1. Data Controller
BolMoneybird, established in Enschede, the Netherlands, is responsible for the processing of personal data as described in this privacy policy. BolMoneybird is a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce.
- Company name: BolMoneybird
- Location: Enschede, the Netherlands
- Chamber of Commerce (KvK): 71434577
- Email: privacy@bolmoneybird.nl
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Registration and account data
- Full name
- Email address
- Password (stored as a bcrypt hash; the password itself is never stored)
- Company name
- Chamber of Commerce number
2.2 Billing and payment data
- Billing address
- VAT number
- IBAN bank account number
- Payment history and subscription details
2.3 API credentials and integrations
- Bol.com API credentials (client ID and client secret)
- Moneybird API tokens (OAuth access tokens and refresh tokens)
- Moneybird administration ID
2.4 Order data (synced from Bol.com)
- Order numbers and order IDs
- Order amounts, VAT amounts, and commissions
- Product details (name, EAN, quantity, price)
- Order status and shipment details
- Order dates
2.5 Customer data from orders
- Customer name (billing and shipping name)
- Billing and shipping address
- Customer email address (if available via Bol.com)
2.6 Technical data
- IP address
- Browser type and version
- Operating system and device type
- Referring URL
- Page request timestamps
2.7 Usage data
- Login times and session duration
- Features used within the application
- Synchronization history and error reports
2.8 Communication data
- Messages submitted through the contact form
- Email correspondence with our support
- Feedback and bug reports
3. Purposes of Processing
We process your personal data exclusively for the following specific purposes:
3.1 Service delivery
- Creating, managing, and securing your account
- Synchronizing Bol.com orders to your Moneybird administration
- Automatically creating invoices in Moneybird based on Bol.com order data
- Displaying synchronization status and history
3.2 Billing and payments
- Processing subscription payments
- Creating and sending invoices for our services
- Maintaining payment history
3.3 Communication
- Sending service-related emails (account confirmation, password reset, sync alerts)
- Responding to your inquiries and support requests
- Informing you about important changes to our service or terms
3.4 Improvement and security
- Analyzing usage patterns to improve our service
- Detecting and preventing abuse, fraud, and security incidents
- Resolving technical issues
3.5 Legal obligations
- Complying with fiscal retention obligations
- Complying with accounting obligations
- Cooperating with competent authorities when legally required
4. Legal Bases (Art. 6 GDPR)
We process your personal data based on the following legal grounds under Article 6 of the General Data Protection Regulation:
4.1 Performance of a contract (Art. 6(1)(b) GDPR)
- Creating and managing your account
- Providing the synchronization service between Bol.com and Moneybird
- Processing payments and billing
- Sending service-related communications
4.2 Legitimate interest (Art. 6(1)(f) GDPR)
- Improving and optimizing our service
- Securing our systems and detecting abuse
- Analyzing usage statistics (anonymized where possible)
- Maintaining technical logs for troubleshooting
4.3 Legal obligation (Art. 6(1)(c) GDPR)
- Retaining financial records in accordance with the fiscal retention obligation (7 years)
- Complying with accounting obligations
- Cooperating with competent authorities
4.4 Consent (Art. 6(1)(a) GDPR)
- Where applicable, for additional processing activities for which we specifically request your consent
You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
5. Data Recipients and Sub-processors
We only share your personal data with third parties when necessary for our service delivery. We never sell your data to third parties. The following parties receive, or may receive, personal data:
5.1 Cloudflare, Inc.
- Services: Hosting (Cloudflare Workers/Pages), CDN, D1 database, KV storage, DDoS protection
- Data: All stored data (account data, order data, API tokens), technical data (IP addresses, request data)
- Location: United States
- Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), data processing agreement pursuant to Art. 28 GDPR
5.2 EmailIt
- Services: Transactional email delivery
- Data: Email address, name, content of service emails
- Safeguards: Data processing agreement
5.3 Bol.com (bol)
- Services: Retrieving order data via the Bol.com Retailer API
- Data: Bol.com API credentials are used to retrieve orders; order data and customer data are received from Bol.com
- Safeguards: Bol.com processes data as an independent data controller under their own privacy policy
5.4 Moneybird B.V.
- Services: Creating invoices and contacts via the Moneybird API
- Data: Customer data from orders (name, address), order amounts, invoice details
- Safeguards: Moneybird processes data as an independent data controller under their own privacy policy; data processing agreement for API processing
6. International Data Transfers
Your personal data is primarily processed within the European Economic Area (EEA). Insofar as data is transferred to countries outside the EEA, we implement the following safeguards:
- Cloudflare (US): Transfer based on the EU-US Data Privacy Framework and supplementary EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
- We regularly assess whether the safeguards for international transfers remain adequate
- Where possible, processing is limited to data centers within the EU
7. Retention Periods
We do not retain your personal data longer than necessary for the purposes for which it was collected. We apply the following retention periods:
- Account data (name, email, company details): up to 12 months after account termination, after which it is deleted
- API credentials (Bol.com credentials, Moneybird tokens): deleted immediately upon disconnection or account termination
- Order data (order numbers, amounts, customer data): 7 years after the financial year in which the order was placed, in accordance with fiscal retention obligations (Art. 52 AWR)
- Billing data (IBAN, payment history): 7 years in accordance with fiscal retention obligations
- Technical logs (IP addresses, request data): maximum 90 days
- Communication data (emails, contact form): 2 years after the last contact
- Usage data (session data, feature usage): 12 months
After the retention period expires, data is deleted or anonymized. Data required for an ongoing legal proceeding or a request from a competent authority is retained until the proceeding or request is concluded.
8. Security
We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:
- Encryption at rest: Sensitive data (API tokens, credentials) is stored encrypted using AES-256 encryption
- Encryption in transit: All communication is conducted via TLS 1.2+ (HTTPS)
- Password storage: Passwords are hashed using bcrypt; the original password is never stored
- Authentication: JWT-based session authentication with secure token renewal
- API token encryption: Bol.com and Moneybird API tokens are stored encrypted and only decrypted during use
- Access control: Strict separation of customer data; data access exclusively based on account ownership
- Infrastructure security: Cloudflare DDoS protection, Web Application Firewall (WAF), and secured edge networks
- Incident response: Procedures for detecting, reporting, and handling data breaches in accordance with Art. 33 and 34 GDPR
9. Your Rights Under the GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we process about you
- Right to rectification (Art. 16 GDPR): You may request correction or completion of inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, unless we are legally required to retain it
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data
- Right to data portability (Art. 20 GDPR): You may receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint: You have the right to lodge a complaint with the Dutch Data Protection Authority (see section 16)
10. Exercising Your Rights
You may exercise your rights by sending a request to:
- Email: privacy@bolmoneybird.nl
We will respond to your request within 30 days, in accordance with the GDPR. In exceptional cases, this period may be extended by a maximum of 60 days; we will inform you if this is necessary. We may ask you to verify your identity before processing your request, to ensure the security of your data.
Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.
11. Cookies
We use only strictly necessary cookies that are essential for the functioning of the application:
- Session cookie: An encrypted cookie that maintains your authentication status so you remain logged in. This cookie is deleted when you log out or when your session expires.
We do not use tracking cookies, marketing cookies, or analytics cookies. No third-party cookies are placed. Because we only use strictly necessary cookies, no cookie consent is required under the ePrivacy Directive.
12. Children's Privacy
Our service is intended exclusively for business users aged 18 and older. We do not knowingly collect personal data from individuals under the age of 18. If we discover that we have collected data from a minor, we will delete it immediately. If you believe we are processing data of a minor, please contact us at privacy@bolmoneybird.nl.
13. Automated Decision-Making
We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR, that produces legal effects concerning you or similarly significantly affects you. All significant decisions regarding your account are made by humans.
14. Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment (DPIA) for the core processing of our service, namely the synchronization of Bol.com order data to Moneybird. This assessment confirms that the processing is necessary and proportionate, and that adequate measures have been taken to mitigate risks to data subjects.
15. Changes to This Privacy Policy
We may update this privacy policy from time to time, for example due to new features, changes in legislation, or modified processing activities. In case of significant changes:
- We will inform you by email prior to the change
- We will display a prominent notice in the application
- We will update the "Last updated" date at the top of this policy
The most current version of this privacy policy is always available on this page. We recommend that you review this policy regularly.
16. Contact and Complaints
For questions, comments, or complaints about this privacy policy or the processing of your personal data, you may contact us:
- Company: BolMoneybird
- Location: Enschede, the Netherlands
- Chamber of Commerce (KvK): 71434577
- Email: privacy@bolmoneybird.nl
If you believe we are not processing your personal data correctly, you have the right to lodge a complaint with the Dutch supervisory authority:
- Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
- PO Box 93374, 2509 AJ The Hague
- Phone: +31 88 1805 250
- Website: www.autoriteitpersoonsgegevens.nl