PRIVACY POLICY
of ELFAPP Technologies (“ELFAPP Technologies”, “ELFAPP”, “we”, “us”, “our”)
Effective date: 1 Jan 2025
Registered office: Keurenplein 41, box E7938 Amsterdam 1069 CD, Noord-Holland
Netherlands
KvK number: 89921313
Email: support@elfapp.nl
Website: https://elfapp.nl
1. Introduction
This Privacy Policy explains how ELFAPP Technologies collects, uses, discloses and protects personal data when you visit our website, use our software, or engage our IT consultancy services. We comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Dutch Implementation Act (UAVG).
2. Who we are and roles under GDPR
When we determine the purposes and means of processing (e.g., managing customer relationships, marketing, billing), we act as data controller.
When we process personal data on behalf of our clients (e.g., hosting, maintaining, or operating client software systems), we act as data processor under a separate DPA.
3. What personal data we collect
We may collect:
Identification data: name, job title, company name.
Contact data: email address, phone number, postal address.
Account data: login details, usage logs, preferences.
Billing data: bank details, VAT numbers, invoice records.
Technical data: IP address, browser type, operating system, device IDs, access times.
Support data: messages, feedback, or technical tickets.
We do not intentionally collect sensitive (“special category”) data unless explicitly required for the service and subject to additional safeguards.
4. How we use your data (purposes & legal basis)
We process personal data only when there is a lawful basis under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| To perform a contract or provide requested services | Contract (Art. 6(1)(b)) |
| To manage billing, invoicing, and customer support | Contract & legal obligation |
| To send service updates, notices, or optional newsletters | Legitimate interest or consent |
| To improve our software and website performance | Legitimate interest |
| To comply with legal obligations (tax, bookkeeping, etc.) | Legal obligation (Art. 6(1)(c)) |
5. Retention periods
We keep data only as long as necessary for the purpose collected:
Contractual and billing data: 7 years (legal tax requirement).
Client account and support records: up to 2 years after project completion.
Marketing data: until withdrawal of consent.
After expiry, data are securely deleted or anonymised.
6. Sharing and disclosure
We may share personal data only with:
Our authorised employees and subcontractors (bound by confidentiality).
Trusted service providers (e.g., cloud hosting, payment processors) acting as sub-processors.
Public authorities where required by law.
We never sell personal data.
7. International data transfers
Where we or our sub-processors transfer personal data outside the EEA, we ensure appropriate safeguards under Chapter V GDPR (e.g., EU Standard Contractual Clauses or adequacy decisions).
8. Data security
We maintain technical and organisational measures to protect data from unauthorised access, loss, or disclosure, including encryption, role-based access controls, secure servers, and regular audits.
9. Your rights under the GDPR
You have the right to:
Access and receive a copy of your data.
Rectify inaccurate data.
Erase data (“right to be forgotten”) where permitted.
Restrict or object to processing.
Port data to another controller.
Withdraw consent at any time (for consent-based processing).
Requests may be sent to support@elfapp.nl. We will respond within 30 days.
10. Cookies and tracking
Our website uses functional and analytical cookies to improve performance. For non-essential cookies we request your consent under the Dutch Telecommunications Act (Telecommunicatiewet). See our Cookie Policy for details.
11. Children’s privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Contact and complaints
For questions or concerns regarding this policy or data handling, contact us at:
Email: support@elfapp.nl
Postal address: Keurenplein 41, box E7938 Amsterdam 1069 CD, Noord-Holland
Netherlands
While you can write to us by post, it is faster and easier to send us an email.
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
13. Updates
We may update this Privacy Policy periodically. The latest version will be posted on our website with a new effective date.
Data Processing Agreement (DPA)
between
Client (“Controller”) and ELFAPP Technologies (“Processor”)
Effective date: 1 Jan 2025
1. Subject matter and duration
This DPA governs the processing of personal data by ELFAPP Technologies on behalf of the Client in connection with the software and IT consultancy services described in the main agreement. It remains in force as long as ELFAPP processes personal data for the Client.
2. Nature and purpose of processing
Processing is limited to the performance of services such as: software development, hosting, support, maintenance, data migration, and consultancy activities necessary to deliver the agreed services.
3. Categories of data and data subjects
Typical categories: name, email, user ID, transaction records, and log data.
Data subjects may include the Client’s employees, end-users, or customers.
No special category data will be processed unless explicitly agreed.
4. Processor obligations
ELFAPP Technologies shall:
Process personal data only on documented instructions from the Client.
Keep personal data confidential and ensure that employees are bound by confidentiality agreements.
Implement appropriate technical and organisational security measures (Art. 32 GDPR).
Assist the Client in fulfilling obligations toward data-subject rights and security assessments.
Inform the Client if it believes an instruction violates the GDPR or other law.
5. Sub-processors
The Client authorises ELFAPP Technologies to use sub-processors (e.g., hosting providers, email services) listed in Annex A.
ELFAPP will inform the Client of any intended changes to sub-processors and allow objection on reasonable grounds.
Each sub-processor shall be bound by written terms that provide the same data-protection obligations as this DPA.
6. Security measures
ELFAPP Technologies shall maintain at least the following measures:
Access control and authentication;
Encryption of data in transit and at rest where appropriate;
Regular back-ups and testing;
Patch management and anti-malware protection;
Secure development practices for software.
7. Data breach notification
In the event of a personal-data breach, ELFAPP will notify the Client without undue delay after becoming aware and provide details of the incident, impact, and mitigation measures to enable the Client to notify the Dutch Data Protection Authority (AP) if required.
8. Assistance to Controller
ELFAPP shall assist the Client in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIA, and consultation with authorities) upon reasonable request.
9. Return or deletion of data
Upon termination of services or on Client request, ELFAPP shall delete or return all personal data (except where retention is required by law) and certify deletion in writing.
10. Audits
The Client has the right to verify compliance through written audit requests once per year. ELFAPP may respond via independent audit reports (e.g., ISO or SOC certifications) to minimise disruption.
11. Liability
Each party’s liability under this DPA is governed by the liability clause in the main agreement.
12. Governing law and jurisdiction
This DPA is governed by Dutch law. Disputes shall be submitted to the competent court of Amsterdam, the Netherlands.
Annex A – Approved Sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Heroku, Namecheap, Odoo | Cloud hosting | EU / EEA / US | Standard Contractual Clauses (if outside EEA) |
| Atlassian, Heroku, Google | Infrastructure services | EU / EEA / US | Same as above |
| Namecheap, Google | Email delivery | US | SCCs / Adequacy decision |
| Papertrail | Logging / Stream events | EU / EEA / US | Same as above |