Skip to content
dienstennl.com
Legal

Privacy policy

Last updated: April 25, 2026

1. Introduction

dienstennl.com ("we", "us", "our") takes the protection of your personal data seriously. This privacy policy explains which data we collect, why we collect it, and how we handle it.

This policy applies to all services we provide through dienstennl.com.

WinkOffice is the controller for processing activities we determine ourselves. You can contact us at support@dienstennl.com.

2. Which data do we collect?

2.1 Visitors without an account

  • Technical data such as IP address, user agent, device and browser details, visited URLs, referrer, timestamps, error reports, and server logs
  • Cookie and storage preferences, necessary session cookies, and security cookies
  • A random rate-limit session cookie ("dnlsid") used when contact details are revealed
  • Public listing interactions such as listing views, contact reveals, and website, phone, or WhatsApp clicks
  • Google Analytics 4 and Google Tag Manager data, only after you consent to analytics or marketing storage
  • Aggregated cookieless usage statistics through Plausible Analytics
  • Error and performance data through Sentry, with text masked and media blocked in any error replays

2.2 Business owners with an account

  • Name, email address, phone number, account status, role, and session data
  • Authentication data through AWS Cognito and Auth.js
  • Business and profile details such as business name, KVK number, address, postal code, website, public email, phone number, WhatsApp number, opening hours, categories, service areas, description, social links, and rates
  • Uploaded photos and metadata such as file name, file type, file size, storage key, moderation status, and rights attestation
  • Category, service-area, reactivation, deletion, moderation, verification, and support requests, including reasons, status, review notes, and decisions
  • Records showing that you accepted terms or policies, including version and timestamp

2.3 Public business listings and unclaimed stubs

  • Publicly available business data from online and business sources, such as business name, place or municipality, public business category, website, public business contact details, and source references
  • Import and source metadata such as source URL, source ID, first-seen date, source rank, and import fingerprint
  • For unclaimed listings, we show only business name and place/municipality by default
  • Data needed for verification, correction, restriction, claim, or removal requests

2.4 Contact and support requests

  • Name, email address, phone number, and the content of your message or report
  • For reports: report type, listing, source locale, description, status, and handling data
  • For lead forms or callback requests, where available: name, email address, phone number, preferred contact method, requested service, and message
  • Cloudflare Turnstile token and technical signals needed to prevent spam and abuse

2.5 Payments and subscriptions

  • Checkout payment and invoice data is processed by Paddle as merchant of record. We do not store full card or bank details.
  • We may receive or store data needed for activation and administration, such as customer ID, email, legal or billing name, billing country, billing address, VAT number, subscription ID, plan, price ID, period, status, discount data, and relevant webhook data.

3. Why do we use your data?

PurposeLegal basis
Operate the website, search function, public listings, and contact optionsLegitimate interests and, where applicable, contract performance
Provide accounts, claims, verification, dashboard features, and subscriptionsContract performance or pre-contractual steps
Process payments, invoices, VAT, administration, and subscription statusContract performance and legal obligations
Collect, limit, correct, and keep public business data up to dateLegitimate interests, with data minimisation and objection/removal routes
Handle support, reports, deletion requests, and legal requestsLegitimate interests, legal obligations, and legal claims
Security, abuse prevention, rate limiting, fraud prevention, and debuggingLegitimate interests
Use Google Analytics 4 and Google Tag ManagerConsent
Use Plausible and limited first-party statistics for service improvementLegitimate interests, where privacy-friendly and limited

Data about legal entities is normally not personal data. For sole traders, partnerships, small businesses, and business contacts, business data can be personal data if it identifies a natural person. For that data, we use only what is needed for a limited business directory, verification, correction, security, and transparency.

We do not publish BSNs, birth dates, birth places, non-public home addresses, protected visiting addresses, private phone numbers, private email addresses, or special-category or criminal personal data on unclaimed listings. If we discover that an unclaimed listing contains privacy-sensitive or unnecessary personal data, we restrict, correct, or remove it.

We do not sell public-source data as a dataset and do not use it for unsolicited electronic marketing or telemarketing. We may use public business contact details to verify a listing, claim, correction, removal request, or business information where necessary and legally allowed.

We do not make solely automated decisions that have legal or similarly significant effects. Search and ranking order may be influenced by factors such as relevance, municipality, tier, Premium priority, and profile completeness.

4. Public sources, sole traders, and unclaimed stubs

We use public-source data only for the limited purpose of an accurate directory, claim verification, correction, and transparency. Public availability is not treated as unlimited permission to republish.

For unclaimed stubs, our product rule is to publish only minimal unclaimed stubs for B.V. companies whose trade name does not clearly or directly identify a natural person as the business. Sole traders, zzp-style businesses, vofs, maatschappen, cvs, foundations, associations, cooperatives, N.V.s, unknown legal forms, and trade names that clearly or directly identify a natural person are not published as unclaimed stubs without owner confirmation.

We do not publish phone numbers, email addresses, websites, addresses, KVK numbers, VAT IDs, opening hours, descriptions, photos, or enriched profile data on unclaimed stubs. We display those details only after an owner or authorized representative has confirmed or claimed the listing.

We use KVK and VAT data only where legally allowed, for example to verify a claim, authority, or business detail. We do not use Handelsregister data in breach of applicable terms and do not build a searchable database for onward disclosure of Handelsregister data.

5. Recipients and service providers

We share personal data only where needed for the service, security, payment, support, law, or legal claims. Key recipients and providers are:

  • Amazon Web Services (AWS): hosting, database, authentication, storage, CDN, email delivery, logging, and security. Our primary AWS region is eu-central-1 (Frankfurt), with global CDN and support processing where technically needed.
  • Paddle: checkout, payment, invoicing, VAT handling, subscriptions, and customer portal. Paddle acts as merchant of record and may be an independent controller for payment data.
  • Google Tag Manager and Google Analytics 4: website analytics and tag management, only after consent.
  • Plausible Analytics: cookieless, aggregated website analytics.
  • Cloudflare Turnstile: spam and bot protection on forms.
  • Sentry: error monitoring, performance, and technical debugging.
  • Verified or claimed businesses: when you use a lead form, callback request, phone link, WhatsApp link, or website link to contact a listed business. That business is independently responsible for its later handling of your data.
  • Advisers, authorities, or courts: where needed for law, administration, security, disputes, or legal claims.

6. Transfers outside the EEA

We try to process personal data within the European Economic Area where practical. Some providers, such as AWS, Paddle, Google, Cloudflare, or Sentry, may process or support data outside the EEA. Where this happens, we use appropriate safeguards such as EU Standard Contractual Clauses, applicable adequacy decisions, the EU-US Data Privacy Framework where applicable, additional security measures, and processor or data-sharing agreements.

7. Retention periods

  • Account and dashboard data: while the account or listing is active and up to 24 months after that, unless longer retention is needed for administration, security, disputes, or legal obligations.
  • Unclaimed listings: as long as needed for an accurate and limited business directory, unless correction, restriction, or removal is required
  • Public-source metadata: as long as needed to verify source, correction, objection, or removal.
  • Lead forms and callback requests: up to 12 months; where technically supported, hidden from the owner earlier after 90 days.
  • Contact, support, claim, verification, deletion, and report requests: as long as needed for handling and then up to 24 months, unless a dispute, legal duty, or security reason requires longer.
  • Listing statistics such as listing views, contact reveals, and contact clicks: up to 12 months.
  • Technical server, security, and error logs: normally up to 90 days, unless needed longer for security, debugging, fraud investigation, or legal claims.
  • The random rate-limit cookie "dnlsid" lasts up to 30 days. Cookie preferences in localStorage remain until you change or clear them.
  • Payment, invoice, and tax administration: 7 years, or longer where tax law requires.
  • Uploaded photos and profile content: while the listing is active or while needed for moderation, rights evidence, security, or disputes. Removed or rejected content is deleted or kept out of publication according to our technical deletion processes and backup/CDN timing.

8. Your rights

Under GDPR, you have rights of access, rectification, erasure, restriction, portability, and objection. You can also withdraw consent where processing is based on consent, and you have the right to lodge a complaint with the Dutch Data Protection Authority.

You can exercise these rights by contacting support@dienstennl.com. We respond within one month. If a request is complex or we receive many requests, we may extend that period as allowed by GDPR.

If you are a sole trader, small business, or business contact whose business details are also personal data, you may use the same address to object or request correction/removal. We may ask for proof that you are authorized for the relevant business.

If you object to processing based on legitimate interests, we reassess your specific situation. We stop or restrict processing unless compelling legitimate grounds override your interests, rights, and freedoms, or processing is needed for legal claims.

9. Security

We take appropriate technical and organizational measures to protect your data, including encryption in transit and at rest, access control, role-based authorization, logging, rate limiting, secure upload processes, token hashing, supplier agreements, and regular security reviews.

10. Cookies and similar technologies

We use necessary cookies and localStorage for operation, security, and preferences. Google Analytics and Google Tag Manager load only after you consent to analytics or marketing storage. You can change your preferences at any time through "Cookie settings" in the footer. For more information, see our cookie policy.

11. Changes

We may update this privacy policy from time to time. The latest version is always available on this page.

12. Contact

Questions about this privacy policy? Contact support@dienstennl.com.

WinkOffice, Vincent van Goghweg 18, 1506JC Zaandam, the Netherlands.

You can also lodge a complaint with the Dutch Data Protection Authority at autoriteitpersoonsgegevens.nl.

Privacy policy | dienstennl.com