Privacy Policy
Version 1.0 · March 2026
1. Who are we?
OmniAPI is a trade name of Blauwtoffie, a sole trader registered with the Dutch Chamber of Commerce under number 99395800.
We are the data controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data described below.
Contact: privacy@omnizoek.nl
2. What data do we process?
We process only data of our direct users:
- Email address (account creation)
- Firebase UID (internal account identifier)
- Display name (optional, provided by you)
- Account creation timestamp
- Credit balance and usage history (stored in our database)
- Payment details (cardholder, IBAN) — we do not store these; payments are processed by Stripe, Inc. (see § 5)
- API keys (stored as hashed values)
Third-party data is not stored. When you call the OmniAPI with a postcode, licence plate, IBAN or BSN, the API processes that value solely in working memory to generate a response. Once the container returns the answer, the input data is not retained — there is no database, cache or log file that stores the content of your requests.
Technical note: OmniAPI uses an in-memory TTLCache keyed on the lookup key (e.g. postcode + house number), never on the full payload. The container scales to zero automatically; on shutdown the cache is completely discarded.
3. Why do we use your data?
| Account management and authentication | Art. 6(1)(b) GDPR — performance of a contract |
| Credit management and billing | Art. 6(1)(b) — performance of a contract |
| Statutory retention obligation (7 years) | Art. 6(1)(c) — legal obligation |
| Technical security and abuse prevention | Art. 6(1)(f) — legitimate interest |
4. How long do we retain your data?
| Account data | As long as your account is active; max. 3 years after deletion |
| Transaction and invoice data | 7 years (statutory retention — Dutch Tax Authority) |
| API call metadata (Stripe metered events) | Per Stripe retention policy (max. 7 years) |
| In-memory cache (upstream API data) | Max. 24 hours; discarded on container restart |
5. Who do we share your data with?
We disclose your data only to processors with whom we have concluded a Data Processing Agreement (DPA):
| Google Cloud (Firebase Auth, Firestore, Cloud Run) | Authentication, database, compute — EU region (europe-west4) |
| Stripe | Payment processing and metered billing — US (SCCs apply) |
Your data is not sold and is not shared with any other third parties, advertisers or government agencies, unless we are legally obliged to do so.
6. Transfers outside the EEA
Google Cloud stores your data in EU region europe-west4 (Netherlands). Stripe processes payment data in the US under Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.
7. Your rights
Under the GDPR you have the following rights:
- Access — request what data we hold about you
- Rectification — have incorrect data corrected
- Erasure — have your account and associated data deleted
- Restriction — have processing temporarily restricted
- Portability — receive your data in a common format
- Objection — object to processing based on legitimate interest
You can exercise your rights by sending an email to privacy@omnizoek.nl. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
8. Security
We take appropriate technical and organisational measures to protect your data:
- Encryption in transit (TLS 1.2+) and at rest (Google Cloud default)
- API keys are stored as hashes (SHA-256); plaintext is not retained after issuance
- Firestore security rules restrict access per user (owner isolation)
- Cloud Run services communicate internally; no direct public access to Firestore
9. Cookies and tracking
The website omnizoek.nl does not use tracking cookies or third-party analytics scripts. Only functionally necessary cookies are set by Firebase Authentication (session token).
10. Changes
We may update this privacy policy from time to time. For material changes we will inform you via the email address linked to your account. The date at the top of the page indicates when the policy was last updated.
Questions about this policy? Email privacy@omnizoek.nl.