Privacy Policy
Last updated: 13 May 2026
1. Who we are
Valryn (“we”, “us”, “our”) is operated by Bitquanta, registered at Pieter Calandlaan 765, 1069SC Amsterdam, the Netherlands, KVK number 97672920.
We are the data controller for personal data processed through Valryn. Questions or requests about your data can be sent to support@valryn.nl.
2. What data we collect and why
Account & profile data
Email address, full name, origin country, move date, employment type, visa information, household details (partner, children, pets), employer name, HR contact details.
Legal basis: Performance of contract (providing the service you signed up for).
Uploaded documents
You may upload documents such as passports, employment contracts, and IND letters. These files are stored securely in Supabase Storage (EU region) and are only accessible to you. When you request AI validation or date extraction, the document is sent to Anthropic’s API for analysis and then immediately discarded from memory — the document bytes are never written to disk on our servers and never used to train AI models.
Legal basis: Performance of contract; explicit consent (for AI validation — you must opt in).
AI validation results
The outcome of document validation (pass / warn / fail, issues list) is stored in our database. The original document content is not stored in validation results — only the structured analysis.
Legal basis: Performance of contract; legitimate interest (providing the validation service).
Payment data
We use Stripe to process payments. We do not store your card number, CVV, or full payment details. Stripe provides us with a payment record and your email. Stripe’s privacy policy governs their processing: stripe.com/privacy.
Legal basis: Performance of contract.
Usage data
We track how many times you use AI features (document validation, risk score, checklist generation) to enforce daily rate limits. We do not use analytics trackers or third-party advertising pixels.
Legal basis: Legitimate interest (preventing API abuse).
3. Cookies
We use only strictly necessary cookies set by Supabase Auth to maintain your login session. These cookies are essential for the service to function and do not require consent under the ePrivacy Directive. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
4. Who we share your data with
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-west-1) |
| Anthropic | AI document analysis (transient — data not retained) | USA (SCCs apply) |
| Stripe | Payment processing | USA / EU (SCCs apply) |
| Resend | Transactional email (reminders, notifications) | USA (SCCs apply) |
| Railway | Backend API hosting | USA (SCCs apply) |
| Vercel | Frontend hosting | Global CDN |
We do not sell your personal data. We do not share it with third parties for marketing purposes. Transfers to the USA are covered by Standard Contractual Clauses (SCCs) where required.
5. How long we keep your data
- Account and profile data: retained while your account is active and for 30 days after deletion (to allow recovery).
- Uploaded documents: retained while your account is active; deleted immediately when you delete a document or your account.
- Validation results: retained while your account is active; deleted when your account is deleted.
- Payment records: retained for 7 years as required by Dutch tax law (Belastingdienst).
- AI consent records: retained as long as your account exists to demonstrate compliance.
6. Your GDPR rights
As a data subject under GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate data — most profile fields can be updated directly in the app.
- Erasure: delete your account and all associated data from within the app settings at any time.
- Data portability: request your data in a machine-readable format.
- Restriction: request we restrict processing while a dispute is resolved.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: withdraw AI validation consent at any time from the app settings — this does not affect previous processing.
To exercise any right, email support@valryn.nl. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
7. Security
We take reasonable technical and organisational measures to protect your data, including:
- All data in transit encrypted via TLS.
- Supabase Row Level Security (RLS) — your data is only accessible to your own account.
- Document bytes processed in server memory only; never written to disk.
- Stripe handles all card data — we never see or store raw payment details.
8. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated via email or an in-app notice. The “last updated” date at the top of this page always reflects the current version.
9. Contact
For privacy questions, data requests, or complaints: support@valryn.nl