Privacy Policy
Effective date: 12 June 2026
Table of Contents
Overview
This Privacy Policy explains how Expat Bubble B.V. ("ExB", "we", "us") stores and shares personal data when you use expatbubble.nl (the "Platform") and related services. It describes your rights under the GDPR and how to exercise them.
We may from time to time update this policy. Please make sure to regularly visit this policy in order to stay up to date.
Scope and Roles
Controller: ExB is the controller for Platform operations including registration, booking facilitation, invoicing, payments, messaging storage, marketing and platform safety.
Professional as controller: the Platform allows professionals to offer their products or services to Clients. Once you, the Client, have entered into contact with a professional, the professional acts as controller for their own communications with the Client. For that professional's role as data controller, reference is made to the privacy policy of the respective professional.
Categories of Personal Data and Purposes
We, as data controller, process the following categories of personal data for the purposes listed:
Clients
| Processing activity | Categories of personal data | Legal basis |
|---|---|---|
| Handling your account | Name, email, phone, address, bank account, login credentials, services used, service details, dates, prices, invoices and payment status | Performance of a contract or legitimate interests (offering our services, improving our services, providing customer service). |
| Communication | Messages between Client and Professional, support tickets and other forms of correspondence | Performance of a contract or legitimate interests (offering our services, improving our services, providing customer service). |
| Customer service and support | Correspondence, complaint details, evidence, photos or the like | Legitimate interests: (i) following up on questions, complaints and claims; (ii) providing information on relevant products or services; (iii) verifying identity; (iv) enhancing security and protecting your information. |
Professionals
| Processing activity | Categories of personal data | Legal basis |
|---|---|---|
| Handling your account | Name, email, phone, address, Chamber of Commerce number, VAT number, bank account, login credentials, services provided, service details, dates, prices, invoices and payment status | Performance of a contract or legitimate interests (offering our services, improving our services, providing customer service). |
| Communications | Messages between Client and Professional, support tickets and other forms of correspondence | Performance of a contract or legitimate interests (offering our services, improving our services, providing customer service, verifying identity, enhancing security). |
| Invoicing and administrative services | Name, bank account, services used, service details, dates, prices, invoices and payment status | Performance of a contract or legitimate interests (offering our services, improving our services, providing customer service). |
| Customer service and support | Correspondence, complaint details, evidence, photos or the like | Legitimate interests: (i) following up on questions, complaints and claims; (ii) providing information on relevant products or services; (iii) verifying identity; (iv) enhancing security and protecting your information. |
Website Visitors
| Processing activity | Categories of personal data | Legal basis |
|---|---|---|
| Cookies | Please see Section 4 | See Section 4 |
Others
| Processing activity | Categories of personal data | Legal basis |
|---|---|---|
| Newsletter | Your name and email address, preferences for receiving information (frequency and categories) | Consent (newsletters and marketing emails). Legitimate interest for marketing regarding similar products or services previously ordered. You may always unsubscribe via the link in our emails. |
| Other general purposes | Any information necessary for the relevant purpose of processing | Legal obligation or legitimate interests (carrying out regular business activities, protecting our interests in case of conflicts). Purposes include: (i) following requests of public authorities; (ii) conducting criminal investigations; (iii) protecting third-party rights; (iv) statistical or academic research; (v) other circumstances stipulated by relevant law. |
Data Minimisation, Accuracy and Retention
We have the following retention terms in place:
| Activity | Retention term |
|---|---|
| Handling your account | We store your personal data for a period of 6 months after deletion of your account. In case of any incidents, disputes, conflicts or the like, we may prolong the storage period until the matter has been resolved. |
| Communication | As above. |
| Customer service and support | As above. |
| Invoicing and administrative services | As above. |
| Newsletter | As above. |
| Other general purposes | As above. |
International Transfers
If we transfer personal data outside the EEA we will implement appropriate safeguards such as EU Standard Contractual Clauses or rely on an adequacy decision. We document transfer impact assessments where required.
Security Measures
We have implemented appropriate technical and organisational measures including encryption in transit and at rest where feasible, access controls, logging, vulnerability management, secure development practices and incident response procedures. We review measures periodically.
Data Subject Rights
In relation to our processing of your personal data, you have the following privacy rights. For more information, please refer to the European Commission's webpage on data subject rights.
- Right to withdraw consent: In so far as our processing of your personal data is based on your consent, you have the right to withdraw consent at any time.
- Right of access: You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will also provide you with further specifics of our processing of your personal data.
- Right to rectification: You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Right to erasure: You have the right to request erasure of your personal data where: (i) the personal data are no longer necessary; (ii) you have withdrawn your consent; (iii) you have objected to the processing; (iv) the personal data have been unlawfully processed; (v) erasure is required by law; or (vi) data collected in relation to information society services. Exceptions apply where processing is necessary for freedom of expression, legal compliance, public health, archiving, or legal claims.
- Right to object: You have the right to object to processing based on legitimate interests. For direct marketing purposes, we will always honour your request. For other purposes, we will cease processing unless we have compelling legitimate grounds overriding your interests or related to legal claims.
- Right to restriction: You have the right to request restriction of processing in case: (i) accuracy is contested during verification; (ii) processing is unlawful and you request restriction instead of erasure; (iii) we no longer need the data but you need it for legal claims; or (iv) you have objected to processing during verification.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format, or to have it transferred to a third party of your choice. This applies where processing is based on consent or a contract and is carried out by automated means.
- Automated decision-making: You have the right not to be subject to a decision based solely on automated processing. We do not make use of automated decision-making that produces legal or similarly significant effects without human review.
- Right to complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of an alleged infringement of the GDPR. Please refer to this webpage for an overview of supervisory authorities. We would appreciate the opportunity to deal with your concerns before you approach the supervisory authority.
The exercise of the above-mentioned rights is free of charge and can be carried out by email via the contact details displayed below. If requests are manifestly unfounded or excessive, we will either charge a reasonable fee or refuse to comply.
We may request specific information to confirm your identity before complying. We will respond without undue delay and in principle within one month of receipt, extendable by a further two months in complex cases.
Automated Decisions and Profiling
We may use automated systems to support platform operations (e.g., fraud detection, ranking). We do not make solely automated decisions that produce legal or similarly significant effects without human review.
Children
The Platform is not intended for children under 16. We do not knowingly collect personal data from children. If we become aware of such data, we will delete it unless required to retain it by law.
Contact and Complaints
Controller: Expat Bubble B.V., Tureluur 2, 1873 JW Groet, The Netherlands
Chamber of Commerce number: 42032553
Contact: privacy@expatbubble.nl
Changes to this Policy
We may update this Policy. Material changes will be communicated via the Platform or email.