Privacy Policy

Last updated: January 17, 2025

At PraktijkFlow, we take your privacy extremely seriously. This privacy policy describes what data we collect, how we use it and what rights you have.

1. Data Controller

PraktijkFlow B.V., located at Herengracht 182, 1016 BR Amsterdam, Netherlands (KvK: 94827362), is responsible for processing your personal data as described in this privacy policy. Questions? Contact us at privacy@praktijkflow.app.

2. What data do we collect?

Account data

Name, email address, phone number, practice name, KvK number, VAT number

Client data

Name, contact details, appointments, session notes, invoices. You are the data controller for the client data you enter in PraktijkFlow.

Technical data

IP address, browser type, device information, usage statistics

3. What do we use your data for?

  • Providing our services (calendar, reminders, invoicing)
  • Communication about your account and updates
  • Customer service and technical support
  • Improving our services
  • Complying with legal obligations

4. Legal basis

We process your data based on: performance of the contract, your consent, legal obligations, and/or our legitimate interest (improving our services).

5. Sharing with third parties

We only share your data with:

  • Hosting providers (Supabase, Vercel), servers in Frankfurt, Germany
  • MessageBird for WhatsApp and SMS reminders
  • Lettermint (EU) for email delivery
  • Mollie for payment processing (if applicable)

We have data processing agreements with all these parties. A complete overview of our sub-processors is available in our Sub-processor Register.

6. Security

We take appropriate technical and organizational measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Strict access control with Row Level Security
  • Audit logging of all data changes
  • EU hosting in accordance with GDPR requirements

7. Retention periods

We do not keep your data longer than necessary:

  • Account data: up to 2 years after account termination
  • Invoices: 7 years (legal requirement)
  • Medical data: 20 years (WGBO requirement for healthcare providers)

8. Your rights

You have the following rights under GDPR:

  • Right to access your data
  • Right to correct inaccurate data
  • Right to erasure (within legal limits)
  • Right to data portability
  • Right to object to processing
  • Right to restriction of processing

To exercise your rights, contact privacy@praktijkflow.app.

9. Cookies

We only use necessary cookies for the functioning of the application. We do not use tracking cookies or advertising cookies. For more information, see our Cookie Policy.

10. International data transfers

Our primary data storage and processing takes place within the European Union (Frankfurt, Germany). Some of our sub-processors may process data outside the EU. In such cases, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with an adequate level of protection
  • Additional technical and organizational measures where necessary

You can request more information about specific data transfers via privacy@praktijkflow.app.

11. Data deletion and retention periods

PraktijkFlow acts as a data processor for client data. The practitioner is the data controller for the client data they enter. Below we explain how data deletion works.

Client erasure requests

Clients (data subjects) may submit a request for erasure of their personal data to their practitioner. The practitioner assesses this request in accordance with the GDPR. Note: under the WGBO (Dutch Medical Treatment Contracts Act), medical records must be retained for 20 years after the last treatment, and invoice data must be retained for 7 years for the tax authorities. Data not subject to these legal retention periods (such as contact preferences) may be deleted upon request.

When a practitioner archives a client

Archiving hides the client from the active list but preserves all data. This is not deletion. You can restore archived clients at any time. This is intended for clients whose treatment has ended but whose records must still be retained according to legal retention periods.

When a practitioner closes their account

When terminating your account, you have 30 days to export all your data. After that, your personal account data is deleted. Client data (invoices and medical records) remains stored according to legal retention periods and is automatically deleted thereafter.

Automatic deletion after retention periods

PraktijkFlow automatically deletes data after legal retention periods expire: invoice data after 7 years, medical data 20 years after the last treatment date. You will receive advance notification when data is scheduled for deletion.

Retention period overview

Data type                                      | Retention period                | Legal basis
-----------------------------------------------|---------------------------------|----------------------
Medical data (session notes, treatment plans)  | 20 years after last treatment   | WGBO (art. 7:454 BW)
Invoices and financial data                    | 7 years                         | Tax legislation
Practitioner account data                      | Up to 2 years after termination | Legitimate interest
Client contact preferences                     | Deletable on request            | Consent

12. Changes

We may change this privacy policy. For important changes, we will inform you by email.

13. Complaints

Do you have a complaint about our data processing? Please contact us first at privacy@praktijkflow.app. You also have the right to file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).