioral profiling for marketing purposes.

We do use limited operational, reliability, and security monitoring that is necessary to run the Service responsibly.

This may include:

  • essential session cookies and CSRF protection;
  • temporary authentication and SSO state handling;
  • browser-stored interface preferences such as theme or sidebar state;
  • operational logging and error monitoring;
  • infrastructure and security telemetry used to detect incidents and maintain platform reliability.

In a narrow factual sense:

  • Cloudflare may process IP addresses and request metadata for traffic delivery, abuse prevention, caching, and edge security functions;
  • Sentry may process diagnostic and security event data, including application errors and browser-reported policy violations, to help us detect and investigate operational and security issues.

These tools are not used for marketing, advertising, or cross-site behavioral analytics.

Where consent is legally required for non-essential cookies or similar technologies, we will request it before activating those technologies. Essential security, session-management, and fraud-prevention technologies remain in use because they are necessary to operate the Service.

SSO And Identity Providers

When Customer enables SSO / OIDC-based sign-in, where available for the selected plan or applicable Order Form, authentication-related identifiers and sign-in metadata may be processed as described in this Notice.

This may include:

  • user email address and display name received from the identity provider;
  • provider identifiers and tenant or domain metadata;
  • login timestamps, IP address, and session records;
  • encrypted session or refresh tokens where needed for the configured flow.

Customer administrators are responsible for provisioning and deprovisioning users, assigning appropriate Account roles, and configuring their own identity provider and related access policies. Customer is also responsible for the availability and configuration of Customer's own identity provider. The identity provider's own privacy practices are governed by that provider and Customer's relationship with it.

Email-Based Ingestion And Sender Security

Where Customer enables email-based ingestion or submission workflows, we may process sender verification data, allow-list or block-list entries, routing metadata, message headers, and related security review events to protect customer Accounts, reduce abuse, and route inbound content correctly.

These controls are used for operational security and abuse prevention. They do not by themselves expand the scope of Account Data exported through ordinary Account export tools.

Data Sharing And Subprocessors

We may share personal data with subprocessors and service providers acting on our instructions and subject to contractual controls, including providers used for hosting, security, monitoring, email delivery, document or AI-related processing, billing, and related operational functions. Depending on the context, these recipients may act as our processors, our sub-processors when we act on behalf of a Customer, our own controller-side operational vendors, or independent recipients where disclosure is legally required.

Key controller-side and operational vendors currently include:

  • Cloudflare Ireland Ltd. for traffic delivery, abuse prevention, caching, and edge security;
  • Sentry / Functional Software GmbH for diagnostic, monitoring, and security-event handling;
  • Lettermint for transactional email delivery;
  • Moneybird B.V. (Zwolle, The Netherlands) for invoicing and billing administration under our Dutch statutory accounting obligations; and
  • any additional payment provider used for the relevant subscription workflow, identified in the sub-processors register where applicable.

Where Customer uses AI-assisted functionality, Account Data may also be processed by Mistral AI SAS (Paris, France) acting as a processor of Customer Personal Data strictly to provide the requested feature. Processor-side AI vendors, together with current hosting and other processor-side subprocessors, are maintained in our sub-processors register (available from the Security Documents area), which is the authoritative list for processor-side recipients.

We may also disclose personal data:

  • where required by law, regulation, court order, or binding governmental request;
  • in connection with a merger, acquisition, financing, reorganization, or sale of business assets;
  • where necessary to protect rights, investigate misuse, or respond to security incidents.

We do not sell personal data.

Development tools used for source control, CI/CD, and issue tracking are kept outside ordinary customer personal data flows. In particular, customer personal data is not intentionally sent to GitHub.

Data Residency And International Transfers

Primary production infrastructure and Customer-controlled Account Data hosting are based in Hetzner data centres in Germany, with specific functional processing performed primarily by EU-based subprocessors listed in the DPA and processor-side subprocessor register. The controller-side and operational vendors identified in this Privacy Notice are maintained separately from that processor-side register because their role depends on the context of the processing. Current vendor details, roles, and regions may also be provided through our enterprise diligence materials on request.

If personal data is transferred outside the EU / EEA, we will implement the safeguards required by applicable law, such as the European Commission's Standard Contractual Clauses together with any supplementary measures that are reasonably required.

Retention, Export, And Deletion

We retain personal data for as long as reasonably necessary to provide the Service and fulfill the purposes described in this Privacy Notice, subject to legal, contractual, and operational retention requirements.

Deleting a user profile, removing Account access, or disabling a user account does not necessarily delete controller-side billing, account-administration, support, security, tax, audit, or legal-retention records. Those records may continue to be retained for the periods described below where required for contract administration, dispute resolution, legal compliance, security, or defence of claims.

We retain provider-side operational records only for as long as needed for the purposes described in this Notice, including security, support, billing, compliance, and service administration.

As a general guide:

  • support and account-administration records may be retained for up to 24 months after account closure;
  • operational security logs are generally retained for up to 180 days, unless a longer period is required for a documented security investigation, legal hold, or compliance obligation;
  • Customer Personal Data processed on behalf of a customer is returned or deleted under the Agreement and DPA, subject to backup rotation, legal retention obligations, and narrowly scoped retained records.

Some categories of data, such as configurable chat or inbox retention content, may be retained according to the settings made available in the Service.

If backup data is restored for disaster recovery, integrity verification, or security remediation, the restored data remains subject to the same access restrictions and is re-deleted or allowed to age out under the applicable backup retention cycle once the restoration purpose is complete.

Deletion and retention exceptions under this Privacy Notice are intended to align with the Terms and the DPA.

Where we process personal data on behalf of a customer, the applicable data-processing terms are governed by the DPA and not by plan tier, except to the extent a specific feature is not enabled for the relevant Subscription.

Data Portability And Access

Customer administrators may use the export tools made available in the Service to obtain a machine-readable Account export of Customer-controlled Account Data, subject to documented technical and operational limits. The standard export package includes a current-state snapshot of Account Data, the Account Audit Trail for the selected export scope, referenced files, and manifest/checksum metadata, using the standard formats made available by the Service for the relevant data type, including CSV and JSON where supported.

Standard export tools are not designed to export every internal provider-side record. Provider-side security logs, abuse-prevention records, infrastructure telemetry, and similar internal security materials may be retained separately and are not part of the standard customer export package unless expressly stated otherwise in an Order Form.

Where service access is temporarily restricted for billing reasons, we use commercially reasonable efforts to preserve export capability for up to 30 days, unless doing so would create a security or legal risk. Completed export artifacts may remain available for secure authenticated re-download during that period subject to retention settings and any applicable legal or security constraints. We provide standard offboarding support including continued access to the export package during the applicable offboarding period and reasonable remote coordination for handover of completed export artifacts. More specific export or offboarding commitments in an Order Form or the DPA will prevail where applicable.

Security

We use commercially reasonable technical and organizational safeguards appropriate to the nature of the Service and our risk profile, including measures relating to encryption in transit, access management, backups, monitoring, vulnerability management, and incident response.

Additional details about our security practices may be made available through our customer diligence materials or contractual documentation.

No method of transmission or storage is completely secure, but we work to reduce risk and respond appropriately to incidents.

Personal Data Breaches

Where we act as controller, we will handle personal data breaches in accordance with applicable law.

Where we act as processor for Customer-controlled Account Data, we will notify Customer without undue delay after becoming aware of a personal data breach affecting Account Data and provide the information and cooperation required under the DPA and applicable law.

Children And Minors

The Service is designed for business users and is not directed to children. We do not knowingly collect personal data directly from children in a consumer context. If you believe personal data has been submitted to us inappropriately, contact us using the details below.

Your Rights

Depending on applicable law and our role in the processing, you may have rights including:

  • access;
  • rectification;
  • erasure;
  • restriction;
  • objection;
  • portability;
  • withdrawal of consent, where processing is based on consent;
  • complaint to a supervisory authority.

Your rights may vary depending on whether we act as controller or processor for the relevant data. We do not make solely automated decisions with legal or similarly significant effects about you.

If we act as controller for the relevant data, you may contact us directly using the details below.

If the request relates to Customer-controlled Account Data, please contact the relevant Customer organization first.

If you are in the Netherlands, you may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). If you are located elsewhere, you may lodge a complaint with the supervisory authority in your usual place of residence, work, or the place of the alleged infringement, where applicable.

Changes To This Privacy Notice

We may update the Privacy Notice from time to time. For a paid subscription, the version accepted at the start of the then-current subscription term will remain in effect during that term, except for changes required by law or changes that do not materially reduce Customer's rights or increase Customer's obligations. We will provide at least 30 days' prior notice by email and/or in-product notice for material adverse changes, and any such change will apply no earlier than renewal unless Customer expressly agrees earlier. Non-material changes may be posted with an updated effective date.

Contact

For privacy questions or requests: