Privacy Policy

Effective date: 1 July 2026 · OSTeam B.V. · Eindhoven, Netherlands

1. Who we are

XaaX is a SaaS operations platform developed and operated by OSTeam B.V., registered in the Netherlands. References to "we", "us" or "our" in this policy refer to OSTeam B.V.

For privacy-related questions: hello@osteam.nl

2. What data we collect

We collect only the data necessary to provide and improve the XaaX service:

  • Account data: name, work email address, hashed password, company name.
  • Usage data: activity logs, hours logged, projects, CRM entries and other content you or your team create inside XaaX.
  • Technical data: IP address (for rate limiting), browser type, access timestamps.
  • Billing data: payment method details are processed directly by Mollie B.V. and are never stored on our servers.

We do not collect sensitive personal data (health, religion, political opinions, etc.).

3. How we use your data

We use your data to:

  • Provide, operate and maintain the XaaX platform.
  • Send transactional emails (account creation, password reset, trial status, invoices).
  • Detect and prevent fraud, abuse or security incidents.
  • Comply with our legal obligations.

We do not sell your data. We do not use your data for advertising.

4. Legal basis for processing (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract (Art. 6(1)(b)): processing necessary to perform the subscription agreement with you.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvement.
  • Legal obligation (Art. 6(1)(c)): tax and financial record-keeping requirements under Dutch law.

5. Data sub-processors

We share your data only with the following trusted processors, each operating under GDPR-compliant data processing agreements:

Processor                       Purpose                              Location
MongoDB Atlas (MongoDB, Inc.)   Database hosting                     EU (Ireland)
Vercel Inc.                     Application hosting & edge network   EU nodes available
Resend Inc.                     Transactional email delivery         EU data residency opt-in
Mollie B.V.                     Payment processing                   Netherlands (EU)

6. Data retention

  • Active accounts: data is retained for as long as the subscription is active.
  • After cancellation: data is retained for 90 days to allow account recovery, then permanently deleted.
  • Financial records: invoices and transaction data are kept for 7 years as required by Dutch tax law (Belastingdienst).
  • Audit logs: retained for 12 months.

7. Your rights (GDPR)

As a data subject under GDPR, you have the right to:

  • Access: request a copy of personal data we hold about you.
  • Rectification: correct inaccurate data. Most data can be updated directly in your account settings.
  • Erasure ("right to be forgotten"): request deletion of your personal data.
  • Portability: receive your data in a machine-readable format (JSON/CSV).
  • Restriction: request that we limit processing of your data.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, email hello@osteam.nl. We respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

8. Data security

We apply industry-standard measures to protect your data: all data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed using bcrypt. Access to production systems is limited to authorised personnel.

In the event of a data breach that affects your rights, we will notify you and the relevant authorities within 72 hours as required by GDPR.

9. Cookies

XaaX uses only a session cookie required for authentication (NextAuth.js). This cookie is strictly necessary for the service to function and does not require consent under the EU Cookie Directive.

We do not use advertising, tracking or analytics cookies.

10. Changes to this policy

We may update this policy when the service changes or legal requirements evolve. Material changes will be communicated by email to the account admin at least 14 days before they take effect.