Privacy Policy
LAST UPDATED: 11 JUNE 2026
GNS ("we", "us", "our") operates Netto, a bookkeeping platform for self-employed individuals and small businesses in the Netherlands. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our service, and describes your rights under the General Data Protection Regulation (GDPR) and its Dutch implementation (UAVG).
1. Data controller
GNS
Keurenplein 41, Box A8517
1069 CD Amsterdam, Netherlands
KvK (Chamber of Commerce): 88576116
Email: privacy@netto.so
2. Data we collect
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Account data | Name, email address, hashed password, account preferences, language setting |
| Business data | Business name, KvK number, BTW/VAT number, IBAN, business address, billing address |
| Financial records | Invoices, quotes, expenses, receipts, bank transactions, income and cost figures |
| Bank connection data | Account identifiers, transaction history, and balance — retrieved via Enable Banking (open banking). We never store your online banking credentials. |
| AI-processed data | Receipt images submitted for AI-assisted expense categorisation. Images are processed and discarded; only extracted metadata (amount, category, date, merchant) is stored. |
| Communication data | Support messages and emails exchanged with our team |
| Technical data | IP address, browser type, device type, pages visited, session duration, error logs |
3. How we use your data
We use your data to:
- Create and manage your account and subscription
- Provide core bookkeeping features: invoicing, expense tracking, VAT (BTW) calculation, bank reconciliation, and financial reporting
- Generate and deliver PDF invoices and quotes to your customers
- Connect to your bank account via Enable Banking to retrieve transaction data for reconciliation
- Process subscription payments via Mollie
- Send service emails: account confirmations, payment receipts, and critical service notifications
- Provide AI-assisted receipt scanning and transaction categorisation
- Detect and prevent fraud, abuse, and security incidents
- Comply with Dutch tax-law record-keeping obligations (Article 52 AWR)
- Improve and develop the service using aggregated, anonymised usage data
4. Legal basis for processing (GDPR Art. 6)
| Basis | Applied to |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Providing all core service features, billing, and bank connection |
| Legal obligation (Art. 6(1)(c)) | Retaining financial records for 7 years as required by Dutch tax law (AWR) |
| Legitimate interest (Art. 6(1)(f)) | Security monitoring, fraud prevention, aggregated analytics, support communication |
| Consent (Art. 6(1)(a)) | Marketing emails and optional product updates — withdraw at any time |
5. Third-party processors
We share your data only with processors who help us deliver the service, all bound by data processing agreements. We do not sell your personal data.
| Processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Application hosting, database, authentication, and file storage | EU |
| Enable Banking | Open banking — account information retrieval (licensed AISP under PSD2) | EU (Finland), regulated by Finnish FSA |
| Mollie | Subscription and payment processing | Netherlands, regulated by DNB |
| AI processing provider | AI-assisted features: receipt scanning, expense categorisation, bookkeeping assistant | EU / USA (SCCs in place where applicable) |
| Transactional email provider | Service and transactional emails | EU |
Where processors operate outside the EU/EEA, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions.
6. Enable Banking — open banking
The bank reconciliation feature uses Enable Banking, an Account Information Service Provider (AISP) licensed and supervised under the EU Payment Services Directive 2 (PSD2). When you connect your bank account:
- You are redirected to your own bank's authentication environment — we never see your banking credentials.
- Enable Banking retrieves your account transaction history and balance under your explicit consent.
- Retrieved transaction data is stored in your Netto account to enable reconciliation.
- You can revoke the bank connection at any time from your Settings page, which immediately terminates Enable Banking's access.
Enable Banking's own privacy policy applies to their processing. For more information, visit enablebanking.com/privacy.
7. Mollie — payment processing
Subscription billing is handled by Mollie B.V., a licensed payment institution regulated by De Nederlandsche Bank (DNB). When you pay for a Netto subscription, your payment data is processed directly by Mollie under their own terms. We receive only confirmation of payment outcome. Mollie's privacy policy: mollie.com/en/privacy.
8. Data retention
- Active account data — retained for the duration of your subscription.
- Financial records — retained for 7 years after the relevant financial year, as required by Article 52 AWR (Dutch tax administration act).
- Closed account — non-financial personal data (name, email, preferences) is deleted within 90 days of account closure.
- AI-processed receipt images — deleted immediately after metadata extraction; not retained.
- Technical logs — retained for up to 90 days.
9. Your rights under GDPR
To exercise any of the following rights, contact us at privacy@netto.so. We will respond within 30 days.
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Ask us to correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your data, subject to legal retention obligations.
- Right to data portability — Receive your financial data in a machine-readable format (CSV/JSON export available directly in the app).
- Right to restrict processing — Ask us to pause certain processing while a dispute is resolved.
- Right to object — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw any consent you have given (e.g., marketing emails) at any time.
- Right to lodge a complaint — File a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Security
We implement appropriate technical and organisational measures including TLS encryption in transit, encryption at rest, row-level security in our database, role-based access controls, and regular security reviews. In the event of a personal data breach likely to result in risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay.
11. Cookies
Netto uses strictly necessary cookies to maintain your authenticated session and functional cookies to remember your preferences (language, theme). We do not use third-party advertising or tracking cookies. You can manage preferences via the cookie banner shown on your first visit.
12. Changes to this policy
We may update this policy from time to time. For material changes we will notify you by email and update the date at the top of this page. Continued use of the service after the effective date constitutes acceptance.