Privacy Policy

Last updated: March 10, 2026

1. Introduction

GetDeposit ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform at getdeposit.io and related services (the "Service").

This policy applies to all users, including Company administrators, employees, and Customers. By using the Service, you consent to the practices described in this policy.

2. Data Controller

GetDeposit is the data controller for the personal data processed through the Service. If you have questions about how your data is handled, you can contact us at privacy-bvisfjag@getdeposit.io.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • First name and last name
  • Email address
  • Password (stored securely using bcrypt hashing)
  • Language preference

3.2 Company Data

When a Company registers, we additionally collect:

  • Company name and logo
  • Business address and billing address
  • Telephone number and email
  • VAT number
  • Currency preference

3.3 Customer (Booker) Data

When a deposit is created for a customer, the Company provides:

  • Customer first name, last name, and email
  • Company name (optional)
  • Booking reference code and dates

3.4 Payment Data

Payments are processed by Stripe. We do not store full credit card numbers or CVVs on our servers. We store only Stripe identifiers (e.g., PaymentIntent IDs, Customer IDs) necessary to manage deposits and subscriptions. For details on how Stripe handles your payment data, please refer to Stripe's Privacy Policy.

3.5 Media & Photos

Users and Customers may upload photos to document the state of objects or properties. We store these files securely and associate them with the relevant deposit. Uploaded media includes the file itself, its original filename, file type, and file size.

3.6 Usage & Technical Data

We may automatically collect:

  • IP address and browser type
  • Device information and operating system
  • Pages visited and actions taken within the Service
  • Timestamps of access and interactions
  • Analytics data collected via Google Analytics (see Section 9)

4. How We Use Your Data

We use personal data to:

  • Provide the Service — manage accounts, process deposits, facilitate payments, and deliver notifications.
  • Communicate with you — send transactional emails (deposit codes, payment confirmations, audit results), account-related notifications, and service updates.
  • Improve the Service — analyze usage patterns, diagnose issues, and develop new features.
  • Comply with legal obligations — fulfill tax, accounting, and regulatory requirements.
  • Prevent fraud and abuse — detect and respond to security incidents.

5. Legal Basis for Processing (GDPR)

We process personal data based on the following legal grounds:

  • Contract performance — processing necessary to provide the Service you have signed up for.
  • Legitimate interest — improving the Service, preventing fraud, and ensuring security.
  • Legal obligation — compliance with applicable laws and regulations.
  • Consent — where you have given explicit consent (e.g., marketing communications). You can withdraw consent at any time.

6. Data Sharing

We share personal data only in the following circumstances:

  • Stripe — for payment processing and Company onboarding via Stripe Connect.
  • Amazon Web Services (AWS) — for hosting, file storage (S3), email delivery (SES), content delivery (CloudFront), and compute services. Data is processed within the EU region.
  • Between Company and Customer — deposit-related information (names, photos, audit results) is shared between the Company that created the deposit and the Customer it belongs to.
  • Legal requirements — if required by law, regulation, legal process, or governmental request.
  • Google Analytics (Google LLC) — for website analytics and usage statistics. Google may process data outside the EEA under Standard Contractual Clauses. See Google's Privacy Policy.

We do not sell your personal data to third parties.

7. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. When you delete your account, we mark it as deleted and retain only the minimum data required for legal, accounting, and regulatory purposes.

7.1 Transaction & Financial Records

We are legally required to retain certain transaction-related data even after account deletion. This includes:

  • Deposit amounts, payment dates, and refund or deduction details
  • Stripe payment identifiers (PaymentIntent IDs)
  • Invoices, subscription history, and billing records
  • Audit trail entries (actions taken, timestamps, and associated user names)
  • Audit results, including damage assessments and deduction amounts

These records may be retained for up to 7 years after the transaction date to comply with Dutch tax law (Algemene wet inzake rijksbelastingen), EU anti-money laundering regulations, and general financial record-keeping obligations.

7.2 Other Personal Data

Account data (name, email, preferences) is retained for the lifetime of your account. Upon account deletion, personally identifiable details are anonymized or removed, except where retention is required as described above.

Uploaded media associated with completed deposits may be deleted after a reasonable retention period or upon request, provided no legal obligation requires us to keep it.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure password storage using bcrypt hashing
  • Access controls and authentication (JWT tokens, MFA support)
  • Secure file storage with signed URLs
  • Regular security reviews

While we strive to protect your data, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Cookies & Analytics

We use the following cookies and similar technologies:

9.1 Strictly Necessary

  • Authentication cookie — a secure, httpOnly cookie containing a refresh token to keep you signed in. This is strictly necessary for the Service to function.
  • Language preference — stored in your browser's local storage to remember your chosen language.

9.2 Analytics (Google Analytics)

We use Google Analytics 4 (GA4), provided by Google LLC, to understand how visitors interact with our website. Google Analytics uses cookies to collect anonymized usage data, including:

  • Pages visited and navigation paths
  • Session duration and bounce rate
  • Approximate geographic location (country/city level, derived from anonymized IP)
  • Device type, browser, and operating system
  • Referral source (how you arrived at our site)

The following cookies may be set by Google Analytics:

  • _ga — distinguishes unique visitors. Expires after 2 years.
  • _ga_* — maintains session state. Expires after 2 years.

IP anonymization is enabled, meaning your full IP address is never stored by Google. We have configured Google Analytics to not share data with other Google services. For more information, see How Google uses data from sites that use its services. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We do not use advertising cookies or share analytics data with advertisers.

10. Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — restrict the processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent.

To exercise any of these rights, contact us at privacy-bvisfjag@getdeposit.io. We will respond within 30 days.

11. International Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to Stripe's US-based infrastructure), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

If you have questions or concerns about this Privacy Policy, please contact us at:

GetDeposit
Email: privacy-bvisfjag@getdeposit.io