Privacy Policy
Last updated: 14 June 2025
1. Who we are
Factyo is an online invoicing service for freelancers and independent contractors, primarily serving the Netherlands. We are the data controller for the personal data you provide us, as defined by the General Data Protection Regulation (GDPR).
Contact: privacy@factyo.com
2. What data we collect
- Account data: full name, email address, password (encrypted)
- Business data: business name, Chamber of Commerce number, VAT number, IBAN, BIC, address
- Invoice data: client details you enter to create invoices
- Payment data: processed by Stripe — we never store full card details
- Usage data: IP address, browser type, pages visited (via Google Analytics, only with your consent)
3. How we use your data
| Purpose | Processing | Legal basis |
|---|---|---|
| Account management | Create and maintain your account | Art. 6(1)(b) GDPR — contract performance |
| Payment processing | Monthly subscription payments via Stripe | Art. 6(1)(b) GDPR — contract performance |
| Email communication | Invoices, OTP codes, system messages | Art. 6(1)(b) GDPR — contract performance |
| Website analytics | Measuring usage to improve the service (GA4) | Art. 6(1)(a) GDPR — consent |
| Legal obligations | Accounting record retention (7 years) | Art. 6(1)(c) GDPR — legal obligation |
4. How long we keep your data
- Account data: for as long as your account is active, plus 2 years after deletion
- Invoice data: 7 years (Dutch Tax Authority retention requirement)
- Payment data: per Stripe's retention policy (typically 5 years)
- Analytics data: maximum 14 months
5. Who we share your data with
| Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | US (Standard Contractual Clauses) |
| Google LLC | Website analytics (GA4) | US (Standard Contractual Clauses) |
| Vercel Inc. | Application hosting | US (Standard Contractual Clauses) |
| UploadThing | Logo file storage | US (Standard Contractual Clauses) |
We never sell your personal data to third parties.
6. Your rights under GDPR
- Right of access (Art. 15): request a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion ("right to be forgotten")
- Right to restriction (Art. 18): limit how we process your data
- Right to data portability (Art. 20): receive your data in a machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): withdraw cookie consent at any time
Send requests to privacy@factyo.com. We respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (AP).
7. Cookies
We use functional cookies and, with your consent, analytics cookies. Read our Cookie Policy for details.
8. Security
We apply HTTPS encryption, bcrypt password hashing, and access controls. In the event of a data breach that endangers your rights, we will notify you within 72 hours (Art. 33 and 34 GDPR).
9. Changes
We will notify you by email of any material changes. The most recent version is always available on this page.
Questions? Contact us at privacy@factyo.com