Netherlands · NL

Privacy Policy

How we collect, use, store, and share personal information when you use Oris Invoice. Aligned with the local data-protection regime listed below.

Aligned with: GDPR + UAVG · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with GDPR + UAVG. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Who we are

Oris Invoice is operated by ORIS Intelligence Pvt Ltd. For users resident in the Netherlands, this Privacy Policy is governed by GDPR + UAVG (Uitvoeringswet Algemene verordening gegevensbescherming). The competent supervisory authority is the Autoriteit Persoonsgegevens (AP).

2. What personal data we collect

We collect: account identifiers (name, email, phone), organisation tax registration data (BTW-nummer, KvK number), invoice and customer master data, payment metadata, and standard system telemetry. We do not collect special-category data (GDPR Art. 9) unless you upload it.

3. Lawful basis and purpose

We process personal data on the basis of (a) GDPR Art. 6(1)(b) — contract; (b) GDPR Art. 6(1)(c) — legal obligation under Dutch tax and accounting law; (c) GDPR Art. 6(1)(f) — legitimate interest in security; (d) GDPR Art. 6(1)(a) — consent for non-essential analytics.

4. Sub-processors and international transfers

Vetted list of sub-processors available on request. Primary data hosting in eu-west-1 (Ireland) for users resident in the Netherlands. Cross-border transfers rely on Adequacy Decisions or EU SCCs (2021/914) plus Transfer Impact Assessment per Schrems II.

5. Retention

Account and invoice data retained for the longer of (a) subscription duration plus 30 days, or (b) the 7-year statutory retention under Dutch tax law. Audit logs retained on INSERT-only basis. Backups retained 35 days.

6. Your rights (GDPR Art. 15–22)

Access (Art. 15), rectification (Art. 16), erasure (Art. 17, subject to retention overrides), restriction (Art. 18), objection (Art. 21), portability (Art. 20), or complaint with the Autoriteit Persoonsgegevens. Submit to privacy@orisinvoice.com — we respond within 30 days.

7. Security

AES-256-GCM at rest. Bank account numbers, BTW-nummers and other sensitive fields individually encrypted at the column level with KMS-managed keys. PostgreSQL Row-Level Security keyed on org context. SOC 2 Type II + ISO 27001-aligned ISMS.

8. Cookies and analytics

Essential cookies for authentication only. Optional analytics cookies disabled by default; require consent. No cross-site tracking pixels; no sale of user data to advertisers.

9. Children's data

Oris is a B2B service not directed at individuals under 16 (GDPR Art. 8 + UAVG). We do not knowingly collect personal data from children.

10. Contact and updates

Privacy: privacy@orisinvoice.com. DPO: dpo@orisinvoice.com. Material changes posted 30 days before they take effect.