Rozuro Privacy Statement
Last updated: 19 May 2026
Atypisch, established at Europalaan 2b, 3526 KS Utrecht, the Netherlands (KvK 08092524), is responsible for the processing of personal data as described in this Privacy Statement. Atypisch takes the protection of personal data seriously and complies with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act.
The Dutch version of this Privacy Statement is binding. In case of conflict, the Dutch version prevails.
1. Who is responsible?
Controller
Atypisch (sole proprietorship)
Europalaan 2b, 3526 KS Utrecht, the Netherlands
KvK: 08092524
VAT: NL001582477B96
Email: info@atypisch.nl
For privacy questions or to exercise your rights, please contact info@atypisch.nl.
Atypisch is not required to appoint a Data Protection Officer (DPO) under the GDPR.
2. Two roles: when Atypisch is controller and when processor
When using Rozuro, it is important to distinguish between two types of processing:
- Atypisch as controller — for data Atypisch processes in order to offer Rozuro to the Customer. This concerns the Customer’s own account data, Atypisch’s invoices to the Customer, and usage data. These processing activities are described in this Privacy Statement.
- Atypisch as processor — for data the Customer enters into Rozuro (e.g. data of clients, contacts, projects, invoices). The Data Processing Agreement applies. The Customer is the controller for that data.
This Privacy Statement covers only the first category.
3. What personal data do we process?
3.1 Account data
- Name and surname
- Email address
- (Optional) phone number
- Company name, KvK number, VAT number
- Business address
- Password (in encrypted form, managed via Simezu)
- Chosen subscription and subscription history
3.2 Payment data
- Name and billing address
- Email address for invoicing
- Payment method type only (e.g. iDEAL, credit card, SEPA) — Atypisch never receives, processes, or stores actual card numbers, IBANs, security codes, or other raw payment instrument data
- Payment history and invoices (amounts, dates, status, transaction references)
Atypisch is not a payment institution and does not have access to your bank account or card details. All payment-instrument data is collected and processed directly by Simezu (which handles billing flows on behalf of Atypisch) and routed to a regulated payment provider (Mollie, Stripe or PayPal — see section 5 and the Sub-processor list). Simezu and the underlying payment providers run on infrastructure hosted at Nefos in the Netherlands; Atypisch receives back only a payment status, an opaque transaction reference, and the data shown above.
3.3 Usage data
- IP address
- Login time and session duration
- Browser and device information (user-agent)
- Pages and features used
- API calls (for subscriptions with API access)
- Error messages and log files
3.4 Communications
- Content of emails or support requests
- Time and channel of contact
3.5 Customer data (Rozuro as processor)
Data you enter into Rozuro yourself (such as data of your clients, suppliers, invoices, projects, time entries) is processed under the Data Processing Agreement. Atypisch acts as processor for this data and does not use it for its own purposes.
4. Purposes and legal bases
| # | Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| 1 | Creating and managing your account | Account data | Performance of contract (b) |
| 2 | Delivering the Rozuro service | Account data, usage data | Performance of contract (b) |
| 3 | Authentication and security | Account data, IP address, login logs | Performance of contract (b) and legitimate interest (f) — security |
| 4 | Invoicing and debt collection | Account data, payment data | Performance of contract (b) and legal obligation (c) — fiscal retention |
| 5 | Customer support | Communications data, account data | Performance of contract (b) |
| 6 | Service improvement (debugging, performance) | Usage data, error logs | Legitimate interest (f) — product improvement |
| 7 | Compliance with legal obligations (tax, GDPR requests) | Account data, payment data, invoices | Legal obligation (c) |
| 8 | Service and transactional emails (no marketing) | Email address, account data | Performance of contract (b) |
| 9 | Marketing (newsletters, product updates) | Email address | Consent (a) — opt-in, withdrawable at any time |
5. With whom do we share data?
Atypisch shares personal data only with the parties listed below, only to the extent necessary, and on a valid legal basis. An up-to-date overview is available in our Sub-processor list.
| Party | Role | Establishment | Purpose |
|---|---|---|---|
| Nefos | Hosting provider | Eindhoven, NL | Hosting and storage of Rozuro and all data |
| Simezu | Authentication and payment platform | Eindhoven, NL (hosted at Nefos) | Login, account management, payment processing |
| Mollie B.V. | Payment provider (via Simezu) | Amsterdam, NL | Payment processing |
| Stripe Payments Europe Ltd. | Payment provider (via Simezu) | Dublin, Ireland | Payment processing |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment provider (via Simezu) | Luxembourg | Payment processing |
All data is stored on Nefos servers in the Netherlands. No structural transfer takes place to countries outside the European Economic Area (EEA). If this changes in the future, transfers will only occur on the basis of appropriate safeguards such as Standard Contractual Clauses (SCCs).
Atypisch has data processing agreements in place with all parties acting as processors.
Atypisch does not sell personal data to third parties and does not share data with third parties for marketing purposes.
Atypisch may share personal data with competent authorities (such as the Dutch Tax Authorities, police, FIU-Netherlands) where required by law.
6. Retention periods
| Data category | Retention |
|---|---|
| Account data (active account) | For the duration of the account |
| Account data after termination | 90 days in soft-deleted status, then anonymised or deleted |
| Invoices and payment administration | 7 years (fiscal retention, Art. 52 AWR) |
| Log files (security, audit) | 12 months |
| Error logs | 90 days |
| Support communications | 2 years after last contact |
| Marketing (if consent) | Until withdrawal of consent, then deleted |
After the retention period, personal data is securely deleted or anonymised so that it can no longer be traced to a person.
7. Security
Atypisch takes appropriate technical and organisational measures to protect personal data against loss, unauthorised access, or misuse. Measures include:
- TLS encryption of all traffic between user and Rozuro;
- HSTS, CSP, and X-Frame-Options security headers;
- Password hashing (managed by Simezu);
- Rate limiting on authentication endpoints to prevent brute-force attacks;
- Strict API-level access controls (per-organisation isolation) to prevent cross-tenant data access;
- Audit logging of security-relevant events;
- Regular security audits;
- Immutability of sent and paid invoices;
- Encrypted back-ups stored at Nefos in the Netherlands.
Despite these measures, no system can be 100% secure. If you discover a vulnerability, please report it via info@atypisch.nl (responsible disclosure).
8. Your rights
Under the GDPR, you have the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure / “right to be forgotten” (Art. 17 GDPR), unless retention is legally required
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object (Art. 21 GDPR) — to processing based on legitimate interest
- Withdraw consent — for processing based on consent, without affecting earlier processing
You can exercise these rights via info@atypisch.nl. We respond within one month. To prevent misuse, we may ask you to verify your identity.
Complaint: you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
9. Data breaches
In the event of a data breach posing a risk to the rights and freedoms of data subjects, we will report it to the Dutch Data Protection Authority within 72 hours of discovery and, if there is a high risk, also to the data subjects concerned.
10. Cookies
For information on the use of cookies on Rozuro, see our Cookie Statement.
11. Automated decision-making
Atypisch does not engage in fully automated decision-making or profiling with legal effect or similarly significant effect for the data subject within the meaning of Article 22 GDPR.
12. Changes
Atypisch may amend this Privacy Statement. Material changes will be communicated at least 30 days before they take effect, by email or by notice in Rozuro. The most current version is always available at rozuro.com/legal/privacy.
13. Contact
Atypisch
Europalaan 2b, 3526 KS Utrecht, the Netherlands
Email: info@atypisch.nl