Privacy Policy

Last updated: February 19, 2026

1. Introduction

Keystone ("we," "our," or "us") is operated by Pim Steijns Eenmanszaak, a sole proprietorship registered in the Netherlands. We are committed to protecting your privacy and ensuring the security of your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our equipment management software and services.

2. Data Controller

Pim Steijns Eenmanszaak
Netherlands
Email: pimsteijns9@gmail.com
KVK: 83464115
BTW: NL003825922B29

Data Protection Officer: We do not currently have a designated Data Protection Officer (DPO) as we do not engage in high-risk processing activities that require mandatory DPO appointment under GDPR Article 37.

3. Information We Collect

3.1 Personal Information

  • Name and contact information (email, phone number)
  • Company information and business details
  • Payment information (processed securely through our payment providers)
  • Account credentials and preferences
  • Equipment inventory and business data you upload

3.2 Technical Information

  • IP address and device information
  • Browser type and version
  • Usage data and analytics
  • Cookies and similar technologies

4. How We Use Your Information

We use your information for the following purposes:

  • Providing and maintaining our software services
  • Processing payments and managing subscriptions
  • Communicating with you about your account and services
  • Providing customer support and technical assistance
  • Improving our services and developing new features
  • Complying with legal obligations
  • Sending marketing communications (with your consent)

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract: To provide our services and fulfill our obligations
  • Legitimate Interest: To improve our services and prevent fraud
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

6. Data Sharing and Disclosure

We may share your information with:

  • Payment processors (Paddle, Stripe) for payment processing
  • Cloud service providers (Supabase, Vercel) for hosting and infrastructure
  • Analytics providers (Google Analytics, Vercel Analytics) for usage insights
  • Legal authorities when required by law
  • Service providers who assist in our operations

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6.1 Subprocessors

We use the following subprocessors to provide our services. All subprocessors are bound by data processing agreements:

  • Supabase (United States) - Database hosting and backend services
  • Vercel (United States) - Application hosting and CDN
  • Paddle (United Kingdom) - Payment processing
  • Resend (United States) - Email delivery services
  • Google Analytics (United States) - Website analytics

Data transfers to countries outside the EEA are protected by Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

  • Encryption of data in transit (TLS/SSL) and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Employee training on data protection
  • Secure password policies and multi-factor authentication where applicable
  • Regular backups and disaster recovery procedures

7.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will also notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) as required by GDPR.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

  • Account data: Until account deletion or 7 years after last activity
  • Payment records: 7 years (legal requirement)
  • Analytics data: 26 months
  • Support communications: 3 years

9. Your Rights (GDPR)

Under GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, commonly used, and machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain types of processing, including direct marketing
  • Withdraw Consent: Withdraw consent for marketing communications at any time

To exercise these rights, contact us at pimsteijns9@gmail.com. We will respond to your request within one month (this period may be extended by two months for complex requests).

Provision of Data: Providing personal data is necessary for us to provide our services. If you do not provide required data, we may not be able to provide the Service to you.

9.1 Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. All decisions regarding your account and services are made by human operators.

10. Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyze usage, and provide personalized content.

For detailed information about our use of cookies, please see our Cookie Policy.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place through standard contractual clauses and adequacy decisions.

Data Storage Locations:

  • Primary database and backend services: United States (Supabase)
  • Application hosting: United States (Vercel)
  • Payment processing: United Kingdom (Paddle)
  • Email services: United States (Resend)

All transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an adequate level of protection.

12. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our website.

14. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

Pim Steijns Eenmanszaak
Netherlands
Email: pimsteijns9@gmail.com
KVK: 83464115
BTW: NL003825922B29

15. Complaints

If you believe we have not handled your personal data in accordance with this policy, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ Den Haag
Netherlands
Website: autoriteitpersoonsgegevens.nl