Privacy Policy
Last updated: Nov 12, 2025
1. General
This privacy policy describes how BRBX BV (“Recommand”) collects, processes, and protects personal data.
Recommand is located at Nieuwdorp 5, 3990 Peer, Belgium, and registered in the Belgian Crossroads Bank for Enterprises under number 1012.081.766.
Recommand acts:
- as a data controller for personal data processed through its websites and customer accounts;
- and as a data processor for personal data contained in electronic documents that customers send or receive via the Peppol network.
Recommand processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable legislation.
To the extent that Recommand processes personal data for security, logging, monitoring, and abuse detection purposes, it acts as a data controller based on its legitimate interest in ensuring the security, continuity, and improvement of its services.
2. Scope
This policy applies to:
- the websites recommand.eu and app.recommand.eu;
- the use of the Recommand application, API, and related services;
- any contact with Recommand via email, forms, or newsletters.
3. Categories of Personal Data
a) Website and communication data
When visiting our website or contacting us, the following data may be processed:
- name, first name, company name, email address, and message content;
- newsletter or beta program subscriptions;
- technical information via cookies or consent-based analytics (such as page visits, browser type, device or session ID);
- communication and marketing preferences.
b) Account and usage data (application / API)
When you create an account or use our API, we process, among other things:
- identification and contact details (name, email address, password hash, team or company profile);
- access and authorization data (roles, API keys, memberships);
- billing and payment information (company name, address, VAT number, payment status, transaction IDs);
- usage and log data (creation and modification timestamps, transmitted documents, billing events);
- document and transfer metadata (sender, recipient, document type, direction, timestamp).
c) Peppol documents
Documents processed through our Peppol infrastructure (invoices, credit notes, orders, etc.) may contain personal data such as:
- names, addresses, and contact details of buyers or sellers;
- business or VAT numbers (including for sole proprietors);
- delivery and payment information;
- free-text fields or attachments containing personal data.
Recommand processes this data solely to technically enable the transmission, receipt, and archiving of documents via the Peppol network.
4. Purposes and Legal Bases
Recommand processes personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provision and management of accounts and API services | Performance of a contract |
| Billing and payment | Legal obligation & performance of a contract |
| Customer support and communication | Legitimate interest |
| Security, logging, error analysis | Legitimate interest |
| Compliance with legal or Peppol network obligations | Legal obligation |
| Newsletters or marketing communication (opt-in) | Consent |
| Usage analysis (after cookie consent) | Consent |
5. Retention Periods
Recommand does not retain personal data longer than necessary for the purposes for which it is processed, taking into account legal obligations. The following guidelines apply:
User and account data
Retained for as long as the account is active and up to 1 year after termination, unless longer retention is required for the establishment, exercise, or defense of legal claims.
Billing and accounting data
Invoices and accounting documents processed by Recommand as data controller (such as customer invoices, payment data, and accounting exports) are kept for 10 years after the end of the relevant financial year, in accordance with statutory accounting obligations.
Peppol documents and transmission logs (for active customers)
Peppol documents (invoices, credit notes, orders, etc.) and associated transmission and receipt logs are retained for at least 1 year for active customers to enable redelivery, audit, and support. Longer retention periods may be agreed contractually under enterprise agreements.
After termination of services
After termination of the agreement, operational data in the portal (including Peppol documents visible through the application) remain available for up to 90 days for the customer to export them. Thereafter, these data are deleted or anonymized, without prejudice to the retention of technical logs, backups, and billing/accounting data as described above.
Website logs and cookies
Website logs and cookie data are retained in accordance with the specific retention periods in the Cookie Policy (with a maximum of 13 months for consent-based cookies).
6. Sharing of Personal Data
Recommand only shares personal data with carefully selected subcontractors (sub-processors) necessary for delivering its services.
The current list of sub-processors is available at: recommand.eu/subprocessors
These sub-processors may include:
- cloud and hosting providers
- payment service providers
- email services
- analytics services
- marketing and advertising tools
Sub-processors are contractually bound to confidentiality and GDPR compliance. Personal data are not sold or shared with third parties for their own purposes.
7. International Transfers
When a service provider is located outside the European Economic Area, Recommand ensures appropriate safeguards in accordance with Article 46 GDPR, such as EU Standard Contractual Clauses.
8. Data Security
Recommand implements appropriate technical and organizational measures, including:
- encryption of data in transit (TLS/mTLS) and at rest;
- hashed passwords and secure key and certificate rotation;
- role- and team-based access control (“least privilege”);
- structured logging, audit trails, and monitoring;
- regular backups and recovery testing;
- secure hosting within the EEA;
- continuous software updates and dependency management;
- minimization of personal data.
9. Data Subject Rights
You have the right at any time to:
- request access to your personal data processed by Recommand;
- correct inaccurate data;
- request deletion (“right to be forgotten”);
- restrict or object to certain processing activities;
- withdraw your consent (e.g., for marketing);
- transfer your data to another service provider.
You can exercise these rights by sending a request to privacy@recommand.eu. Recommand will respond within 30 days.
If you believe your rights are being violated, you may file a complaint with the Belgian Data Protection Authority (www.gegevensbeschermingsautoriteit.be).
10. Cookies and Tracking
The Recommand website uses functional cookies and, only after consent, analytical and marketing cookies. More information about cookie usage and the management of your preferences can be found in the Cookie Policy, available at recommand.eu/cookie-policy.
11. Processor Role
When customers use the Peppol API or related services, Recommand processes personal data solely on behalf of the customer, in accordance with the Data Processing Agreement (DPA). Recommand has no control over the content of documents sent or received via the Peppol network.
12. Changes
Recommand reserves the right to amend this policy if its processing activities or legal obligations change. The most recent version is always available at recommand.eu/privacy and includes the date of the last update.
13. Contact
Recommand (BRBX BV)
Nieuwdorp 5, 3990 Peer, Belgium
Email: privacy@recommand.eu
Website: recommand.eu