Privacy Policy

1. What Data We Collect

We collect personal data through your interaction with our website and intake form. The data collected includes:

Application Form Data

When you submit an application or intake form, we collect:

• Full name
• Email address
• Phone number
• Date of birth
• Nationality
• Employment details (employer, job title, start date)
• Gross salary
• Educational background
• Previous country of residence

Website Data

When you visit our website, we may collect:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent on page
• Referral source

Payment Data

When you make a payment, we collect transaction details through Stripe (our payment processor). We do not directly store your credit card information.

2. Legal Basis for Data Processing

We process your personal data based on:

• Contract Performance: Processing necessary to prepare and submit your 30% ruling application and provide our services.
• Legitimate Interest: To improve our website, prevent fraud, and maintain business records.
• Legal Obligation: Where required by Dutch tax law or other applicable regulations.

3. Why We Collect Your Data

We collect and use your data for the following purposes:

• To prepare, verify, and submit your 30% ruling application to the Belastingdienst (Dutch tax authority)
• To communicate with you about your application status and our services
• To process payments and send invoices
• To provide customer support and respond to inquiries
• To improve our website, services, and user experience
• To comply with legal and tax obligations
• To prevent fraud and ensure security

4. How Long We Keep Your Data

We retain your personal data for different periods depending on the data type:

• Application Data: 7 years, as required by Dutch tax law (Wet op de loonbelasting 1964). After 7 years, data is securely deleted.
• Payment Records: 7 years, as required for accounting and tax compliance.
• Website Analytics: Up to 2 years, unless you request deletion earlier.
• Email Communications: Retained for customer service purposes; you may request deletion at any time.

If your application is rejected or you do not proceed with the service, we will offer to delete your data unless we are required to retain it by law.

5. Third-Party Processors

We share your data with the following third parties who act as data processors under GDPR Article 28:

Formspree (Form Submission)

Your form data is submitted through Formspree (formspree.io), which temporarily processes the data to deliver it to our email. Formspree is compliant with GDPR and EU-US data transfer mechanisms. Formspree Privacy Policy

Stripe (Payments)

Payment processing is handled by Stripe, which securely processes your payment information and complies with PCI DSS standards. Stripe does not receive your full card details; payment data is tokenized. Stripe Privacy Policy

Cloudflare (Website Hosting)

Our website is hosted on Cloudflare Pages. Cloudflare may process IP addresses and browser data for security and performance purposes. Cloudflare Privacy Policy

Belastingdienst (Dutch Tax Authority)

When you authorize us to submit your 30% ruling application, your data will be shared with the Belastingdienst as required by law. This is a legal obligation, not optional.

All processors have committed to protecting your data under data processing agreements compliant with GDPR.

6. International Data Transfers

Most of your data is processed within the EU. However, some service providers (such as Stripe and Cloudflare) may process data in the United States. These companies rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to ensure GDPR compliance.

We do not intentionally transfer personal data outside the EU except where necessary for service provision.

7. Your Data Rights

Under GDPR, you have the following rights:

Right of Access

You can request a copy of all personal data we hold about you.

Right of Rectification

You can request that we correct inaccurate or incomplete data.

Right of Erasure

You can request deletion of your data, subject to legal retention requirements (e.g., the 7-year tax law retention period).

Right of Data Portability

You can request your data in a portable, machine-readable format (e.g., CSV).

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

Right to Object

You can object to our processing of your data for certain purposes, particularly marketing or profiling.

Right to Lodge a Complaint

If you believe we are not complying with data protection laws, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP).

To exercise any of these rights, contact us at [email protected] with your request and proof of identity.

8. Security & Data Protection

We take data security seriously. We implement the following measures:

• HTTPS encryption for all website traffic
• Secure form submission through Formspree
• Restricted access to personal data (only authorized personnel)
• Regular security audits and updates
• Secure deletion of data after retention periods expire

While we implement strong security measures, no online service is 100% secure. We recommend you use strong passwords and keep your login credentials confidential.

9. Cookies & Tracking

Our website uses minimal cookies. We only use functional cookies necessary for the website to operate correctly. We do not use cookies for tracking, profiling, or marketing purposes.

• Functional Cookies: Help the website function properly and remember your preferences.
• No Tracking: We do not use Google Analytics, Facebook Pixel, or similar tracking tools that would require your consent.
• No Selling Data: We never sell, rent, or share your personal data with third parties for marketing purposes.

10. Children's Privacy

Our services are intended for adults (18 years and older). We do not knowingly collect personal data from children under 18. If we become aware that a child has submitted data, we will delete it promptly. Parents or guardians who believe a child has provided us with information should contact us immediately at [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on our website. Your continued use of our services after changes constitutes your acceptance of the updated policy.

Last Updated: April 14, 2026

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: [email protected]
• Website: www.dutch30percentruling.com

We will respond to your inquiry within 30 days.