Legal

Privacy Policy

Effective 1 January 2026 · Last updated 14 May 2026

We respect your privacy. This policy explains what data Fontiex collects, why we collect it, your rights under GDPR/AVG, and how to exercise them.

🔒

No data sold

We never sell your data to advertisers or brokers

🍪

No ad cookies

Only session cookies required for login

🗑️

Right to delete

Request deletion of your personal data anytime

🇳🇱

GDPR / AVG

Dutch law applies — supervised by Autoriteit Persoonsgegevens

1. Who We Are

Fontiex is a membership and services platform operated by Dutch Bangal, registered in the Netherlands. Registered address: 8911 KM Leeuwarden, The Netherlands. KVK number: 89312678. References to "we", "us", or "our" in this policy refer to Dutch Bangal acting as data controller for the Fontiex platform. For all privacy-related matters, contact us at privacy@fontiex.com.

2. Data We Collect

We collect information you provide directly when registering or using Fontiex: your name, email address, date of birth, nationality, country of residence, and FIN identifier. When you top up FNX credits, Stripe processes your payment details — we do not store card numbers. For KYC purposes, we collect your document type and number, and bank account details (which vary by country). We also collect data generated by your use of the Platform: FNX credit balance and transaction history, booking history, login timestamps and session data, IP address and device/browser information for security purposes. We do not collect sensitive special-category data (health, biometric, political opinions, religion, or ethnicity) beyond what you voluntarily provide during KYC.

3. How We Use Your Data

We use your personal data to: create and manage your FIN account and FAI number; process FNX credit top-ups and service bookings; send transactional communications (booking confirmations, payment receipts, security alerts, account notices); comply with applicable legal obligations including AML, KYC, and Dutch tax and accounting requirements (Wet op het financieel toezicht, Wwft); improve the Platform using aggregated and anonymised analytics; and detect and prevent fraud, abuse, and security threats. We do not use your data for advertising, profiling for commercial purposes, or automated individual decision-making that produces legal or similarly significant effects without your explicit consent.

4. Legal Basis for Processing (GDPR / AVG)

As a Dutch-registered entity, Fontiex processes personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet AVG. Our lawful bases are: (a) Contract performance (Art. 6(1)(b)) — to deliver the Fontiex membership services you signed up for; (b) Legal obligation (Art. 6(1)(c)) — KYC, AML, and statutory accounting/tax record-keeping; (c) Legitimate interests (Art. 6(1)(f)) — platform security, fraud prevention, service improvement, and abuse detection, where these do not override your fundamental rights; (d) Consent (Art. 6(1)(a)) — for optional marketing communications, which you may withdraw at any time without affecting your account.

5. Data Sharing & Processors

We share your data only where necessary. Our data processors include: Supabase (database and authentication infrastructure, EU-hosted); Stripe (payment processing — governed by Stripe's own privacy policy and PCI DSS compliant); Wise (international payment processing where applicable). We share limited booking-relevant data (e.g., your name) with service partners solely to fulfil your booking. We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers or data brokers. We may disclose data where required by a binding legal obligation, court order, or request from a Dutch or EU law enforcement authority.

6. Data Retention

We retain your account and transaction data for the duration of your membership and, after account closure, for the refund window applicable to your plan tier: 6 months (Free), 2 years (Starter), 5 years (Pro), 10 years (Enterprise). Financial transaction records — including FNX top-up and payment records — are retained for 7 years in accordance with Dutch bookkeeping law (Boekhouding, art. 2:10 BW). KYC records are retained for 5 years after the end of the relationship, as required under the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme). You may request deletion of non-financial personal data by contacting privacy@fontiex.com; we will respond within 30 days, subject to our legal retention obligations.

7. Your Rights (AVG / GDPR)

Under the GDPR and AVG, you have the following rights regarding your personal data: Access (Art. 15) — request a copy of the data we hold about you; Rectification (Art. 16) — request correction of inaccurate data; Erasure (Art. 17) — request deletion, subject to legal retention requirements; Portability (Art. 20) — receive your data in a structured, machine-readable format; Objection (Art. 21) — object to processing based on legitimate interests; Restriction (Art. 18) — request that we limit processing in certain circumstances; Withdrawal of consent — at any time, for consent-based processing, without affecting prior processing. To exercise any right, email privacy@fontiex.com with subject "Data Rights Request — [Your FIN]". We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl.

8. Cookies & Tracking

Fontiex uses only strictly necessary cookies to maintain your authenticated session after login. We do not use advertising cookies, third-party tracking pixels, or behavioural profiling tools. If we introduce any non-essential cookies in the future, we will request your consent in accordance with the Dutch Telecommunicatiewet and GDPR. You may disable cookies in your browser settings, but this will prevent you from remaining logged in to the Platform.

9. Security

We implement industry-standard technical and organisational security measures, including: TLS encryption for all data in transit; encrypted credential storage via Supabase Auth; row-level security (RLS) on all database tables ensuring members can only access their own data; automatic session timeout after 5 minutes of inactivity; access controls limiting staff access to personal data on a need-to-know basis. No system can guarantee absolute security. If you believe your account has been compromised, contact security@fontiex.com immediately. In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours and affected members without undue delay, as required by GDPR Art. 33–34.

10. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA) via Supabase's EU-hosted infrastructure. Where data is transferred outside the EEA (e.g., to Stripe's US-based services), we ensure appropriate safeguards are in place pursuant to GDPR Chapter V, including Standard Contractual Clauses (SCCs) where required. By using the Platform, you acknowledge these transfers as necessary to provide the service.

11. Children

The Fontiex Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a child under 18 has registered an account, please notify us at privacy@fontiex.com and we will promptly delete the account and associated data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email and by notice on the Platform at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the current version. Minor corrections or clarifications may be made without notice.

13. Contact & Complaints

For any privacy-related questions or to exercise your data rights: privacy@fontiex.com. Postal address: Dutch Bangal, 8911 KM Leeuwarden, The Netherlands. KVK: 89312678. If you believe we have not handled your data lawfully, you may lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag — autoriteitpersoonsgegevens.nl. EU members may also use the EU ODR platform at ec.europa.eu/consumers/odr.

Refund PolicyTerms & ConditionsBack to home