Last updated: April 2026
This policy covers both visitors to our website and individuals whose data is processed through the OnboardZero platform. It is written to comply with the EU General Data Protection Regulation (GDPR / AVG) and the Dutch Uitvoeringswet AVG (UAVG).
OnboardZero is operated by [YOUR COMPANY NAME] B.V., registered at the Dutch Chamber of Commerce (KVK) under number [YOUR KVK NUMBER], with registered address at [YOUR COMPANY ADDRESS], the Netherlands.
We provide a digital onboarding platform that allows HR teams to collect and manage contractor and employee data in compliance with Dutch employment and tax law. For privacy questions, contact us at privacy@onboardzero.com.
We have not appointed a formal Data Protection Officer (DPO) as OnboardZero does not meet the thresholds for mandatory DPO appointment under GDPR Article 37. The privacy contact above serves as your point of contact for all data-related enquiries.
OnboardZero operates in two distinct capacities depending on context:
Data Controller — for our own platform users
When an HR manager signs up, logs in, or manages their account, OnboardZero determines the purpose and means of processing that person's data. We are the controller and this policy applies directly.
Data Processor — for employee and contractor data
When an HR team uses our platform to onboard contractors or employees, the employing company is the data controller. OnboardZero acts only on their instructions. The employer is responsible for providing a valid legal basis for processing their workers' personal data. Our Data Processing Agreement (DPA) governs this relationship — read the DPA here.
A. HR platform users (account holders / data controllers):
B. Contractors and employees (onboarding data subjects):
We do not collect special categories of data (Art. 9 GDPR) such as health, racial or ethnic origin, religious beliefs, or biometric data, unless explicitly required by an employer and with a documented lawful basis.
We process each type of data on a specific legal basis:
| Data type | Legal basis | Article |
|---|---|---|
| HR user account data | Performance of a contract | Art. 6(1)(b) |
| Billing information | Performance of a contract | Art. 6(1)(b) |
| Security logs / IP addresses | Legitimate interests (fraud prevention, platform security) | Art. 6(1)(f) |
| Onboarding data (name, address, etc.) | Performance of a contract (employment / engagement) | Art. 6(1)(b) |
| BSN (citizen service number) | Legal obligation — Dutch tax and payroll law (Wet LB 1964, Art. 28); UAVG Art. 46 | Art. 6(1)(c) |
| IBAN bank account number | Performance of a contract (salary payment) | Art. 6(1)(b) |
| Wet DBA risk score | Legitimate interests (legal compliance assessment) | Art. 6(1)(f) |
| Cookies (functional) | Legitimate interests / strictly necessary | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
Note on BSN: The BSN is a restricted identifier under Dutch law (UAVG Art. 46). OnboardZero processes it only when required by the employing company for Dutch payroll or tax administration. It is stored encrypted and never shared outside the payroll / tax processing chain.
All personal data is stored on servers located within the European Union. Our primary database runs on Supabase (PostgreSQL), hosted on AWS eu-west-1 (Ireland).
We share personal data only with the sub-processors listed below, each bound by a data processing agreement and Standard Contractual Clauses (SCCs) where data is transferred outside the EEA.
| Sub-processor | Purpose | Data location | Transfer basis |
|---|---|---|---|
| Supabase Inc. (USA) | Database & authentication | EU — AWS eu-west-1 | EU SCCs |
| Stripe Inc. (USA) | Payment processing (billing only) | EU | EU SCCs |
| Resend Inc. (USA) | Transactional email | EU — AWS eu-west-1 | EU SCCs |
| Sentry (Functional Software, USA) | Error monitoring — no PII logged | EU | EU SCCs |
| Upstash Inc. (USA) | Rate limiting — IP addresses only | EU region | EU SCCs |
| Personio GmbH (Germany) | HR system sync — optional, customer-configured | EU | Intra-EU — no transfer |
Standard Contractual Clauses (SCCs) are EU Commission-approved contractual mechanisms that require non-EU processors to provide GDPR-equivalent protections. We do not sell personal data to any third party.
OnboardZero includes a Wet DBA compliance checker that helps HR teams assess whether a contractor engagement qualifies as independent self-employment (ZZP) under Dutch law (Wet deregulering beoordeling arbeidsrelaties).
When a contractor completes the Wet DBA questionnaire, the platform automatically computes a risk score (0–8) and assigns a risk classification (low / medium / high). This is automated processing (profiling) to which the safeguards of GDPR Article 22 apply.
What you should know about this score:
| Data type | Retention period |
|---|---|
| HR user account data | Duration of subscription + 30 days after cancellation |
| Employee / contractor onboarding data | Duration of HR team's subscription + 30 days |
| Billing records | 7 years (Dutch fiscal law — Bewaarplicht) |
| Security and access logs | 90 days |
| Error monitoring data (Sentry) | 30 days |
| Anonymised audit records | Indefinite — no personal identifiers retained |
When the retention period expires, personal data is permanently and irreversibly deleted or anonymised. Personal identifiers are removed; non-identifiable statistical records may be kept for compliance and audit purposes.
OnboardZero uses only strictly necessary and functional cookies. We do not use advertising, analytics, or tracking cookies.
| Name | Type | Purpose | Expires |
|---|---|---|---|
| sb-* | Strictly necessary | Authentication session (set by Supabase). Required to keep you logged in. | Session / 1 hour |
| oz_cookie_consent | Functional | Stores your cookie consent preference. Kept in the browser's localStorage rather than as an HTTP cookie, so it is not sent with requests to our servers; prevents the banner from reappearing on subsequent visits. | Persistent |
Strictly necessary cookies do not require prior consent under the Dutch Telecommunicatiewet (Tw Art. 11.7a). You can clear all cookies and localStorage data at any time via your browser settings; this will log you out of the platform.
As a data subject, you have the following rights. We respond to all requests within one month (extendable by two further months for complex requests, with prior notice).
Right of access (Art. 15)
Request a copy of all personal data we hold about you, including the categories processed, the purposes, and who it has been shared with.
Right to rectification (Art. 16)
Ask us to correct inaccurate personal data, or to complete incomplete personal data, without undue delay.
Right to erasure (Art. 17)
Request deletion of your personal data. We may retain a non-identifiable anonymised audit record as required by law.
Right to restriction (Art. 18)
Ask us to pause processing while a dispute about accuracy or lawfulness is resolved.
Right to portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON or CSV) so you can transfer it to another service.
Right to object (Art. 21)
Object to processing based on legitimate interests or for direct marketing at any time. We must stop unless we can demonstrate compelling legitimate grounds.
Right regarding automated decisions (Art. 22)
Request human review of the Wet DBA risk score, contest the outcome, and provide your own context. The score must not be the sole basis for a consequential decision.
Right to withdraw consent
Where processing is based on consent (e.g. marketing emails), withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any right, email privacy@onboardzero.com with your name, email address, and a description of your request. We may ask for proof of identity before processing sensitive requests.
Despite our security measures, no system can guarantee absolute protection. In the event of a personal data breach:
To report a suspected security issue, email security@onboardzero.com.
If you believe we have not handled your personal data correctly, please contact us first at privacy@onboardzero.com — we aim to resolve all concerns within 30 days.
You also have the right to lodge a complaint directly with the Dutch supervisory authority at any time:
Autoriteit Persoonsgegevens (AP)
Website: autoriteitpersoonsgegevens.nl
Postal address: Hoge Nieuwstraat 8, 2514 EL Den Haag, the Netherlands
If your company uses OnboardZero to process personal data on behalf of your employees or contractors, a Data Processing Agreement (verwerkersovereenkomst) governs our obligations as your processor under GDPR Article 28. This agreement specifies the subject matter, duration, nature, and purpose of the processing, the type of personal data involved, and the rights and obligations of both parties.
We review and update this Privacy Policy periodically. The date at the top of this page reflects the most recent revision. For material changes, such as new categories of data collected, new sub-processors, or changes to data subject rights, we will notify registered HR users by email at least 14 days before the change takes effect.
Continued use of the platform after a change constitutes acceptance of the updated policy.