Privacy Policy

Last updated: June 21, 2026

1. Who are we?

De Rechter Software (hereinafter: "we", "us" or "Stippa") is responsible for the processing of personal data as described in this privacy policy.

  • De Rechter Software (trading under the name Stippa), sole proprietorship
  • Molenwater 20, 4511 BN Breskens, the Netherlands
  • Chamber of Commerce (KvK) number: 98466402
  • VAT number: NL005332100B80
  • Email: support@stippa.nl (or support@derechtersoftware.nl)

We act in two roles. With respect to the data of our account holders (the businesses that use Stippa) and their staff, we act as the Controller. With respect to the personal data of the End Clients that an account holder manages through Stippa, we act as the Processor: the account holder determines the purpose and is the Controller, and we process that data solely on behalf of and on the instructions of the account holder. The arrangements regarding this are set out in our data processing agreement.

2. What data do we collect?

We process the following categories of personal data:

  • Name and email address (upon registration and appointment management)
  • Phone number (optional, for reminder messages)
  • Appointment data (date, time, service, staff member, notes)
  • Payment information (processed via Stripe; we do not store full card details)
  • Technical data (IP address, browser type, usage logs)
  • Google Calendar data (only when a staff member connects his or her Google calendar; see section 6 for the full explanation)

3. For what purposes do we use your data, and on what legal basis?

We process each item of data for a specific purpose and on a specific legal basis under Article 6 GDPR:

  • Scheduling, managing and confirming appointments, on the legal basis of performance of the contract.
  • Sending reminders and notifications, on the legal basis of performance of the contract.
  • Processing payments, on the legal basis of performance of the contract and compliance with a legal (tax) obligation.
  • Synchronising appointments with external calendars (Google Calendar, iCal), on the legal basis of your explicit consent, which you may withdraw at any time.
  • Securing, maintaining and improving the service, including product analytics and fraud prevention, on the legal basis of our legitimate interest in providing a secure and usable service. We weigh this interest against your privacy and limit the processing to what is necessary for that purpose.
  • Complying with legal obligations, on the legal basis of a legal obligation.

4. Sharing with third parties

We share your data only with processors that are strictly necessary for the performance of our service:

  • Supabase Inc. for database hosting (hosted in the EU)
  • Vercel Inc. for hosting of the web application
  • Upstash, Inc. for rate limiting and abuse prevention (transient processing of IP addresses)
  • Cloudflare, Inc. for bot and abuse protection (Turnstile)
  • Sentry (Functional Software, Inc.) for error monitoring and application stability
  • Inngest, Inc. for background job execution, such as sending reminders
  • Grafana Labs for log management (Loki), only when enabled
  • Stripe Payments Europe Ltd. and Mollie B.V. for payment processing (Mollie is hosted in the EU)
  • Resend, Inc. for transactional email delivery (confirmations, reminders and notifications)
  • Twilio Inc. / WhatsApp Business for optional messaging services
  • PostHog for product analytics (on our marketing website only after your consent via the cookie banner, and within the application for account holders to improve the service; data is processed on servers within the EU; see section 10)

The following integrations are only enabled when you or a staff member connect them: Google LLC for calendar synchronisation (see section 6) and Moneybird B.V. for an accounting integration.

We never sell your data to third parties. To the extent that personal data is transferred to sub-processors outside the European Economic Area (including the United States, such as with Stripe, Google, Vercel, Resend, Sentry, Cloudflare, Upstash or Inngest), such transfer relies primarily on the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) for parties certified thereunder. As an additional or fallback safeguard, the European Commission's standard contractual clauses apply (Standard Contractual Clauses, implementing decision (EU) 2021/914).

5. Legal basis for processing

As explained in section 3, we process your data on the basis of performance of a contract, a legitimate interest, a legal obligation, or your explicit consent. Where we rely on consent, you may withdraw it at any time; this does not affect the lawfulness of the processing carried out prior to the withdrawal.

6. Google Calendar integration

Stippa offers staff members the option to connect their Google calendar via Google OAuth 2.0. The provisions below explain which Google user data we access, how we use it, with whom we share it, how we store and secure it, and how you can withdraw your consent.

6.1 Which Google data do we access?

When you or a staff member within your organisation chooses to connect a Google calendar, we request only the following OAuth scope: https://www.googleapis.com/auth/calendar.events.readonly. This is a read-only permission; with this permission Stippa cannot create, modify or delete events in your Google calendar. With that permission we access:

  • The email address of the connected Google account (solely for display in the dashboard, so the staff member can see which account is connected);
  • Start and end times, status and unique identifiers of events in the primary calendar of the connected Google account within a window of 90 days from the present moment;
  • We do not read any titles, descriptions, locations or attendee data from your existing Google calendar, only whether a time slot is occupied.

6.2 How do we use this data?

The data is used solely to display occupied time slots from your Google calendar within Stippa, in order to prevent double bookings. Stippa does not write events to your Google calendar; appointments that you manage in Stippa remain solely within Stippa.

6.3 With whom do we share this data?

We do not share Google user data with any third party. The tokens and calendar data are used solely to communicate with the Google APIs on behalf of the connected user. We never use Google user data for advertising or for any purpose other than those described in this privacy policy.

6.4 How do we store and secure this data?

OAuth access and refresh tokens are encrypted with AES-256-GCM before storage. All communication with Google APIs takes place over TLS 1.2 or higher. The database is hosted within the European Union. Access to tokens is restricted to the automated synchronisation processes; tokens are never viewed by employees of De Rechter Software.

6.5 Retention period and deletion

We retain Google user data for as long as the staff member keeps his or her Google calendar connected to Stippa. When the connection is disconnected via Stippa (Dashboard, Staff, "Calendar synchronisation" tab, "Disconnect"):

  • the tokens and busy times are immediately deleted from our database;
  • the Google push notification channel for that connection is stopped;
  • no further data is retrieved from Google.

You can also withdraw access at any time via your Google account at myaccount.google.com/permissions. In addition, you can submit a deletion request via support@stippa.nl; we process such a request within 30 days.

6.6 Limited Use, advertising and AI/ML training

Stippa's use and transfer of data received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use data obtained through Google Workspace APIs to develop, improve or train generalised artificial intelligence (AI) or machine learning (ML) models. Nor do we transfer such data to third parties for that purpose. Google user data is not used to display advertising.

7. Retention periods

Personal data is retained for as long as necessary for the purpose for which it was collected, or for as long as legally required:

  • Appointment and customer data: by default 2 years after the last appointment;
  • Payment-related data: 7 years (statutory tax retention obligation);
  • Google Calendar tokens and synchronisation data: until the connection is disconnected (see section 6.5);
  • Technical log files: a maximum of 90 days;
  • Audit logs of changes in the dashboard: 2 years, for security and compliance.

8. Your rights

You have the right to:

  • Access your personal data
  • Rectification or completion of inaccurate data
  • Erasure of your data ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interest
  • Withdraw consent previously given (such as when connecting an external calendar), without this affecting the lawfulness of earlier processing

You can send requests to support@stippa.nl. We respond within 30 days. To prevent misuse, we may ask you to prove your identity. If an account holder processes your data as an End Client, you may direct your request to that account holder; we provide the necessary cooperation as a Processor in that regard.

9. Security

We take appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest;
  • Encryption of sensitive tokens (such as OAuth access and refresh tokens) with AES-256-GCM before storage;
  • Role-based access control with row-level security in the database;
  • Regular security assessments and access logging;
  • A procedure for notifying data breaches to data subjects and the Dutch Data Protection Authority in accordance with the GDPR.

10. Cookies and analytics

We use functional cookies and local storage that are strictly necessary for the operation of the service (session management, login status and preferences). These are always set and cannot be disabled, because the service does not function without them.

On our public marketing website we additionally use PostHog for product analytics, to understand how visitors use the website and to improve it. This analysis is carried out only after you have given your consent via the cookie banner that appears on your first visit. If you refuse, or take no action, no analysis takes place. You can change your choice at any time by clearing the saved preference in your browser.

Within the logged-in application we use PostHog for product analytics at the account level (such as which features are used), on the legal basis of our legitimate interest in improving the service. In this environment there is no session recording, no heatmap registration and no automatic click tracking. During administrative sessions (impersonation by support), analytics is fully disabled.

In addition, via Vercel Speed Insights we collect anonymised performance data (such as load times, browser type, device type and country at country level) to monitor and improve the speed and reliability of the application. No cookies are placed and no personal data or IP addresses are stored; the data cannot be traced back to an individual visitor. No consent is therefore required for this; the processing takes place on the legal basis of our legitimate interest.

All analytics data is processed on servers within the European Union. We do not use advertising cookies and we do not share data with advertising networks.

11. Children

Our service is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children under the age of 16. If you suspect that we have collected such data, please contact us so that we can delete it.

12. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects concerning you or that significantly affects you.

13. Complaints

Do you have a complaint about how we handle your data? Please contact us via support@stippa.nl. You also have the right to lodge a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl. If you are located in another EU Member State, you may also turn to the supervisory authority of your own country.

14. Changes

We may update this privacy policy from time to time. The most recent version is always available on this page. In the event of significant changes, we will inform you by email or through a notification in the application.

© 2026 Stippa. All rights reserved.
