Legal
Privacy Policy
This privacy policy explains how Afosto SaaS B.V. processes personal data when you use our commerce platform, visit afosto.com, or contact us.
Last updated: 2026-04-17
1. Who we are
Afosto SaaS B.V. (Afosto) is the controller of the personal data described in this policy. We are registered in The Netherlands under Chamber of Commerce number 61564702 and VAT number NL854393389B01.
Our registered address is Kieler Bocht 15 C, 9723 JA Groningen, Nederland.
2. What data we process
Depending on how you interact with Afosto we may process:
- Account data: name, email address, company, role, hashed password.
- Operational data: orders, customers, products, stock levels and other commerce data you enter or import.
- Technical data: IP address, browser, device, pages viewed, errors, and performance metrics.
- Communication data: support tickets, email correspondence, sales calls, and meeting notes.
3. Why we process it
We process personal data to:
- Deliver, maintain and secure the Afosto platform.
- Authenticate users and enforce access controls.
- Provide customer support and respond to inquiries.
- Comply with legal obligations including tax, accounting, and contractual duties.
- Improve our product through aggregated usage analytics and error reporting.
Our legal bases are contract performance, legitimate interest (product improvement and fraud prevention), consent (where you opted in, e.g. newsletter) and legal obligation.
4. Who we share data with
We only share data with sub-processors that are contractually bound to GDPR-aligned standards. This includes our cloud infrastructure providers, email delivery provider, error monitoring, and any integration you explicitly enable. We never sell personal data.
5. How long we keep it
Account and operational data is retained for as long as your contract is active. After termination we retain data for up to seven years where required by law (e.g. tax records), and delete or anonymise the remainder on request.
6. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to our processing of your data. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any of these rights, email us at [email protected].
7. Security
Afosto uses industry-standard encryption in transit and at rest, role-based access control, least-privilege service accounts, and automated vulnerability scanning. Payment data is processed by PCI-DSS compliant partners; we never store raw card numbers.
8. International transfers
Our primary infrastructure is hosted inside the EU. Where sub-processors operate outside the EU, we rely on the European Commission's Standard Contractual Clauses and additional safeguards as appropriate.
9. Updates to this policy
We may update this policy when our product or legal requirements change. Material changes will be communicated through the Afosto Hub or by email before they take effect.
10. Contact
Questions about this policy? Contact us at [email protected].