Privacy Policy
Last updated:
afdinger only works if you can trust that your data is safe. Below you'll read which personal data we process, why, with whom we share it, how long we keep it and which rights you have.
1. Who we are and how to reach us
The data controller is Lost Dutchman Labs B.V. in Amsterdam. Privacy questions go to info@afdinger.nl.
- Legal name: Lost Dutchman Labs B.V., trading as afdinger
- Address: Van Baerlestraat 13E, 1071 AM Amsterdam, the Netherlands
- Dutch Chamber of Commerce (KvK) number: 86265741
- VAT number: NL863914895B01
- Privacy contact email: info@afdinger.nl
2. Summary at a glance
The short version. The full paragraphs below carry the detail.
- We process only what is needed to check your quote and negotiate on your behalf.
- We share nothing with suppliers without your express per-quote consent.
- We only load GA4 and Meta Pixel after you have accepted cookies.
- Payments run via Stripe; we never see full card details.
- You have rights to access, correction, deletion and more; to exercise them, email info@afdinger.nl.
- Dutch law and the GDPR apply to this notice.
3. Definitions
- Personal data: any data that relates to you directly or indirectly.
- Processing: anything we do with personal data: collecting, storing, analysing, transferring, deleting.
- GDPR: the General Data Protection Regulation (EU 2016/679).
- Processor / sub-processor: a third party processing personal data on our instructions.
- Quote, Audit, Target Price, Negotiation, Savings, Partner: as defined in our Terms of Service.
4. Scope of this notice
This notice applies to the afdinger app, this website (afdinger.nl), all email communication from @afdinger.nl and the push notifications we send. External sites or services we link to have their own privacy policies.
5. Which personal data we process
A Quote can contain personal data (address, project description, sometimes a name). We treat it with the same care as your account data.
Provided by you
- Account data: email address, possibly your name, and an identifier from Apple or Google sign-in.
- Quote content: the file (PDF / photo / email) and its extraction. This may include personal data such as your name and address, the project address, and the supplier's contact details.
- Customer support communications: emails, in-app messages and any attachments.
Generated or derived by us
- Target Price, Confidence Score and per-line flags (too high, unnecessary, etc.).
- The full transcript of the Negotiation.
- Anonymised usage statistics used to improve the Service.
Automatically collected
- Technical device data (type, OS, browser version, language), required for display and security.
- IP address, only to the extent needed for the Service's operation and security.
- Cookies and similar technologies: see Annex A.
Provided by third parties
- Supplier replies during a Negotiation, received via Postmark.
- Stripe confirmations of successful payments (without full card details).
6. Purposes and legal bases
Per purpose, you can see which data we use, on which GDPR legal basis and which processor is involved.
| Purpose | Data | Legal basis (Art. 6 GDPR) | Processors | Retention |
|---|---|---|---|---|
| Account management | Email, name, login id | Art. 6(1)(b): contract performance | Convex; Apple/Google sign-in | Active + 6 months |
| Quote analysis (Audit) | Quote content, derived data | Art. 6(1)(b): contract performance | Vercel AI, Convex, Google Cloud | 24 months after close |
| Negotiating by email | Supplier contact, transcript | Art. 6(1)(b) + Art. 6(1)(a) per-quote consent | Postmark | 24 months after close |
| Charging the success fee | Payment token, transaction data | Art. 6(1)(b) + Art. 6(1)(c) tax | Stripe | 7 years (tax) |
| Customer support | Email correspondence | Art. 6(1)(f) legitimate interest | Postmark, Convex | 24 months |
| Product improvement (aggregated) | Anonymised usage data | Art. 6(1)(f) legitimate interest | internal | ongoing |
| Marketing analytics | GA4 cookies, Meta pixel | Art. 6(1)(a) consent | Google, Meta | See Annex A |
| Partner referral | Project specs (minimal PII) | Art. 6(1)(a) consent | selected Partners | Until quote concludes |
| Push notifications | Device token | Art. 6(1)(a) consent | Firebase | Until opt-out |
7. Sources of personal data
We receive personal data (a) directly from you when you use the Service, (b) automatically via your device or browser when using the Service, and (c) from third parties such as suppliers (in their replies during a Negotiation) and Stripe (on successful payment).
8. Automated decision-making and AI analysis
Our AI generates analyses; you make the decisions. We do not take automated decisions that legally or significantly affect you.
We use AI to analyse your Quote line by line and calculate a Target Price and a Confidence Score. These outputs are indicative and intended as an aid; the final decision whether to accept a Quote or to have us negotiate is taken by you in the app.
We do not take automated decisions within the meaning of Article 22 GDPR that produce legal effects concerning you or similarly significantly affect you.
9. The negotiation process and emailing on your behalf
A Negotiation starts only after you have expressly indicated in the app that afdinger may send an email to the supplier on your behalf from afdinger@afdinger.nl. We keep a full, transparent transcript in the app of every message sent and received. You can stop the Negotiation at any time.
We share with the supplier only the information needed to negotiate about the Quote. Other personal data, such as your payment details or transcripts of earlier negotiations, are never shared with suppliers.
10. Partner network and onward sharing of quote requests
We use the Partner network only at your express request, for example because the original supplier is unwilling or unable to negotiate. We then share the project specifications needed to produce a targeted alternative quote, and as little personal data as possible. Postcode or region may be shared; we try not to share full addresses until you have accepted a Partner offer.
12. Push notifications and in-app messages
We send push notifications via Firebase Cloud Messaging, for example to let you know that a supplier has replied. Push notifications are only sent after you have granted permission on your device. You can withdraw this permission at any time in your device's settings.
13. Sign in with Apple and Google
When you sign in via Apple or Google, we receive from that provider a unique identifier, your email address and (depending on the provider) your name. We store no passwords or other login credentials from these providers. Apple's and Google's own terms and privacy notices apply to that sign-in.
14. Payments via Stripe
We process payments via Stripe Payments Europe Ltd. We receive only the data needed to process and book the transaction: the amount, status, a Stripe token and (for iDEAL/SEPA) the bank details the User enters at Stripe. We do not receive full card numbers, CVCs or your banking login credentials. Stripe operates under its own terms as an independent controller for matters such as fraud prevention and anti-money-laundering obligations.
15. Hosting and infrastructure
Our backend and AI inference run on Google Cloud infrastructure. Where possible we use EU regions for storage and processing.
16. Sub-processors: full list
We work with these parties to deliver the Service. We enter into data processing agreements with all of them and, where needed, EU Standard Contractual Clauses.
| Sub-processor | Purpose | Country / region | Transfer mechanism |
|---|---|---|---|
| Convex (Convex, Inc.) | Realtime database and application server | EU / US | SCCs + supplementary measures |
| Vercel AI (Vercel, Inc.) | AI orchestration for quote analysis | EU / US | SCCs + supplementary measures |
| Stripe Payments Europe Ltd | Payment processing (success fee) | EU (Ireland) / US | SCCs + adequacy where applicable |
| Postmark (ActiveCampaign) | Transactional email (Negotiation) | US | SCCs + supplementary measures |
| Firebase (Google LLC) | Push notifications, mobile backend | EU / US | SCCs + Data Privacy Framework |
| Google Analytics 4 (Google LLC) | Anonymous site analytics (only after consent) | EU / US | SCCs + Data Privacy Framework |
| Meta Pixel (Meta Platforms Ireland Ltd) | Advertising attribution (only after consent) | EU / US | SCCs + Data Privacy Framework |
| Google Cloud (Google Ireland Ltd) | Hosting / compute / storage | EU | Google Cloud standard terms |
| Apple Inc. | Sign in with Apple | EU / US | SCCs + Data Privacy Framework |
| Google LLC | Sign in with Google | EU / US | SCCs + Data Privacy Framework |
| Google LLC | Google Maps iframe in footer (office) | EU / US | SCCs + Data Privacy Framework |
17. Transfers outside the EEA
Some of our sub-processors are based in the United States or transfer data there (including Stripe, Postmark, Vercel AI, Firebase, Google Analytics, Meta). For these transfers we rely on (a) the EU-US Data Privacy Framework for parties certified under it, and/or (b) the European Commission's Standard Contractual Clauses, supplemented with appropriate technical and organisational measures.
18. Security measures
We take appropriate technical and organisational measures to protect personal data, including:
- Encrypted connections (TLS 1.2+) between your device and our services.
- Encryption at rest where our suppliers offer it.
- Multi-factor authentication for internal access.
- Principle of least privilege for staff and systems.
- Logging of access and change actions on production.
- Regular review of access rights and arrangements with sub-processors.
No system is 100% secure. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where required, you as well.
19. Retention periods
| Category | Retention | Reason |
|---|---|---|
| Account data | While account is active + 6 months | Identification and re-opening |
| Quote content and Audit | 24 months after Negotiation closes | Customer support, model improvement, disputes |
| Negotiation transcript | 24 months after Negotiation closes | Evidence and customer support |
| Payment records / invoices | 7 years | Dutch tax retention obligation |
| Customer support correspondence | 24 months | Complaints and disputes |
| Analytics (GA4) | 14 months (GA4 default) | Aggregate analysis |
| Marketing pixel (Meta) | Per Meta default | Conversion attribution |
| Logs (technical/security) | Up to 12 months | Security and troubleshooting |
After a retention period ends, personal data is deleted or anonymised, unless we are legally required to keep it longer.
20. Your rights under the GDPR
Under the GDPR you have a set of rights over your personal data. We honour each request within one month, with the statutory option to extend if it's complex.
- Right of access (Art. 15 GDPR): an overview of the personal data we process about you.
- Right to rectification (Art. 16): correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): deletion of your data, to the extent statutory retention obligations allow.
- Right to restriction (Art. 18): temporarily "freezing" a processing activity.
- Right to data portability (Art. 20): the data you provided to us in a structured format.
- Right to object (Art. 21): against processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): for processing based on your consent, without affecting the lawfulness of earlier processing.
21. How you exercise your rights
You can send a request by email to info@afdinger.nl. We respond in principle within one month of receipt. For complex or numerous requests this period may be extended by up to two months; we will inform you of any extension.
To prevent abuse we may ask you to verify your identity, for example by confirming the request from the email address linked to your account. We do not ask for a copy of your passport.
22. Lodging a complaint with the Dutch DPA
If you believe we mishandle your data, you can lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl), PO Box 93374, 2509 AJ The Hague, the Netherlands. We appreciate it if you give us a chance to resolve it first via info@afdinger.nl.
23. Minors
The Service is intended for persons aged 18 or older. We do not knowingly process personal data of minors. If you suspect that a minor has inadvertently shared data with us, please contact us at info@afdinger.nl; we will delete that data as soon as possible.
24. Changes to this notice
We may amend this privacy notice to reflect changes to the Service or to laws and regulations. We will inform you of material changes at least 30 days in advance via an in-app notice and/or an email. The "Last updated" date at the top always shows when something last changed.
25. Contact and data protection officer
For all privacy questions you can reach us at info@afdinger.nl. Based on the criteria of Article 37 GDPR we are currently not required to appoint a Data Protection Officer; info@afdinger.nl serves as our central privacy contact point.
Annex B: Request access or deletion
Want to exercise your GDPR rights? Send us an email with the following details; we respond within one month.
- Your name as known in the account
- The email address you registered with at afdinger
- The type of request (access, rectification, erasure, restriction, portability, objection, withdrawal of consent)
- Any clarification (for example which data or which processing your request relates to)
Send your request to info@afdinger.nl. We confirm receipt within three working days.
Questions? Email info@afdinger.nl.