Privacy policy

Last updated: 7 July 2026

1. Who we are

DossifAI (dossifai.nl) is a client due diligence (KYC) platform for notary offices, law firms and other organisations with AML obligations. Questions about this policy or your data? Email us at support@dossifai.nl.

2. Two roles: controller and processor

For the data of our own customers — account details, company details, billing and website usage — we are the data controller.

For the dossier data our customers process in the platform about their clients (questionnaire answers, uploaded documents), we act as a processor: the customer decides the purpose, we only process on their instructions. A data processing agreement is available to every customer on request via support@dossifai.nl.

3. What data we process

Depending on how you interact with us, we process:

  • Account data: name, email address, password (encrypted), role within your organisation.
  • Company and billing data: company name, invoicing and payment details (handled by Stripe; we never store card numbers ourselves).
  • Dossier data on behalf of our customers: identity and background information about their clients, completed questionnaires, documents and assessments.
  • Contact and demo forms: name, email address, company name and your message.
  • Technical data needed to run the service securely (such as logs).

4. Purposes and legal bases

We use data to provide and improve the service (performance of the contract), to invoice and meet tax obligations (legal obligation), to prevent abuse and secure the service (legitimate interest), and to answer your questions. We never sell data and never use it for advertising.

5. Subprocessors

We rely on a small set of carefully chosen providers to run the platform:

  • Vercel — application hosting.
  • Supabase — database, authentication and document storage.
  • Stripe — subscriptions and payments.
  • Resend — email delivery.
  • OpenAI — only when your organisation has enabled AI features, to analyse dossier content. AI output is always reviewed by a human.

6. Retention

Account data is kept for the duration of the agreement. Dossier data is kept for as long as our customer decides; AML dossiers typically carry a statutory five-year retention duty. Billing records are kept for seven years (tax law). The platform includes a GDPR erasure facility to delete client data on request, subject to statutory retention duties.

7. Security

Data is encrypted in transit (TLS) and stored in European data centres where possible. Access is segregated per organisation and per role; documents are only reachable through secured, expiring links. We apply the principle of least access.

8. Your rights

You have the right to access, rectify, erase, restrict, port and object. Email support@dossifai.nl — we respond within 30 days. If your request concerns a dossier one of our customers keeps about you, we forward your request to that organisation (they are the controller). You can also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

9. Cookies

We only use functional cookies needed to sign in and make the service work. See the cookie policy.

10. Changes

We may update this policy as the service or legislation evolves. The current version always lives on this page; we notify customers by email about material changes.