Privacy Policy

How Pal&Ko Thuiszorg processes personal and health data in its apps.


Version 1.2 · Last updated 17 May 2026

Contents
  1. Data controller
  2. Apps covered
  3. Personal data we process
  4. Purposes and legal bases
  5. Retention periods
  6. Sub-processors
  7. Security
  8. Rights of data subjects
  9. BSN (Dutch citizen service number)
  10. Health data
  11. Data breach procedure
  12. Not a medical device
  13. Changes

1. Data controller

Privacy requests and data breach reports can be sent to info@palenkothuiszorg.nl attn. management. The technical contact for the apps is aryan@palenkothuiszorg.nl.

Pal&Ko Thuiszorg currently does not process personal data "on a large scale" within the meaning of GDPR Article 37(1)(c) (EDPB-WP243 guidance) and has therefore not formally appointed a Data Protection Officer. This is reassessed annually; once the threshold is exceeded, a DPO will be appointed and listed on this page.

2. Apps covered

3. Personal data we process

3.1 Staff

3.2 Clients

3.3 What the apps do not collect

4. Purposes and legal bases

Processing | Purpose | Legal basis (GDPR)
Client and medical data | Performance of the care contract | Art. 6(1)(b) and 9(2)(h)
BSN processing | Statutory healthcare exchange | Wabb (Dutch Healthcare Personal Data Act)
Staff personal data and planning | Performance of the employment contract | Art. 6(1)(b)
Payroll administration | Legal obligation (tax) | Art. 6(1)(c)
Push notifications | Operational communication | Art. 6(1)(b) and legitimate interest
Audit log | Compliance and inspectorate audits | Art. 6(1)(c) and legitimate interest
Route calculation | Efficient care planning | Legitimate interest (Art. 6(1)(f))
Error detection and app stability (Sentry diagnostics) | Crash reporting and 10%-sampled performance metrics for bug fixing | Legitimate interest (Art. 6(1)(f)): security and quality of the healthcare app

5. Retention periods

Category | Period | Legal basis
Client and care record (medical data) | 20 years after last contact | Wgbo, Dutch Civil Code art. 7:454
Payroll and invoicing | 7 years | Dutch tax law (AWR art. 52)
Salary administration | 7 years | Tax
Job applicants (rejected) | 4 weeks, or 1 year with consent | Dutch DPA guidance
Notifications | 1 year (auto-purged) | GDPR storage limitation
Leave requests | 3 years after end date | GDPR storage limitation
Push tokens | Up to 90 days after last activity, or on logout | GDPR storage limitation
Sentry diagnostic events (crashes and performance samples) | 90 days (default Sentry retention), then automatically purged | GDPR storage limitation
Account data after self-deletion | Immediate: PII erased · Audit log: 7 years | GDPR Art. 17 and IGJ auditability

6. Sub-processors

Processor | Purpose | Location
Supabase | Database, authentication, storage, realtime | EU (Ireland)
Vercel | App hosting | EU (Frankfurt)
Apple APNs | iOS push notifications (final delivery to the device) | USA (under Apple Developer Agreement)
Google FCM (Firebase Cloud Messaging) | Push notifications for iOS and Android. On iOS the app uses the Firebase Messaging SDK as a relay to Apple APNs. | EU/USA
PDOK Locatieserver (Dutch Land Registry / Ministry of the Interior) | Geocoding of addresses to coordinates (full address: street, house number, postcode, city) | EU (the Netherlands)
TomTom Routing API (TomTom International B.V.) | Travel time and distance calculation based on coordinates only (lat/lng, no address or name) | EU (Amsterdam, the Netherlands)
Pal&Ko OSRM fallback (self-hosted DigitalOcean VPS) | Fallback routing service when TomTom is unavailable (lat/lng only) | EU (Frankfurt, Germany)
Capgo Cloud (Capgo SAS) | Version check for in-app updates of JavaScript and asset files. Receives an anonymous device ID and the app version only; no personal data. | EU (France)
Sentry (Functional Software, Inc., via Sentry GmbH) | Error detection and performance monitoring: receives crash stack traces, error events and 10%-sampled performance metrics. User context contains only the profile ID and role; no email, name, BSN or client data. API keys and authorization headers are actively stripped from fetch/xhr breadcrumbs before transmission. Sentry DPA per sentry.io/legal/dpa. | EU (Frankfurt, Germany; ingest.de.sentry.io)

A data processing agreement is in place with these parties or their general processor terms apply. Pal&Ko Thuiszorg does not share data with data brokers, advertising networks, marketing platforms or social media providers.

7. Security

8. Rights of data subjects (GDPR Articles 15–22)

Requests can be sent to info@palenkothuiszorg.nl with subject "GDPR request". We respond within one month. You also have the right to file a complaint with the Dutch Data Protection Authority.

9. BSN (Dutch citizen service number)

Pal&Ko Thuiszorg processes the BSN exclusively for legally mandated healthcare purposes under the Dutch Healthcare Personal Data Act (Wabb) and the Dutch BSN Act. The BSN is not used for other purposes and not shared with third parties beyond the legally permitted exchange with health insurers, the CAK, the CIZ and the Tax Authority.

10. Health data

Health data are processed as a special category of personal data under GDPR Article 9(2)(h): necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of healthcare or the management of healthcare systems and services. Processing is performed under the responsibility of a professional bound by professional secrecy under EU or national law (GDPR Article 9(3) in conjunction with Dutch Civil Code Article 7:457).

11. Data breach procedure

Pal&Ko Thuiszorg reports suspected data breaches to the Dutch Data Protection Authority within 72 hours where there is a risk to the rights and freedoms of data subjects. In case of high risk, data subjects are also informed directly. A breach can be reported via info@palenkothuiszorg.nl with subject "Data breach". Complaints about care delivery itself fall under the Wkkgz complaints procedure and are sent to klachten@palenkothuiszorg.nl.

12. Not a medical device

The apps of Pal&Ko Thuiszorg are not medical devices within the meaning of Regulation (EU) 2017/745 (MDR). The information in the apps is intended for planning and organising home care, not for diagnosis, treatment or medical advice. For medical decisions, always consult a qualified healthcare professional.

13. Changes

This policy may be updated when laws, sub-processors or app functionality change. The current version is on this page. Substantive changes are communicated via an in-app notification.