Privacy Policy

Last updated: 08-08-2025

1. Who We Are

| Item | Details |
| --- | --- |
| Controller (for this service) | Reesure Operations B.V. (KvK 96207094, VAT NL 867513378 B01) |
| Address | Singel 542, 1017 AZ Amsterdam, Netherlands |
| Privacy e-mail | privacy@reesure.com (no formal DPO appointed; handled by the founding team, re-evaluated annually) |

Reesure ("we", "us") provides cloud software that automates property-rent collection, payment initiation and reporting for landlords and professional property managers (together, "Property Managers").

Startup note. We're a growing company. Core safeguards listed below are in place; some advanced controls are rolling out on a documented roadmap. See §7a.

2. Our Role Under GDPR

  • Property Manager = Data Controller (determines purpose and means of tenant processing).
  • Reesure = Data Processor (processes on the Controller's instructions).
  • Tenant = end-user who pays rent via the Platform; Tenants contract with the Property Manager, not Reesure.

3. Personal-Data Inventory & Legal Bases

| Data category | Elements | Source | Purpose | Legal basis (Art. 6) | Retention |
| --- | --- | --- | --- | --- | --- |
| Tenant details | Name, e-mail, phone, address, payment method token/IBAN, payment status | Controller / Tenant | Invoicing, payment initiation, reminders, dashboards | (b) Contract performance (via Controller), (f) legitimate interest for fraud prevention | Up to 7 years where needed for bookkeeping, otherwise anonymise after 12 months post-lease (§12 & §12a). |
| Property-manager details | Company name, KvK, VAT, contact name, e-mail, phone | Controller | Account setup, billing, support | (b) Contract performance | 7 years (business records) |
| UBO/KYC routing | UBO identity data collected by Stripe | Controller → Stripe | KYC/payouts handled by Stripe | (f) Legitimate interest to pass to Stripe; Stripe acts as its own controller for KYC | Per Stripe policy (Reesure does not store copies). |
| Payment metadata | Amount, currency, mandate ID, Stripe charge ID, refunds/returns | Stripe API | Reconciliation, dispute handling, audit | (b) Contract performance; legal retention (see §12a) | 7 years (or 10 years for immovable-property VAT records). |
| Technical logs | IP, device/browser, API events, error traces | Automatic | Security, fraud prevention, abuse control, analytics | (f) Legitimate interest | 5 years (operational security) |
| PM marketing preferences | Name, e-mail, opt-out flag | Controller | Product updates & service notices to PMs | (f) Legitimate interest with easy opt-out | Until opt-out |

We never sell personal data to third parties.

4. What We Use Data For

  1. Payments. Initiate SEPA Direct Debit and Pay-by-Link collections via Stripe Payments Europe Ltd.
  2. Messaging. Send invoices, reminders and dunning notices via MessageBird (e-mail/SMS/WhatsApp).
  3. Dashboards & BI. Show real-time metrics in-app and optionally feed Power BI.
  4. Support & security. Investigate issues, prevent fraud, maintain uptime.
  5. Product improvement. Use anonymised/aggregated metrics to improve features and publish trend reports.
  6. Future features. AI-assisted recovery and stable-coin payouts may be added; such features will always allow human override and won't take solely automated decisions (§10).

5. Sub-processors & International Transfers

| Provider | Function | Location of processing | Transfer mechanism |
| --- | --- | --- | --- |
| Stripe Payments Europe Ltd. | Payments & payout infrastructure; KYC (as its own controller) | EEA | |
| MessageBird B.V. | Messaging (e-mail/SMS/WhatsApp) | EEA | |
| Microsoft Azure | Hosting (app + DB) | West Europe & North Europe | |
| SendGrid (Twilio Inc.) | Transactional e-mail relay | USA | EU SCCs |
| HubSpot | CRM & PM product-update e-mail | EU & USA | EU SCCs |

Primary data sits in the EEA. Where limited support or e-mail delivery data is processed in the USA (e.g., SendGrid/HubSpot), we use the EU Standard Contractual Clauses and encrypted channels.

6. Cookies & Tracking

| Category | Tools | Consent model |
| --- | --- | --- |
| Essential | Session ID, CSRF token | Always on |
| Analytics | Google Analytics 4 (via Google Tag Manager) | Loaded after consent |
| Advertising/social | LinkedIn Ads, Meta Pixel, Google Ads (via Tag Manager) | Loaded after consent |

A separate Cookie Statement explains categories and how to change preferences.

7. Security Measures (Art. 32 GDPR)

  • AES-256 encryption at rest; TLS 1.2+ in transit
  • Multi-factor authentication for admin accounts
  • Role-based access with least-privilege
  • Daily encrypted backups with off-site replication
  • Quarterly vulnerability scans and annual external penetration test
  • API rate-limiting & automated anomaly detection

7a. Status of Safeguards (Startup)

We operate a maturing security program. Controls above are in place; we're expanding logging, vendor risk reviews and control testing on a defined roadmap. We prioritise fixes for material risks and update this Policy as capabilities mature.

8. Data Breach & Incident Response

We monitor 24/7. If a personal-data breach occurs, we will notify the Dutch supervisory authority without undue delay and, where feasible, within 72 hours, and inform affected Controllers (and, if required, Tenants) about the nature, impact and mitigation. (Wording mirrors GDPR; not a contractual SLA.)

9. Data-Subject Rights

Data subjects should contact their Property Manager (Controller). Reesure, as Processor, assists Controllers in handling:

  • Access, rectification, erasure, restriction, objection, portability (Arts. 15–22)
  • We may request reasonable ID verification before processing a request.
  • Controllers can reach us at privacy@reesure.com; we assist within 30 days.

Complaints can be lodged with the Dutch supervisory authority (Autoriteit Persoonsgegevens).

10. Automated Decision-Making & AI

Reesure does not make decisions that produce legal or similarly significant effects solely by automated means. Future AI features will always provide human override and can be disabled by Controllers.

11. Children

The Platform is not intended for persons under 16 years. We do not knowingly process their data.

12. Data Retention & Deletion

  • Tenant profile data: kept up to 7 years where necessary to meet bookkeeping obligations tied to transactions; otherwise anonymised after 12 months from lease end.
  • Payment & accounting logs: 7 years basic retention; 10 years for records relating to immovable property/VAT.
  • Technical logs: 5 years for operational security.
  • PM marketing list: until opt-out.

12a. Dutch Record-Keeping (Bookkeeping)

Under Dutch law, businesses must retain core administration for at least 7 years and 10 years for records related to immovable property (and some VAT scenarios). These statutory duties may require us to retain certain payment records even after a lease has ended.

13. Changes to This Policy

We may update this Policy from time to time. The latest version is posted in-app and on our website with a new "Last updated" date.