Privacy Policy

Last updated: April 2026

1. Who we are

Simezu is developed and operated by Atypisch, a sole trader (eenmanszaak) registered in the Netherlands. Atypisch is the data controller for personal data processed through Simezu.

Contact: support@atypisch.nl

2. What data we collect

  • Account data: name, email address, password hash (Argon2id)
  • Payment profile: billing details, payment method tokens (provider-side), subscription status
  • Session data: JWT tokens, refresh tokens, device / user-agent, IP address
  • Usage logs: IP address (rate limiting, security), API token usage, audit events
  • Communication: email addresses used to send transactional emails (magic links, verification, notifications)

3. Why we collect it (legal basis)

  • Contract performance (Art. 6(1)(b) GDPR): authentication, session management, payment processing, and connected-app access control are necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): security logging, rate limiting, and abuse prevention are in both our and your legitimate interest.
  • Legal obligation (Art. 6(1)(c) GDPR): payment records are retained as required by applicable financial and tax law.

4. How long we keep it

  • Active sessions: as configured (default 14 days for access tokens, 90 days for refresh tokens)
  • Security and usage logs: [LOG_RETENTION_DAYS] days
  • Payment records: as required by applicable law (minimum 7 years under Dutch accounting rules)
  • Account data: retained for as long as your account is active; deleted within 30 days of an account deletion request

5. Your rights (GDPR)

Under the GDPR you have the right to:

  • Access (Art. 15): request a copy of your personal data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion of your data ("right to be forgotten")
  • Portability (Art. 20): receive your data in a structured, machine-readable format
  • Objection (Art. 21): object to processing based on legitimate interest
  • Restriction (Art. 18): request that processing be restricted in certain circumstances

To exercise these rights, contact us at support@atypisch.nl. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens.

6. What we do not do

  • We do not sell your personal data to third parties.
  • We do not use your data for advertising purposes.
  • We do not use third-party analytics trackers (no Google Analytics, no Meta Pixel, etc.).
  • Simezu is self-hosted — data does not leave your own infrastructure.

7. Cookies

We use strictly necessary cookies for authentication and session management. See our Cookie Policy for details.

8. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a notice in the dashboard.