Privacy Policy

Last updated: April 2026

1. Data controller

Attentico is the controller responsible for processing personal data as described in this policy. Contact: privacy@attentico.nl.

2. What data we process

We process only data necessary to deliver the service:

  • Account data: name, email address, password (hashed via Supabase Auth)
  • Contact data: names, birthdays, special occasions, personal preferences and wishlists of people you send gifts to
  • Order data: delivery addresses and gift history
  • Payment data: processed via Stripe — we do not store full card details
  • Communication logs: AI-generated card messages and gift suggestions
  • Google Contacts (optional): if you choose to use the Google import, Attentico requests read-only access to your Google Contacts. We import name, email, phone number and birthday only. We do not store your Google account credentials and do not share imported data with third parties.
  • Session data: authentication cookies (functional only, no tracking)

3. Google Contacts — use of API data

Attentico uses the Google People API solely to import your contacts into the Attentico app. We request the scope contacts.readonly. This means we can only read your contacts, not modify or delete them.

  • Imported data is used solely to create contacts in your Attentico account.
  • We do not retain Google OAuth tokens after the import is complete.
  • Your Google data is never used for advertising, profiling, or sold to third parties.
  • Google data is not sent to AI models, analytics tools, or other internal systems.
  • No employee or third party can view your Google data unless you give explicit consent, it is necessary for a security investigation, or it is required by law.
  • You can delete imported contacts at any time via Attentico Settings → Data.
  • You can revoke Attentico's access at any time via your Google account settings: myaccount.google.com/permissions.

Attentico's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. Data protection & security

Attentico takes the protection of your personal data seriously. We have implemented the following technical and organisational measures to safeguard your data:

  • Encryption in transit: All communication between your browser and our servers uses HTTPS/TLS 1.3. We enforce HTTP Strict Transport Security (HSTS).
  • Encryption at rest: All data in our database (Supabase/PostgreSQL) is encrypted at rest (AES-256). Passwords are hashed using bcrypt.
  • Access control: We enforce Row Level Security (RLS) on all database tables, ensuring users can only access their own data. API routes are secured with authentication tokens.
  • Minimal data access: Third-party services receive only the minimum data necessary. Google API data is not shared with other processors or used for purposes beyond the contacts import.
  • Security headers: We set Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options and Referrer-Policy headers to mitigate cross-site scripting, clickjacking, MIME-type sniffing and referrer leakage.
  • Rate limiting: API endpoints are protected with rate limiting to prevent abuse.
  • No AI training: Your data is never used to train AI models. AI processing (Anthropic Claude) happens via API calls, and the provider does not use data sent through the API to train its models.
  • Incident response: In case of a personal data breach, we notify the Dutch Data Protection Authority within 72 hours of becoming aware of it (GDPR art. 33) and inform affected users without undue delay where the breach is likely to pose a high risk to them (GDPR art. 34).

5. Legal bases (GDPR art. 6)

  • Contractual necessity (art. 6(1)(b)): Account data, contact data, delivery addresses, and payments — necessary to deliver the service.
  • Consent (art. 6(1)(a)): Google Contacts import and optional marketing communications — you may withdraw this consent at any time.
  • Legitimate interest (art. 6(1)(f)): Fraud prevention, security, and service improvement.

6. Processors & third parties

We use the following sub-processors. Data processing agreements are in place with all processors.

  Processor            Purpose                                  Location
  Supabase             Database & authentication                EU (Frankfurt)
  Stripe               Payment processing                       EU / US*
  Anthropic (Claude)   AI gift suggestions & card messages      US*
  Brevo                Transactional email                      EU (Paris)
  Google LLC           Contacts import (read-only, optional)    US*
  Vercel               Hosting & edge functions                 EU / US*
  Partner webshops     Gift ordering                            NL
  Greetz.nl            Cards (physical & digital)               NL

* Transfers to the US take place on the basis of EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.

7. Retention periods

  • Account data: retained while your account is active. After deletion, data is permanently erased within 30 days.
  • Google Contacts import: OAuth tokens are not retained after the import. Imported contact data is retained while your account is active or until you delete it.
  • Payment records: 7 years as required by fiscal retention obligations.
  • AI logs: anonymised after 90 days.
  • Delivery addresses: deleted after order fulfilment, unless saved to your profile.

8. Cookies

Attentico uses only functional cookies that are technically necessary for the service to work (session management and authentication). We do not use analytics, marketing, or tracking cookies. No cookie wall or paywall is linked to cookie consent.

9. Your rights (GDPR)

You have the following rights regarding your personal data:

  • Access (art. 15): request what data we hold about you
  • Rectification (art. 16): correct inaccurate data
  • Erasure (art. 17): delete your account and all associated data — directly via Settings → Data
  • Restriction (art. 18): temporarily restrict processing
  • Portability (art. 20): download your data as CSV via Settings → Data
  • Objection (art. 21): object to processing based on legitimate interest
  • Revoke Google consent: via myaccount.google.com/permissions

Submit your request to privacy@attentico.nl. We will respond within one month.

10. Work customers: data processing agreement

Organisations using Attentico Work process personal data of their employees via our platform. Attentico acts as processor under GDPR in this context. A Data Processing Agreement (DPA) is available on request at legal@attentico.nl.

11. Lodge a complaint

If you have a complaint about how we process your data, you may lodge a complaint with the Dutch Data Protection Authority (AP): autoriteitpersoonsgegevens.nl.

12. Changes

We may update this privacy policy. For significant changes we will notify you by email. The date at the top of this document shows when it was last updated.

13. Contact

privacy@attentico.nl