Privacy Policy

Last updated: 26 juni 2026

FactuurMakenOnline.nl ("we") respects your privacy and processes personal data in accordance with the General Data Protection Regulation (GDPR). This policy explains what data we collect, why, and what rights you have.

What data we process

  • Account data: name, e-mail address, password (stored encrypted with bcrypt)
  • Company data: company name, Chamber of Commerce (KVK) number, VAT number, address, IBAN
  • Customer and invoice data that you enter or import yourself for the purposes of your own administration
  • WeFact API key (if you use the import function): stored encrypted in our database; not readable by our staff and used exclusively to retrieve your own WeFact data on your behalf
  • Bank account data (if you connect a bank account): IBAN number, account holder name, account balance, and transaction data including amounts, dates, descriptions, and counterparty names/IBANs — retrieved via GoCardless (Nordigen) using your explicit PSD2 authorisation. We store only the data needed for matching against your invoices; raw transaction data is not retained permanently.
  • Payment data via our payment processor Mollie (we do not store credit card or bank details for subscription payments ourselves)
  • Technical data: IP address, browser type, usage statistics (for security and product improvement)

What we use this data for

  • To provide and manage your account and invoicing service
  • To process payments (via Mollie) and manage subscriptions
  • To retrieve and import your WeFact data at your request
  • To match bank transactions against your invoices (bank reconciliation)
  • To send SMS notifications via Twilio, when that feature is active and you have opted in
  • To support you when you have questions
  • To comply with legal obligations (e.g. the statutory tax record-keeping obligation)

Bank connection (GoCardless / Nordigen)

When you activate the bank connection, we use GoCardless (Nordigen BV, a PSD2-licensed payment institution) to retrieve your bank transaction data. GoCardless acts as a data processor on our behalf. The connection is read-only; no payments can be initiated. The authorisation expires after 90 days. You can revoke the connection at any time in your account settings, after which we will no longer retrieve new transaction data from GoCardless. Previously retrieved transaction matches remain in your account until you delete them. GoCardless's own privacy policy applies to the processing performed by GoCardless; see gocardless.com/privacy.

Sharing with third parties

We only share data with parties that are necessary to provide the service. Data processing agreements are in place with all of these parties. We never sell data to third parties.

  • Mollie — subscription payment processing
  • GoCardless / Nordigen — bank account information retrieval (PSD2, only if you activate the bank connection)
  • Twilio — SMS notifications (in development; only when feature is active and you have opted in)
  • SendGrid — transactional e-mail (invoice delivery, account notifications)
  • Hosting provider — server infrastructure (data stored in the EU)

Retention period

  • Invoice data: retained in accordance with the Dutch statutory tax record-keeping obligation (7 years)
  • Bank transaction data: retrieved on demand; we retain matched results linked to your invoices for as long as your account is active. Raw transaction data not matched to an invoice is not stored permanently.
  • WeFact API key: deleted immediately when you remove your WeFact connection or delete your account
  • Account data: retained for as long as your account is active; after account deletion, personal data is erased within a reasonable period, except for data we are legally required to retain

Your rights

You have the right to access, correct, delete and port your data, and you may object to processing. You can also revoke the bank connection or WeFact API key at any time in your account settings. To exercise your other rights, please contact us via the contact page.

Security

We take appropriate technical and organisational measures to protect your data, including bcrypt password hashing, encryption of sensitive credentials (API keys), TLS/HTTPS for all connections, and strict access controls on our servers.

Contact

Questions about this privacy policy? Get in touch via the contact page.