Privacy Policy

This Privacy Policy explains how Voorcast, operated by Nordnether (based in the Netherlands), processes personal data when you use our website (voorcast.com), our application (app.voorcast.com), or communicate with us. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).

Who is responsible

The controller for personal data we collect about prospects, website visitors, and account holders is Nordnether (Netherlands). For operational data that customers feed into Voorcast through their connected systems (Picqer, Magento, Slack, and similar), Voorcast acts as a processor and the customer remains the controller — as set out in our Data Processing Agreement.

What we process and why

Account data. Name, email address, hashed password, organization membership, and authentication metadata. Legal basis: performance of the contract with you (GDPR Article 6(1)(b)). We store this for as long as your account is active and for 30 days after termination.

Operational data. Product catalog, sales history, supplier data, purchase orders, and inventory state synchronized from your connected systems. Legal basis: performance of the contract with the customer organization. We process this only to deliver the service. Primary copies are deleted within 30 days of subscription end; automated server snapshots taken by our EU hosting provider roll off according to their snapshot retention configuration.

Billing data. Plan, billing email, invoice history. Payment instrument details are handled by our payment processor (Mollie) — we do not store card numbers or bank details. Legal basis: performance of the contract + legal obligation (tax retention, currently 7 years under Dutch law).

Support and communications. Emails you send us and our replies. Legal basis: legitimate interest (GDPR Article 6(1)(f)) in providing support. Retained while operationally useful; deleted on request.

Prospect data. If you contact us via the website (early-access requests, calculator submissions, contact form), we keep your message and the email address you provided. Legal basis: legitimate interest in responding. Deleted on request.

Where data is hosted

All Voorcast application and database infrastructure is hosted in the European Union (Germany), and backups remain in the EU. A small number of named sub-processors (listed on the Security page and in the DPA) operate outside the EU; transfers to those providers are governed by Standard Contractual Clauses or, where applicable, an adequacy decision. See our Security page for details on our hosting and security posture.

Sub-processors

We use a small number of sub-processors to operate the service — most of them EU-resident, with a few US-based providers (notably for AI embeddings, customer-configured notifications, and CDN/WAF) used under Standard Contractual Clauses. The current list is maintained on our Security page. We notify customers in advance of material changes to the sub-processor list and customers have the right to object as set out in the DPA.

Your rights

Under GDPR you have the right to access, rectify, erase, restrict, and port the personal data we hold about you, and to object to certain processing. To exercise any of these rights, email [email protected] — we respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in the Netherlands, the Autoriteit Persoonsgegevens).

Cookies and analytics

We currently use only functional cookies necessary to operate the site and the application (for example, session and CSRF cookies). We do not run analytics, advertising, or marketing trackers today. If we introduce analytics later, we will update this page first and prefer a privacy-respecting, self-hosted option (such as Umami).

Personal data breaches

If we become aware of a personal data breach, GDPR Article 33 obligations apply. Where the breach is likely to result in a risk to data subjects' rights and freedoms, we notify the relevant supervisory authority (Autoriteit Persoonsgegevens for the Netherlands) within 72 hours where feasible, and we notify affected individuals where the risk is high. Our security posture and the limits of our detection capabilities are described on our Security page.

Children

Voorcast is a B2B service and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16.

Changes to this policy

We update this policy when our processing changes. The Last updated date at the top reflects the most recent revision. Material changes that affect account holders are also communicated by email.

Contact

Privacy questions, requests to exercise rights, or DPA inquiries: [email protected]. We do not currently operate a formal Data Protection Officer at our scale; this address reaches the responsible team directly.