Reesure

Privacy policy

This Privacy Policy explains what personal data Reesure collects, why, and your rights.

Last updated · 8 August 2025

Contents

1.Who we are

ItemDetails
Controller (for this service)Reesure Operations B.V. (KvK 96207094, VAT NL 867513378 B01)
AddressOrteliusstraat 116-1, 1057BG Amsterdam, Netherlands
Privacy e-mailsupport@reesure.com (no formal DPO appointed; handled by the founding team, re-evaluated annually)

Reesure ("we", "us") provides cloud software that automates property-rent collection, payment initiation and reporting for landlords and property managers (together, "Operators").

2.Our role under GDPR

2.1
  • Operator = Data Controller (determines purpose and means of tenant processing).
  • Reesure = Data Processor (processes on the Controller's instructions).
  • Tenant = end-user who pays rent via the Platform; Tenants contract with the Operator, not Reesure.

3.Personal-data inventory & legal bases

3.1
Data categoryElementsSourcePurposeLegal basis (Art. 6)Retention
Tenant detailsName, e-mail, phone, address, payment method token/IBAN, payment statusController / TenantInvoicing, payment initiation, reminders, dashboards(b) Contract performance (via Controller); (f) legitimate interest for fraud preventionUp to 7 years where needed for bookkeeping; otherwise anonymise after 12 months post-lease (§12 & §12a)
Operator detailsCompany name, KvK, VAT, contact name, e-mail, phoneControllerAccount setup, billing, support(b) Contract performance7 years (business records)
UBO/KYC routingUBO identity data collected by StripeController → StripeKYC/payouts handled by Stripe(f) Legitimate interest to pass to Stripe; Stripe acts as its own controller for KYCPer Stripe policy (Reesure does not store copies)
Payment metadataAmount, currency, mandate ID, Stripe charge ID, refunds/returnsStripe APIReconciliation, dispute handling, audit(b) Contract performance; legal retention (see §12a)7 years (or 10 years for immovable-property VAT records)
Technical logsIP, device/browser, API events, error tracesAutomaticSecurity, fraud prevention, abuse control, analytics(f) Legitimate interest5 years (operational security)
Operator marketing preferencesName, e-mail, opt-out flagControllerProduct updates & service notices to Operators(f) Legitimate interest with easy opt-outUntil opt-out

4.What we use data for

4.1

Payments. Initiate SEPA Direct Debit and Pay-by-Link collections via Stripe Payments Europe Ltd.

4.2

Messaging. Send invoices, reminders and dunning notices via MessageBird (e-mail/SMS/WhatsApp).

4.3

Dashboards & BI. Show real-time metrics in-app and optionally feed Power BI.

4.4

Support & security. Investigate issues, prevent fraud, maintain uptime.

4.5

Product improvement. Use anonymised/aggregated metrics to improve features and publish trend reports.

4.6

Future features. AI-assisted recovery and stable-coin payouts may be added.

5.Sub-processors & international transfers

5.1
ProviderFunctionLocation of processingTransfer mechanism
Stripe Payments Europe Ltd.Payments & payout infrastructure; KYC (as its own controller)EEA
MessageBird B.V.Messaging (e-mail/SMS/WhatsApp)EEA
Microsoft AzureHosting (app + DB)West Europe & North Europe
SendGrid (Twilio Inc.)Transactional e-mail relayUSAEU SCCs
HubSpotCRM & PM product-update e-mailEU & USAEU SCCs

Primary data sits in the EEA. Where limited support or e-mail delivery data is processed in the USA (e.g., SendGrid/HubSpot), we use the EU Standard Contractual Clauses and encrypted channels.

6.Cookies & tracking

6.1
CategoryToolsConsent model
EssentialSession ID, CSRF tokenAlways on
AnalyticsGoogle Analytics 4 (via Google Tag Manager)Loaded after consent

A separate Cookie Statement explains categories and how to change preferences.

7.Security measures (Art. 32 GDPR)

7.1
  • AES-256 encryption at rest; TLS 1.2+ in transit
  • Multi-factor authentication for admin accounts
  • Role-based access with least-privilege
  • Daily encrypted backups with off-site replication
  • Quarterly vulnerability scans and annual external penetration test
  • API rate-limiting & automated anomaly detection

7.2Status of safeguards (startup)

We operate a maturing security program. Controls above are in place; we're expanding logging, vendor risk reviews and control testing on a defined roadmap. We prioritise fixes for material risks and update this Policy as capabilities mature.

8.Data breach & incident response

8.1

We monitor 24/7. If a personal-data breach occurs, we will notify the Dutch supervisory authority without undue delay and, where feasible, within 72 hours, and inform affected Controllers (and, if required, Tenants) about the nature, impact and mitigation. (Wording mirrors GDPR; not a contractual SLA.)

9.Data-subject rights

Data subjects should contact their Operator (Controller). Reesure, as Processor, assists Controllers in handling:

9.1
  • Access, rectification, erasure, restriction, objection, portability (Arts. 15–22)
  • We may request reasonable ID verification before processing a request.
  • Controllers can reach us at support@reesure.com; we assist within 30 days.

Complaints can be lodged with the Dutch supervisory authority (Autoriteit Persoonsgegevens).

10.Data retention & deletion

10.1
  • Tenant profile data: kept up to 7 years where necessary to meet bookkeeping obligations tied to transactions; otherwise anonymised after 12 months from lease end.
  • Payment & accounting logs: 7 years basic retention; 10 years for records relating to immovable property/VAT.
  • Technical logs: 5 years for operational security.
  • Operator marketing list: until opt-out.

11.Record-keeping

11.1

Under Dutch law, businesses must retain core administration for at least 7 years and 10 years for records related to immovable property (and some VAT scenarios). These statutory duties may require us to retain certain payment records even after a lease has ended.

12.Changes to this policy

12.1

We may update this Policy from time to time. The latest version is posted in-app and on our website with a new "Last updated" date.