
Privacy Policy

Effective date: April 14, 2026

Introduction

Dutch 30% Ruling ("we", "us", "our", or "Company") operates the Dutch 30% Ruling website and service. This Privacy Policy explains how we collect, use, protect, and manage your personal data when you use our website, submit an application form, or engage with our services.

We are committed to protecting your privacy and ensuring transparency about our data practices. We comply with the General Data Protection Regulation (GDPR) and Dutch data protection laws.

Data controller: the Dutch 30% Ruling service is operated by Lowkey Automation, a sole proprietorship registered with the Dutch Chamber of Commerce (KvK) under number 42057580, based in Amsterdam, the Netherlands.

Contact: [email protected]

1. What Data We Collect

We collect personal data through your interaction with our website and application form. The data collected includes:

How the data flows. You fill in one form in your browser, optionally pay, and your completed Dutch Tax Authority form and cover letter download instantly in the same browser. The form data you enter is used to fill the PDF in memory and is streamed back to your browser. We do not store your form data or your generated documents on our servers. Documents you choose to upload are sent to an EU-hosted AI reader to auto-fill a few fields for you to check; they are not stored after reading.

Application Form Data

When you complete the application form, we process:

  • Full name
  • Email address
  • Phone number
  • Date of birth
  • Nationality
  • BSN, which you type yourself; the BSN you type is never sent to the document reader and is placed onto your PDF on your own device
  • Employment details (employer, job title, start date)
  • Gross salary
  • Educational background
  • Previous country of residence

Website Data

When you visit our website, we may collect:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and time spent on page
  • Referral source

Payment Data

When you make a payment, we collect transaction details through our payment processor. We do not directly store your credit card information.

2. Legal Basis for Data Processing

We process your personal data based on:

  • Contract Performance: Processing necessary to prepare and verify your 30% ruling application form and provide our services.
  • Legitimate Interest: To improve our website, prevent fraud, and maintain business records.
  • Legal Obligation: Where required by Dutch tax law or other applicable regulations.

3. Why We Collect Your Data

We collect and use your data for the following purposes:

  • To prepare and verify your 30% ruling application form, which you (or your employer) then submit to the Dutch Tax Authority
  • To communicate with you about your application status and our services
  • To process payments and send invoices
  • To provide customer support and respond to inquiries
  • To improve our website, services, and user experience
  • To comply with legal and tax obligations
  • To prevent fraud and ensure security

4. How Long We Keep Your Data

We retain your personal data for different periods depending on the data type:

  • Application form data and your generated documents: not retained on our servers. Your form data is used to fill the Dutch Tax Authority PDF and generate the cover letter in memory and streamed back to your browser, then discarded. The completed documents are held only in your browser, so save them when they download.
  • Uploaded documents: sent only to the EU-hosted AI document reader to pull out a few fields, then discarded. We do not store your uploaded documents afterwards.
  • Payment records: 7 years, as required for accounting and tax compliance. These are held by our payment processor and in our accounting records, not as copies of your form data.
  • Website analytics: up to 2 years, unless you request deletion earlier.
  • Email communications: if you email us, retained for customer service purposes; you may request deletion at any time.

Because we do not store your form data or generated documents, there is nothing on our side to delete after you finish. Your payment record is the only data we keep, for the legally required period.

5. Sub-processors

We use a small set of sub-processors, each engaged under a data processing agreement. We describe them here by function and location. You can request the current list, including the name of each provider, in writing at [email protected].

Site hosting and content delivery

An EU-based hosting and content-delivery provider serves the website and runs the form-filling function. Your form data is processed in memory to fill the PDF and is then discarded.

AI document reading

When you upload documents to autofill the form, they are sent to an EU-hosted document-reading service, which uses a large language model accessed through an EU-resident inference profile (Ireland) to read the application details. The service reads your documents only to extract a few fields and does not retain them after reading; the model is not trained on your data. The BSN you type into the form is never sent to this service: you enter it yourself, and it is written into your PDF on your own device when you download it. If a document you upload happens to contain a BSN (for example a pay slip or identity document), that document is processed only to read it and is not retained.

Address verification

To verify the 150 km eligibility rule, we send the city and country you provide to a third-party geocoding service, which returns approximate coordinates. No other personal data is sent, and the result is cached on our side after the first lookup.

Payments

Payments are handled by an EU-based payment processor under its own controllership for the payment itself. It processes your payment information securely and does not receive your full card details; payment data is tokenized.

Dutch Tax Authority

You (or your employer) submit the prepared application directly to the Dutch Tax Authority; we do not transmit your data to the Dutch Tax Authority on your behalf. The Dutch Tax Authority is therefore not a processor acting under our instructions. It is a public authority that receives the application from you as part of the statutory tax process.

All processors have committed to protecting your data under data processing agreements compliant with GDPR.

6. International Data Transfers

Most of your data is processed within the EU. A small number of providers may process some data outside the EU (for example payment processing). These providers rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to ensure GDPR compliance. Your application form data is processed in the EU and is not sent to them.

We do not intentionally transfer personal data outside the EU except where necessary for service provision.

7. Your Data Rights

Under GDPR, you have the following rights:

Right of Access

You can request a copy of all personal data we hold about you.

Right of Rectification

You can request that we correct inaccurate or incomplete data.

Right of Erasure

You can request deletion of your data, subject to legal retention requirements (e.g., the 7-year tax law retention period).

Right of Data Portability

You can request your data in a portable, machine-readable format (e.g., CSV).

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

Right to Object

You can object to our processing of your data for certain purposes, particularly marketing or profiling.

Right to Lodge a Complaint

If you believe we are not complying with data protection laws, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP).

To exercise any of these rights, contact us at [email protected] with your request and proof of identity. We respond to data rights requests within 30 days, as required under Article 12 GDPR. There is no charge for a request unless it is manifestly unfounded or excessive.

Dutch Data Protection Authority (AP): If you wish to file a complaint regarding our data practices, you can contact the AP at www.autoriteitpersoonsgegevens.nl or (+31) 70 888 8500.

8. Security & Data Protection

We take data security seriously. We implement the following measures:

  • HTTPS encryption for all website traffic
  • Form data processed in memory to generate your PDF, then discarded, with no server-side copy kept
  • Document reading performed by an EU-based provider; the BSN you type is never sent to it
  • Restricted access to personal data (only authorized personnel)
  • Regular security audits and updates

While we implement strong security measures, no online service is 100% secure. We recommend you use strong passwords and keep your login credentials confidential.

9. Cookies & Tracking

We use a limited number of cookies and similar technologies. You control the non-essential ones through our cookie banner, and you can change your choice at any time via the "Cookie settings" link in the footer.

  • Strictly necessary (no consent required): storage needed for the site to work, to remember your progress in the application form, and to protect our forms against spam and abuse. These are always active.
  • Privacy-friendly statistics (no cookies): on some pages we use cookieless website statistics that set no cookies and do not track you across websites.
  • Analytics and advertising (only with your consent): we use Google's measurement and advertising tag to understand how visitors find and use the site and to measure our campaigns. It stores nothing on your device and shares no data until you accept it in the cookie banner; until then it runs in consent-denied mode.
  • No data sale: we never sell or rent your personal data, and we do not share it with third parties for their own marketing.

10. Children's Privacy

Our services are intended for adults (18 years and older). We do not knowingly collect personal data from children under 18. If we become aware that a child has submitted data, we will delete it promptly. Parents or guardians who believe a child has provided us with information should contact us immediately at [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on our website. Your continued use of our services after changes constitutes your acceptance of the updated policy.

Last Updated: June 18, 2026

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days.
