Privacy Policy
Last updated: 14 April 2026
1. Data controller
The controller of personal data collected via the Asbl-vzw-easy platform is:
nodio.be
Email: [email protected]
Website: https://nodio.be
This policy complies with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and with the Belgian law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
2. Data collected
We collect and process the following categories of data:
2.1 Account identification data
- Email address
- First and last name
- Username
- Language preferences
2.2 Organization data
- Association name
- Enterprise number (KBO/BCE)
- Registered office address
- Legal form and date of incorporation
- Corporate purpose
2.3 Director and officer data
- First and last name
- Home address
- Date of birth
- National register number (NISS) — stored securely and encrypted, used exclusively for UBO declarations and official forms
- Nationality
- Role and mandate dates
2.4 Billing data
- Payment information (processed exclusively by a certified payment provider; we never store your banking data)
- Subscription and invoice history
2.5 Technical data
- IP address
- Browser type and operating system
- Pages accessed and access timestamps
3. Legal basis for processing
We process your data on the following legal bases:
- Performance of the contract (Art. 6.1.b GDPR): processing is necessary to provide our compliance automation services.
- Legal obligation (Art. 6.1.c GDPR): some data are processed to meet our legal obligations (invoicing, tax obligations).
- Legitimate interest (Art. 6.1.f GDPR): improving our services, platform security, fraud prevention.
- Consent (Art. 6.1.a GDPR): for marketing communications and non-essential cookies.
4. Purposes of processing
- Providing and managing our ASBL/VZW compliance services
- Generating official forms and declarations
- Managing your user account and subscriptions
- Processing payments and invoicing
- Service-related communication (notifications, compliance alerts)
- Improving and developing the platform
- Compliance with our legal and regulatory obligations
5. Retention period
- Account data: kept for the entire duration of your subscription, then for 30 days after account closure to allow reactivation.
- Organization and director data: kept for the duration of the subscription. After user deletion, data are archived (soft delete) for 90 days and then permanently deleted.
- Billing data: kept for 7 years in accordance with Belgian accounting and tax obligations.
- Technical data (logs): kept for a maximum of 12 months.
- NISS numbers: deleted within 30 days of the removal of the director concerned or account closure.
6. Your rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): you can obtain confirmation that your data are being processed and receive a copy.
- Right to rectification (Art. 16): you can request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): you can request the deletion of your data, subject to our legal retention obligations.
- Right to portability (Art. 20): you can receive your data in a structured and commonly used format.
- Right to object (Art. 21): you can object to the processing of your data for legitimate reasons.
- Right to restriction of processing (Art. 18): you can request the restriction of processing in certain circumstances.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days.
7. Cookies
The Platform uses the following cookies:
- Essential cookies: necessary for the operation of the platform (authentication session, language preferences). They do not require your consent.
- Analytical cookies: used to understand platform usage and improve our services. Subject to your consent.
You can manage your cookie preferences through your browser settings or by clicking below.
8. Processors and data transfers
For the operation of the Platform, we rely on the following processors. Each is bound by a Data Processing Agreement (DPA) compliant with Article 28 GDPR:
| Processor | Role | Country | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database + authentication | EU (Frankfurt) | DPA + EU hosting |
| Vercel Inc. | Frontend hosting | United States | DPF + SCC |
| Stripe Payments Europe Ltd. | Payments | Ireland | DPA + SCC |
| Resend (Resend Inc.) | Transactional email | United States | DPF + SCC |
| Functional Software Inc. (Sentry) | Error monitoring | United States | DPF + SCC |
| Redis Labs Inc. | Cache / rate limiting | EU (Frankfurt) | DPA + EU hosting |
Appropriate safeguards (Standard Contractual Clauses — SCC, Data Privacy Framework — DPF) are in place for any data transfer outside the European Economic Area.
8a. Data Protection Impact Assessment (DPIA)
The Platform processes sensitive categories of data (national register number — NISS — and ultimate beneficial owner — UBO — data). In accordance with Article 35 GDPR, a data protection impact assessment is conducted before the launch of these features and updated regularly. The conclusions of this assessment guide the design of the technical and organisational measures applied.
8b. Data breach notification
In the event of a personal data breach likely to create a risk to your rights and freedoms, Nodio will notify the Data Protection Authority (APD/GBA) within 72 hours of becoming aware of it (Article 33 GDPR). If the breach is likely to result in a high risk, the affected individuals will be informed directly and without undue delay (Article 34 GDPR).
9. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Role-based access control (Row Level Security)
- Secure authentication
- Regular backups
- Separate storage of sensitive data (NISS, addresses)
10. Data Protection Officer (DPO)
For any question relating to the protection of your personal data, you can contact our Data Protection Officer:
Email: [email protected]
11. Supervisory authority
If you believe that the processing of your personal data constitutes a breach of the GDPR, you have the right to lodge a complaint with the Belgian Data Protection Authority:
Data Protection Authority (APD/GBA)
Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels
Tel.: +32 (0)2 274 48 00
Email: [email protected]
Website: www.dataprotectionauthority.be
12. Changes to the policy
We reserve the right to modify this policy at any time. Any substantial change will be notified by email or by a notification in the Platform. The date of last update is indicated at the top of this document.