Privacy Policy
Last updated: February 2026
1. Introduction
ExpatSetup.nl (“we”, “us”, “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website at expatsetup.nl and its associated services, including calculators, guides, the service provider directory, and newsletter.
We process personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and applicable Dutch data protection legislation (Uitvoeringswet AVG). By using our services, you acknowledge that you have read and understood this policy.
2. Data controller
The data controller for the processing of your personal data is:
3. What data we collect
We collect only the minimum amount of personal data necessary to provide our services. The specific data depends on how you interact with us:
a) Calculator tools
When you use our calculators (salary, tax, 30% ruling, etc.), all calculations run in your browser. We store anonymized, aggregated usage statistics (e.g., how many times a calculator was used, average salary ranges) to improve our tools. No personally identifiable information is collected from calculator inputs.
b) Newsletter subscription
When you subscribe to our newsletter, we collect your email address. We use a double opt-in process: you must confirm your subscription via a confirmation email before we send you any newsletters. You can unsubscribe at any time via the link in every email.
c) Contact form
When you contact us, we collect your name, email address, and your message. This data is used solely to respond to your inquiry.
d) Quote requests
When you request a quote from a service provider, we collect your name, email address, phone number (if provided), the service type, and a description of your situation. This data is shared with the specific provider(s) you selected so they can respond to your request.
e) Checklist progress
If you choose to save your arrival checklist progress, we collect your email address and your completed checklist items. This allows you to restore your progress on any device via a magic link sent to your email.
f) Service provider accounts
If you register as a service provider, we collect your company name, business email, service category, and subscription tier. Payment is processed securely by Stripe — we do not store credit card numbers or payment details on our servers.
4. Legal basis for processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Consent (Art. 6(1)(a)): Newsletter subscriptions, checklist save, and quote requests — you provide explicit consent when submitting these forms.
- Contractual necessity (Art. 6(1)(b)): Provider account creation and subscription management — processing is necessary to fulfill our service agreement.
- Legitimate interest (Art. 6(1)(f)): Anonymous analytics and calculator usage statistics — to improve our services and understand aggregate user behavior.
5. How we use your data
- To send you our newsletter (only with your consent)
- To respond to contact form submissions
- To forward quote requests to the service provider(s) you selected
- To save and restore your checklist progress
- To manage provider accounts and subscriptions
- To improve our tools and services through anonymized analytics
- To comply with legal obligations
We never use your data for automated decision-making or profiling.
6. Data sharing and third parties
We do not sell, rent, or trade your personal data. We share data only in the following cases:
- Service providers in our directory: When you submit a quote request, your contact information and message are shared with the specific provider(s) you selected.
- Stripe: Payment processing for provider subscriptions. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
- Resend: Email delivery for newsletters, confirmations, and magic links. Resend processes data on our behalf as a data processor.
- Vercel: Website hosting. Vercel may process server logs containing IP addresses. See Vercel's Privacy Policy.
- Supabase: Database hosting (PostgreSQL). Data is stored in the EU. Supabase acts as a data processor.
7. Analytics
We use Plausible Analytics, a privacy-friendly analytics tool that:
- Does not use cookies
- Does not collect personal data
- Does not track individual users across sessions
- Is fully GDPR, CCPA, and PECR compliant
- Stores data in the EU
No consent banner is needed for Plausible because it does not process personal data.
8. Cookies and local storage
ExpatSetup.nl does not use tracking cookies. We may use your browser's localStorage for strictly functional purposes:
- Saving your checklist progress locally
- Remembering dismissed prompts
- Storing calculator preferences
This data never leaves your browser unless you explicitly choose to save it (e.g., by entering your email in the checklist save prompt). No third-party cookies are used.
9. Data retention
- Newsletter emails: Retained until you unsubscribe, after which they are deleted within 30 days.
- Contact form messages: Retained for up to 12 months after the last interaction, then deleted.
- Quote requests: Retained for up to 12 months, then anonymized or deleted.
- Checklist progress: Retained for up to 12 months of inactivity, then deleted.
- Provider accounts: Retained for the duration of the subscription, plus 6 months after cancellation for administrative purposes.
- Anonymized analytics: Retained indefinitely (no personal data).
10. Data security
We take appropriate technical and organizational measures to protect your personal data, including:
- All data transmitted over HTTPS (TLS encryption in transit)
- Database encryption at rest
- Access controls — only authorized personnel can access personal data
- Payment data handled exclusively by Stripe (PCI DSS Level 1 compliant)
- Magic-link authentication (no passwords stored)
11. International data transfers
Your data is primarily stored in the European Union. Where data is processed outside the EU (e.g., by service providers such as Vercel or Stripe), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.
12. Your rights under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to restrict processing (Art. 18): Request that we limit how we process your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time (e.g., by unsubscribing from our newsletter).
To exercise any of these rights, email us at privacy@expatsetup.nl. We will respond within 30 days.
13. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
14. Children's privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@expatsetup.nl and we will promptly delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify newsletter subscribers by email and update the “Last updated” date at the top of this page. We encourage you to review this page periodically.
16. Contact
For any questions about this Privacy Policy or how we handle your data, please contact us:
Email: privacy@expatsetup.nl
General: hello@expatsetup.nl