Privacy policy
Annotated.nl is a publishing venture by Abacus Legal, a Dutch sole-proprietorship (KvK 89289552, Amsterdam). We care about careful data handling and keep our processing as limited as possible. This document describes what personal data we process, why, for how long, and what rights you have.
1. Who is the controller
Abacus Legal — sole proprietorship (eenmanszaak) — KvK 89289552 — Amsterdam, the Netherlands. Privacy contact: office@annotated.nl.
Abacus Legal has not appointed a data protection officer. The scope of processing falls below the thresholds of GDPR article 37; the contact point for your questions is the address above.
2. What data we process
| Category | Examples | Purpose |
|---|---|---|
| Identification | Legal entity name, billing email, VAT (BTW) ID | Performance of the subscription, invoicing |
| Session data | ann_session cookie (strictly necessary) | Maintaining your login session across gdpr.annotated.nl, aiact.annotated.nl, and forthcoming editions |
| Server logs | IP address, user-agent, requested URL, timestamp | Security, debugging, capacity management |
| Payment data | Processed by Mollie B.V. — we receive only status + truncated card/IBAN reference | Settlement of payment |
| Correspondence | Content of your emails to office@annotated.nl | Responding to your request |
We do not process special categories of personal data (article 9 GDPR) or criminal-conviction data (article 10).
3. Legal basis per processing activity
| Processing | Basis (GDPR article 6) |
|---|---|
| Subscription administration | Paragraph 1(b) — performance of contract |
| Invoicing and bookkeeping | Paragraph 1(c) — legal obligation (Wet OB 1968 art. 52; Algemene Wet Rijksbelastingen) |
| Session cookie | Paragraph 1(b) — performance of contract (ePrivacy art. 5(3) carve-out: strictly necessary) |
| Server logs | Paragraph 1(f) — legitimate interest (security and operations) |
| Responding to emails | Paragraph 1(f) — legitimate interest (customer contact) |
4. Sub-processors and joint controllers
| Party | Function | Role | Location |
|---|---|---|---|
| Mollie B.V. | Payment processing | Independent controller for the payment flow | Netherlands |
| Strato AG | Server hosting (VPS) | Processor | Germany |
Fonts (Inter, Source Serif 4, JetBrains Mono) are served from our own server. We do not use external content-delivery networks or third-party font services that would transmit your IP address or other data.
5. International transfers
We do not transfer personal data to countries outside the European Economic Area. Our infrastructure and sub-processors are located within the EEA.
6. Retention periods
| Category | Period |
|---|---|
| Invoices and related administration | 7 years after the end of the calendar year (Algemene Wet Rijksbelastingen art. 52) |
| Account data (organisation, VAT ID, billing email) | Up to 12 months after subscription end, after which deleted or anonymised to the extent permitted by law |
| Session cookie | Until logout or session expiry (maximum 30 days) |
| Server logs | 30 days |
| Email correspondence | Up to 24 months after last contact, unless longer retention is required by law |
7. Your rights
Under the GDPR you have the right to:
- access the personal data we process about you (art. 15);
- request rectification of inaccurate data (art. 16);
- request erasure where compatible with our retention obligations (art. 17);
- have processing restricted (art. 18);
- object to processing based on legitimate interest (art. 21);
- have your data transferred to another controller (art. 20).
You can exercise these rights by emailing office@annotated.nl. We respond within one month. We may ask you to identify yourself before acting on a request.
8. Right to lodge a complaint
You may at any time lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — Bezuidenhoutseweg 30, The Hague — autoriteitpersoonsgegevens.nl). We appreciate the opportunity to address your concern first.
9. Security
We apply appropriate technical and organisational measures, including transport encryption (TLS), salted-and-hashed password storage, access control on operational systems, and logging of administrative access. No measure is infallible; if you identify a security issue, please contact office@annotated.nl.
10. Changes
We may amend this privacy policy when necessary — for example when we engage a new sub-processor or introduce a new processing activity. Changes are published on this page with a new date under Version.
11. Version
Version 1.0 — effective 13 May 2026.
Version 1.0 · 2026-05-13