Skip to content
Afosto

Legal

Privacy Policy

This privacy policy explains how Afosto SaaS B.V. processes personal data when you use our commerce platform, visit afosto.com, or contact us.

Last updated: 2026-04-17

1. Who we are

Afosto SaaS B.V. (Afosto) is the controller of the personal data described in this policy. We are registered in The Netherlands under Chamber of Commerce number 61564702 and VAT number NL854393389B01.

Our registered address is Kieler Bocht 15 C, 9723 JA Groningen, Nederland.

2. What data we process

Depending on how you interact with Afosto we may process:

  • Account data: name, email address, company, role, hashed password.
  • Operational data: orders, customers, products, stock levels and other commerce data you enter or import.
  • Technical data: IP address, browser, device, pages viewed, errors, and performance metrics.
  • Communication data: support tickets, email correspondence, sales calls, and meeting notes.

3. Why we process it

We process personal data to:

  • Deliver, maintain and secure the Afosto platform.
  • Authenticate users and enforce access controls.
  • Provide customer support and respond to inquiries.
  • Comply with legal obligations including tax, accounting, and contractual duties.
  • Improve our product through aggregated usage analytics and error reporting.

Our legal bases are contract performance, legitimate interest (product improvement and fraud prevention), consent (where you opted in, e.g. newsletter) and legal obligation.

4. Who we share data with

We only share data with sub-processors that are contractually bound to GDPR-aligned standards. This includes our cloud infrastructure providers, email delivery provider, error monitoring, and any integration you explicitly enable. We never sell personal data.

5. How long we keep it

Account and operational data is retained for as long as your contract is active. After termination we retain data for up to seven years where required by law (e.g. tax records), and delete or anonymise the remainder on request.

6. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to our processing of your data. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise any of these rights, email us at [email protected].

7. Security

Afosto uses industry-standard encryption in transit and at rest, role-based access control, least-privilege service accounts, and automated vulnerability scanning. Payment data is processed by PCI-DSS compliant partners; we never store raw card numbers.

8. International transfers

Our primary infrastructure is hosted inside the EU. Where sub-processors operate outside the EU, we rely on the European Commission's Standard Contractual Clauses and additional safeguards as appropriate.

9. Updates to this policy

We may update this policy when our product or legal requirements change. Material changes will be communicated through the Afosto Hub or by email before they take effect.

10. Contact

Questions about this policy? Contact us at [email protected].