Privacy Policy

Last updated: 4 March 2026

1. Who We Are

Kopplio is operated by Chris Jayden, an Eenmanszaak (sole proprietorship) registered in the Netherlands.

Chris Jayden (trading as Kopplio)
Enschede, Overijssel
The Netherlands
support@kopplio.com

Chris Jayden is the data controller for the personal data described in this policy. We are subject to Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").

2. What Data We Collect

2.1 Account Data

When you create an account we collect: your name, email address, and a hashed password. If you sign in via an OAuth provider we receive only what that provider shares with us (typically name, email, and avatar URL).

2.2 Billing Data

Payments are processed by Stripe. We store your subscription plan and billing status. We do not store full card numbers or raw payment details. Those remain with Stripe under their own privacy policy and PCI DSS compliance.

2.3 Third-Party Connection Data

To provide the sync service, you connect your Stripe and Moneybird accounts via OAuth. We store the OAuth access tokens required to act on your behalf:

  • Stripe OAuth token: used to read your Stripe payment events, customer records, invoices, and payout data.
  • Moneybird OAuth token: used to create and manage contacts, sales invoices, purchase invoices, and financial mutations in your Moneybird administration.

These tokens are stored encrypted and are used exclusively to operate the sync automation on your behalf. We do not use them for any other purpose.

2.4 Sync Processing Data

In the course of processing your Stripe events and creating the corresponding Moneybird records, Kopplio processes financial data including: Stripe transaction IDs, customer names, customer email addresses, customer countries and VAT numbers, invoice amounts and line items, payout amounts, and transaction fees. This data is used solely to create the correct records in your Moneybird administration and to maintain a sync state (mappings between Stripe and Moneybird record IDs). We retain this sync state to ensure idempotency and to support reconciliation. We do not use your customers' financial data for any purpose beyond providing the sync service.

2.5 Usage & Analytics Data

We collect internal product usage metrics (e.g., number of sync events processed, error rates) for billing, reliability monitoring, and service improvement. These are tied to your account and are not shared with third parties for advertising or marketing purposes.

2.6 Technical Logs

Our servers and hosting provider (Vercel) may log IP addresses, request timestamps, request IDs, and error traces for security, debugging, and abuse prevention. These logs are retained for up to 30 days.

3. Legal Basis for Processing (GDPR)

| Purpose | Legal basis (Art. 6 GDPR) |
| --- | --- |
| Providing the service (account, Stripe/Moneybird sync) | Performance of a contract (Art. 6(1)(b)) |
| Processing your Kopplio subscription via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Storing OAuth tokens to operate the sync on your behalf | Performance of a contract (Art. 6(1)(b)) |
| Processing financial sync data (Stripe transactions, customer records) | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (account, billing receipts) | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, server logs | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. Dutch tax records) | Legal obligation (Art. 6(1)(c)) |
| Google Ads conversion tracking (advertising cookies) | Consent (Art. 6(1)(a)) |

4. Data Sharing & Third Parties

We do not sell your personal data. We share it only with the following sub-processors, each bound by a Data Processing Agreement (DPA):

  • Vercel Inc. (USA): application hosting. Covered by Standard Contractual Clauses.
  • Neon Inc. (USA): PostgreSQL database hosting. Stores sync state, record mappings, and organisation configuration. Covered by Standard Contractual Clauses.
  • Upstash Inc. (USA): Redis-based job queue and rate limiting. Covered by Standard Contractual Clauses.
  • Stripe Inc. (USA): both our payment processor for Kopplio subscriptions and the source of your Stripe financial data accessed via OAuth. Covered by Standard Contractual Clauses and certified under the EU-US Data Privacy Framework.
  • Moneybird B.V. (the Netherlands): the accounting platform into which Kopplio writes records on your behalf via OAuth. Based in the EU.
  • Bento / Bentonow.com: transactional email delivery (account verification, billing receipts, service notifications). Your email address is shared with Bento for this purpose.
  • Google LLC (USA): Google Ads conversion tracking. Loaded only after you have given your consent. Processing outside the EEA is covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. See also Google's privacy policy.

We may disclose personal data if required to do so by law or in response to valid legal process from Dutch or EU authorities.

5. International Data Transfers

Some of our sub-processors are based outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU-US Data Privacy Framework where applicable. Moneybird is based in the Netherlands and your data written to Moneybird remains within the EEA.

6. Data Retention

  • Account data: Retained for the duration of your account. Upon account deletion, your personal data is deleted or anonymised within 30 days, unless we are required to retain it by law.
  • Sync records and mappings: Retained while your account is active to ensure correct operation of the sync. Upon account deletion, sync records are deleted within 30 days, subject to any legal retention obligations.
  • OAuth tokens: Deleted upon disconnection of the relevant integration or account deletion.
  • Server logs: Retained for up to 30 days.
  • Billing records: Retained for 7 years as required by Dutch tax law (Belastingdienst).

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at support@kopplio.com.

  • Right of access (Art. 15): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): You can ask us to delete your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): You can ask us to restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can request your account data in a machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

We will respond to requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
Hoog Catharijne, Catharijnesingel 55
3511 GE Utrecht, The Netherlands
autoriteitpersoonsgegevens.nl

8. Cookies

8.1 Strictly Necessary Cookies

We set a limited number of cookies that are necessary for the service to function. No consent is required for these, because they fall under the exemption for strictly necessary cookies (Cookiewet, Art. 11.7a, paragraph 3, Tw):

  • Session cookies: for authentication and keeping your login session active.
  • sidebar_state: stores your sidebar preference (open/closed). Expires after 7 days.
  • mb_pending_oauth: temporary cookie used while connecting your Moneybird account via OAuth. Deleted immediately after completion.

8.2 Advertising Cookies (Google Ads)

With your consent, we set cookies from Google LLC for conversion tracking via Google Ads. This lets us measure how many free trials are started through our advertisements. Google sets the following cookies:

  • _gcl_aw: records which ad click led to a conversion. Retention period: 90 days.
  • _gcl_dc: supports conversion tracking for DoubleClick. Retention period: 90 days.

These cookies are loaded only after you have given your consent via the cookie notice at the bottom of the page. The legal basis is consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the "Cookie-instellingen" (cookie settings) link in the footer of our website, or by clearing your browser storage. Consent already given remains in effect until the moment it is withdrawn.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include HTTPS encryption in transit, hashed password storage, encryption of OAuth tokens at rest, and access controls on our infrastructure. However, no method of transmission over the internet is 100% secure.

10. Children

Kopplio is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of the service after the effective date of changes constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at:
support@kopplio.com