Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

If you have any questions about this Privacy Policy or our data processing practices, you can contact us at the email address above.

2. Personal Data We Collect

We collect the following categories of personal data when you use our Service:

2.1 Account Information

• Email address
• Name (as provided via Apple Sign-In or manual registration)

2.2 Verification Inputs

When you use TradeCheck to verify a company, we process the data you provide, including:

• Company names
• KvK (Chamber of Commerce) numbers
• VAT (BTW) numbers
• Director names

2.3 Technical Data

• IP address
• Device information (device model, operating system version, unique device identifiers as collected via Expo/React Native)
• App usage analytics (features used, session duration, error reports)

3. Purposes of Processing

We process your personal data for the following purposes:

• Providing the Service: Creating and managing your account, authenticating your identity, and performing company verification checks as requested by you.
• Generating verification reports: Analyzing company data using AI and web search to produce fraud risk assessments and verification reports.
• Transactional communications: Sending you account-related emails such as registration confirmations, password resets, and subscription receipts.
• Service improvement: Analyzing usage patterns and technical data to improve app performance, fix bugs, and develop new features.
• Security and fraud prevention: Protecting our Service and users from unauthorized access, abuse, and fraudulent activity.
• Legal compliance: Fulfilling our legal obligations under applicable law, including responding to lawful requests from authorities.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under the General Data Protection Regulation (GDPR):

• Performance of a contract (Article 6(1)(b) GDPR): Processing your account data and verification inputs is necessary to provide you with the TradeCheck service you have subscribed to. Without this data, we cannot deliver the core functionality of company verification.
• Legitimate interest (Article 6(1)(f) GDPR): We rely on our legitimate interest for processing technical data and usage analytics to maintain service security, prevent abuse, improve service quality, and ensure the stability and performance of our infrastructure. We have conducted a balancing test and determined that these interests do not override your fundamental rights and freedoms.

5. Sub-Processors and Data Sharing

We share your personal data with the following third-party sub-processors solely to the extent necessary to provide and operate the Service. We do not sell your personal data to any third party, ever.

6. International Data Transfers

Some of our sub-processors are located in the United States, which the European Commission has not recognized as providing an adequate level of data protection. To safeguard your data when it is transferred outside the European Economic Area (EEA), we rely on the following transfer mechanisms:

• EU Standard Contractual Clauses (SCCs): We have entered into Standard Contractual Clauses as approved by the European Commission with our US-based sub-processors (Anthropic, SerpAPI, Resend, and Apple) to ensure that your data receives an equivalent level of protection as it would within the EEA.
• EU-based processing where possible: Our primary database and authentication service (Supabase) is hosted in Frankfurt, Germany, and our verification engine (Hetzner) is hosted in Germany. We prioritize keeping your data within the EU wherever feasible.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data (email, name): Retained for as long as your account remains active. Upon account deletion, your account data will be permanently erased within 30 days.
• Verification reports: Retained for 2 years from the date of creation, after which they are automatically deleted. This retention period allows you to access historical reports and supports our legitimate interest in service improvement and dispute resolution.
• Technical and analytics data: Retained in aggregated or anonymized form for up to 12 months for service improvement purposes.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be linked to you.

8. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of that data.
• Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
• Right to erasure (Article 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
• Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

To exercise any of these rights, please contact us at support@gettradecheck.com. We will respond to your request within 30 days of receipt. If we need additional time due to the complexity of your request, we will inform you of the extension within the initial 30-day period.

9. Cookies and Tracking

TradeCheck uses only functional and essential cookies that are strictly necessary for the operation of the Service. Specifically:

• Supabase authentication session cookies: These cookies are required to keep you signed in and to maintain your authenticated session. They do not track your behavior across websites or apps.

We do not use any tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in any advertising networks or cross-site tracking. Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL) and at rest, access controls limiting data access to authorized personnel only, regular security assessments, and secure authentication mechanisms. While no system can guarantee absolute security, we continuously work to maintain and improve our security practices.

11. No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for marketing, advertising, or any other commercial purpose. Your data is shared with sub-processors solely to deliver and operate the TradeCheck service as described in this Privacy Policy.

12. Children's Privacy

TradeCheck is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you believe that a child under 18 has provided us with personal data, please contact us at support@gettradecheck.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes that significantly affect how we process your personal data, we will notify you by email using the address associated with your account before the changes take effect. We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when this policy was most recently revised.

14. Complaints

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. For users in the Netherlands, the relevant authority is:

We would, however, appreciate the opportunity to address your concerns before you contact the supervisory authority. Please reach out to us at support@gettradecheck.com first, and we will do our best to resolve the issue.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us at: