Privacy Policy

This policy describes how Libaros (MVE Holding BV, trading as Libaros) collects, uses, and protects your personal data when you use libaros.com. We follow the EU General Data Protection Regulation (GDPR) and Dutch law.

Effective from:

1. Who we are

Controller: MVE Holding BV, trading as Libaros, registered in the Netherlands. Trade name: Libaros. Dutch CoC 58233938 · VAT NL852937039B01. Email: privacy@libaros.com.

We have not appointed a formal Data Protection Officer because we do not meet the GDPR thresholds. MVE Holding BV acts as the primary privacy contact via privacy@libaros.com.

2. What personal data we collect

We collect the minimum data needed to operate the service:

  • Calculator inputs: gross monthly income, country of residence, family situation, business ownership, real estate ownership. Stored only in a signed token in your browser URL, not on our servers, unless you purchase a report.
  • Email address: when you join the waitlist, request a report, or subscribe to our newsletter.
  • Billing data (name, street address, postal code, city, country): collected at checkout, used only to issue your invoice and meet our 7-year Dutch tax retention obligation. Stripe collects this directly in its checkout flow; for Mollie we collect it in our form and pass it as payment metadata.
  • Payment data: handled entirely by Stripe and Mollie. We receive only confirmation, never your card number.
  • Technical data: IP address, browser type, pages visited. Used for security and aggregated analytics only.

3. Why we process your data

We process your data only for these purposes:

  • Delivering the Libaros report you ordered
  • Issuing your invoice and submitting EU OSS VAT returns to the Dutch tax authority (Belastingdienst) per quarter
  • Sending essential service emails (purchase confirmation, report delivery, refunds)
  • Sending the monthly newsletter, only if you explicitly opted in
  • Aggregated analytics to improve the service, only if you accepted analytics cookies
  • Fraud prevention and rate-limiting

5. How long we keep your data

We keep data only as long as needed:

  • Calculator tokens: 30 days (expires automatically)
  • Waitlist email: until you unsubscribe
  • Purchase records: 7 years (Dutch tax retention requirement)
  • Report PDFs: 5 years (so you can re-download)
  • Technical logs: 90 days

6. Who we share your data with (sub-processors)

We do not sell your data. Under GDPR Article 28 we maintain a Data Processing Agreement with each of these sub-processors. The list below names the processor, what it does for us, and where it is established:

  • Supabase, database hosting; EU region (Frankfurt). Stores reports, payments, leads.
  • Vercel, website hosting; EU region for EU traffic. Serves the libaros.com application.
  • Stripe, card and Apple Pay / Google Pay payments. Ireland (Stripe Payments Europe Ltd.).
  • Mollie, iDEAL, Bancontact, Wero payments. Netherlands.
  • Resend, transactional emails (purchase confirmation, report delivery). Ireland.
  • Beehiiv, newsletter delivery; only if you opted in. United States, covered by EU-US Data Privacy Framework.
  • Anthropic, AI report generation. United States, covered by Anthropic's Data Processing Addendum and EU-US Data Privacy Framework.
  • Trigger.dev, background job execution (rendering and delivering your report). United States, covered by Trigger.dev's Data Processing Addendum and Standard Contractual Clauses.
  • Upstash, Redis cache for rate-limiting; EU region. Only IP addresses are processed.
  • Plausible Analytics, privacy-friendly cookieless analytics, EU region; only if you accepted analytics cookies.
  • Authorities, when required by law.

7. International transfers

Most of our processors are in the EU. Anthropic is in the US; transfers are based on Standard Contractual Clauses and the EU-US Data Privacy Framework adequacy decision.

8. Your rights

Under GDPR you have the right to:

  • Access your data (Art. 15)
  • Correct inaccurate data (Art. 16)
  • Delete your data, "right to be forgotten" (Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl)

9. How we protect your data

We use industry-standard security: encrypted connections (TLS 1.3), encrypted storage, role-based access control, two-factor authentication on admin accounts, regular security audits, and a documented incident response plan. We will notify the Dutch DPA within 72 hours and affected users without undue delay in case of a data breach.

10. Cookies

We use a minimum number of cookies. Strictly necessary cookies (language preference, consent state) are always active. Analytics and marketing cookies require explicit consent. See our Cookie Policy for details.

11. Changes to this policy

We may update this policy when regulations change or our practices evolve. Material changes will be communicated by email to active customers and by a banner on libaros.com.

12. Contact

Privacy questions: privacy@libaros.com. We aim to respond within 7 business days.
