Privacy policy
Last updated: 08-08-2025
1. Who We Are
| Item | Details |
|---|---|
| Controller (for this service) | Reesure Operations B.V. (KvK 96207094, VAT NL 867513378 B01) |
| Address | Singel 542, 1017 AZ Amsterdam, Netherlands |
| Privacy e-mail | privacy@reesure.com (no formal DPO appointed; handled by the founding team, re-evaluated annually) |
Reesure (“we”, “us”) provides cloud software that automates property-rent collection, payment initiation and reporting for landlords and professional property managers (together, “Property Managers”).
Startup note. We’re a growing company. Core safeguards listed below are in place; some advanced controls are rolling out on a documented roadmap. See §7a.
2. Our Role Under GDPR
- Property Manager = Data Controller (determines purpose and means of tenant processing).
- Reesure = Data Processor (processes on the Controller’s instructions).
- Tenant = end-user who pays rent via the Platform; Tenants contract with the Property Manager, not Reesure.
3. Personal-Data Inventory & Legal Bases
| Data category | Elements | Source | Purpose | Legal basis (Art. 6) | Retention |
|---|---|---|---|---|---|
| Tenant details | Name, e-mail, phone, address, payment method token/IBAN, payment status | Controller / Tenant | Invoicing, payment initiation, reminders, dashboards | (b) Contract performance (via Controller), (f) legitimate interest for fraud prevention | Up to 7 years where needed for bookkeeping, otherwise anonymise after 12 months post-lease (§12 & §12a). |
| Property-manager details | Company name, KvK, VAT, contact name, e-mail, phone | Controller | Account setup, billing, support | (b) Contract performance | 7 years (business records) |
| UBO/KYC routing | UBO identity data collected by Stripe | Controller → Stripe | KYC/payouts handled by Stripe | (f) Legitimate interest to pass to Stripe; Stripe acts as its own controller for KYC | Per Stripe policy (Reesure does not store copies). |
| Payment metadata | Amount, currency, mandate ID, Stripe charge ID, refunds/returns | Stripe API | Reconciliation, dispute handling, audit | (b) Contract performance; legal retention (see §12a) | 7 years (or 10 years for immovable-property VAT records). |
| Technical logs | IP, device/browser, API events, error traces | Automatic | Security, fraud prevention, abuse control, analytics | (f) Legitimate interest | 5 years (operational security) |
| PM marketing preferences | Name, e-mail, opt-out flag | Controller | Product updates & service notices to PMs | (f) Legitimate interest with easy opt-out | Until opt-out |
We
never
4. What We Use Data For
- Payments. Initiate SEPA Direct Debit and Pay-by-Link collections via Stripe Payments Europe Ltd.
- Messaging. Send invoices, reminders and dunning notices via MessageBird (e-mail/SMS/WhatsApp).
- Dashboards & BI. Show real-time metrics in-app and optionally feed Power BI.
- Support & security. Investigate issues, prevent fraud, maintain uptime.
- Product improvement. Use anonymised/aggregated metrics to improve features and publish trend reports.
- Future features. AI-assisted recovery and stable-coin payouts may be added; such features will always allow human override and won’t take solely automated decisions (§10).
5. Sub-processors & International Transfers
| Provider | Function | Location of processing | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payments & payout infrastructure; KYC (as its own controller) | EEA | — |
| MessageBird B.V. | Messaging (e-mail/SMS/WhatsApp) | EEA | — |
| Microsoft Azure | Hosting (app + DB) | West Europe & North Europe | — |
| SendGrid (Twilio Inc.) | Transactional e-mail relay | USA | EU SCCs |
| HubSpot | CRM & PM product-update e-mail | EU & USA | EU SCCs |
Primary data sits in the EEA. Where limited support or e-mail delivery data is processed in the USA (e.g., SendGrid/HubSpot), we use the EU Standard Contractual Clauses and encrypted channels.
6. Cookies & Tracking
| Category | Tools | Consent model |
|---|---|---|
| Essential | Session ID, CSRF token | Always on |
| Analytics | Google Analytics 4 (via Google Tag Manager) | Loaded after consent |
| Advertising/social | LinkedIn Ads, Meta Pixel, Google Ads (via Tag Manager) | Loaded after consent |
A separate Cookie Statement explains categories and how to change preferences.
7. Security Measures (Art. 32 GDPR)
- AES-256 encryption at rest; TLS 1.2+ in transit
- Multi-factor authentication for admin accounts
- Role-based access with least-privilege
- Daily encrypted backups with off-site replication
- Quarterly vulnerability scans and annual external penetration test
- API rate-limiting & automated anomaly detection
7a. Status of Safeguards (Startup)
We operate a maturing security program. Controls above are in place; we’re expanding logging, vendor risk reviews and control testing on a defined roadmap. We prioritise fixes for material risks and update this Policy as capabilities mature.
8. Data Breach & Incident Response
We monitor 24/7. If a personal-data breach occurs, we will notify the Dutch supervisory authority without undue delay and, where feasible, within 72 hours, and inform affected Controllers (and, if required, Tenants) about the nature, impact and mitigation. (Wording mirrors GDPR; not a contractual SLA.)
9. Data-Subject Rights
Data subjects should contact their Property Manager (Controller). Reesure, as Processor, assists Controllers in handling:
- Access, rectification, erasure, restriction, objection, portability (Arts. 15–22)
- We may request reasonable ID verification before processing a request.
- Controllers can reach us at privacy@reesure.com; we assist within 30 days.
Complaints can be lodged with the Dutch supervisory authority (Autoriteit Persoonsgegevens).
10. Automated Decision-Making & AI
Reesure does not make decisions that produce legal or similarly significant effects solely by automated means. Future AI features will always provide human override and can be disabled by Controllers.
11. Children
The Platform is not intended for persons under 16 years. We do not knowingly process their data.
12. Data Retention & Deletion
- Tenant profile data: kept up to 7 years where necessary to meet bookkeeping obligations tied to transactions; otherwise anonymised after 12 months from lease end.
- Payment & accounting logs: 7 years basic retention; 10 years for records relating to immovable property/VAT.
- Technical logs: 5 years for operational security.
- PM marketing list: until opt-out.
12a. Dutch Record-Keeping (Bookkeeping)
Under Dutch law, businesses must retain core administration for at least 7 years, and for 10 years for records related to immovable property (and some VAT scenarios). These statutory duties may require us to retain certain payment records even after a lease has ended.
13. Changes to This Policy
We may update this Policy from time to time. The latest version is posted in-app and on our website with a new “Last updated” date.