NederlandsEnglish
Version 1.0 · Last updated 30 April 2026
1. Data controller
- Pal&Ko Thuiszorg B.V. (Dutch private limited company)
- Stationstraat 51, 6411 NK Heerlen, the Netherlands
- Chamber of Commerce (KVK): 97935050
- Email: info@palenkothuiszorg.nl
Privacy requests and data breach reports can be sent to info@palenkothuiszorg.nl attn. management. The technical contact for the apps is aryan@palenkothuiszorg.nl.
Pal&Ko Thuiszorg currently does not process personal data "on a large scale" within the meaning of GDPR Article 37(1)(c) (EDPB-WP243 guidance) and has therefore not formally appointed a Data Protection Officer. This is reassessed annually; once the threshold is exceeded, a DPO will be appointed and listed on this page.
2. Apps covered
- Pal&Ko Planning
3. Personal data we process
3.1 Staff
- Identity: first and last name, date of birth, gender.
- Contact: email address, phone number, home address.
- Payroll and administration: BSN, IBAN, contract type, hourly wage, mileage rate.
- Professional credentials: BIG registration, AGB codes, qualifications.
- Operational: shifts, hours worked, leave, sick reports, tasks.
- Address coordinates of the home address for route calculation (derived from the entered address via geocoding; no real-time GPS).
- Push notification token (Apple APNs or Google FCM).
- Audit log of mutations performed in the app.
3.2 Clients
- Identity: name, date of birth, BSN, contact details.
- Address and corresponding coordinates for routing (derived via geocoding).
- Health data: care indication, diagnoses, medication, allergies, care notes.
- Insurer, policy number, UZOVI code.
- Emergency contact, GP, informal caregivers.
- IBAN and billing address for PGB-funded care.
3.3 What the apps do not collect
- No IDFA, no Advertising ID and no tracking for advertising purposes.
- No integrations with data brokers, ad networks or social media trackers.
- No access to camera, microphone, real-time GPS, contacts or calendar of the device.
- No automated decision-making with legal effects or similarly significant effects within the meaning of GDPR Article 22. The apps use automated route optimisation to generate scheduling proposals, but these proposals are always reviewed and published by a planner before they take effect.
4. Purposes and legal bases
| Processing | Purpose | Legal basis (GDPR) |
|---|---|---|
| Client and medical data | Performance of the care contract | Art. 6(1)(b) and 9(2)(h) |
| BSN processing | Statutory healthcare exchange | Wabb (Dutch Healthcare Personal Data Act) |
| Staff personal data and planning | Performance of the employment contract | Art. 6(1)(b) |
| Payroll administration | Legal obligation (tax) | Art. 6(1)(c) |
| Push notifications | Operational communication | Art. 6(1)(b) and legitimate interest |
| Audit log | Compliance and inspectorate audits | Art. 6(1)(c) and legitimate interest |
| Route calculation | Efficient care planning | Legitimate interest (Art. 6(1)(f)) |
5. Retention periods
| Category | Period | Legal basis |
|---|---|---|
| Client and care record (medical data) | 20 years after last contact | Wgbo art. 7:454 Dutch Civil Code |
| Payroll and invoicing | 7 years | Dutch tax law (AWR art. 52) |
| Salary administration | 7 years | Tax |
| Job applicants (rejected) | 4 weeks, or 1 year with consent | Dutch DPA guidance |
| Notifications | 1 year (auto-purged) | GDPR storage limitation |
| Leave requests | 3 years after end date | GDPR storage limitation |
| Push tokens | Up to 90 days after last activity, or on logout | GDPR storage limitation |
| Account data after self-deletion | Immediate: PII erased · Audit: 7 years | GDPR Art. 17 and IGJ auditability |
6. Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage, realtime | EU (Ireland) |
| Vercel | App hosting | EU (Frankfurt) |
| Apple APNs | iOS push notifications | USA (under Apple Developer Agreement) |
| Google FCM | Android push notifications | EU/USA |
| PDOK Locatieserver (Dutch Land Registry / Ministry of the Interior) | Geocoding of addresses to coordinates (full address: street, house number, postcode, city) | EU (the Netherlands) |
| OpenRouteService (HeiGIT) | Travel time and distance calculation based on coordinates only (lat/lng, no address or name) | EU (Heidelberg, Germany) |
A data processing agreement is in place with these parties or their general processor terms apply. Pal&Ko Thuiszorg does not share data with data brokers, advertising networks, marketing platforms or social media providers.
7. Security
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest in the database (AES-256, Supabase default).
- Row Level Security per role; staff see only their own data and assigned clients.
- Audit logging of mutations on sensitive tables.
- Native screen and recording protection on iOS (secure canvas) and Android (FLAG_SECURE).
- Annual review of access rights, security measures and sub-processors.
8. Rights of data subjects (GDPR Articles 15–22)
- Access — via Profile → Download my data in the app.
- Rectification — correction of inaccurate data.
- Erasure — where permitted; medical records are subject to mandatory retention under Dutch Wgbo law. For the login account: in the app via Profile → Delete account.
- Restriction of processing.
- Data portability — own data in machine-readable JSON via the app.
- Objection to processing based on legitimate interest.
Requests can be sent to info@palenkothuiszorg.nl with subject "GDPR request". We respond within one month. You also have the right to file a complaint with the Dutch Data Protection Authority.
9. BSN (Dutch citizen service number)
Pal&Ko Thuiszorg processes the BSN exclusively for legally mandated healthcare purposes under the Dutch Healthcare Personal Data Act (Wabb) and the Dutch BSN Act. The BSN is not used for other purposes and not shared with third parties beyond the legally permitted exchange with health insurers, the CAK, the CIZ and the Tax Authority.
10. Health data
Health data are processed as a special category of personal data under GDPR Article 9(2)(h): necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of healthcare or the management of healthcare systems and services. Processing is performed under the responsibility of a professional bound by professional secrecy under EU or national law (GDPR Article 9(3) in conjunction with Dutch Civil Code Article 7:457).
11. Data breach procedure
Pal&Ko Thuiszorg reports suspected data breaches to the Dutch Data Protection Authority within 72 hours where there is a risk to the rights and freedoms of data subjects. In case of high risk, data subjects are also informed directly. A breach can be reported via info@palenkothuiszorg.nl with subject "Data breach". Complaints about care delivery itself fall under the Wkkgz complaints procedure and are sent to klachten@palenkothuiszorg.nl.
12. Not a medical device
The apps of Pal&Ko Thuiszorg are not medical devices within the meaning of Regulation (EU) 2017/745 (MDR). The information in the apps is intended for planning and organising home care, not for diagnosis, treatment or medical advice. For medical decisions, always consult a qualified healthcare professional.
13. Changes
This policy may be updated when laws, sub-processors or app functionality change. The current version is on this page. Substantive changes are communicated via an in-app notification.