Privacy Policy

1. Who We Are

R&Dossier is a WBSO administration platform for Dutch software, SaaS, AI, and technology teams. The platform helps organizations manage WBSO projects, hours, technical evidence, GitHub and Linear integrations, dashboard checks, and auditpack exports.

References to “R&Dossier”, “we”, “us”, or “our” refer to the operator of this service. For questions about this policy or to exercise your rights, please contact us via the contact page.

2. Information We Collect

We collect the following categories of information.

Account and Identity Data

When you create an account, log in, or are invited to an organization, we collect information such as your name, email address, profile image, authentication provider, organization membership, role, and account security settings.

If you log in with Google, we receive basic profile information needed to authenticate your account.

Organization and Invite Data

When you create or join an organization, we process organization names, members, roles, pending invitations, invited email addresses, invitation status, and related timestamps.

WBSO Administration Data

When you use R&Dossier, you may create and store WBSO administration data, including project names, descriptions, technical uncertainties, development activities, project periods, project statuses, approved hours, registered hours, hour notes, project members, evidence items, source links, review statuses, evidence-hour links, dashboard attention points, and export data.

This data may contain personal data where it identifies developers, reviewers, organization members, or other individuals involved in WBSO administration.

Integration Data

If your organization connects GitHub or Linear, we process the data needed to provide those integrations.

For GitHub, this may include installation data, repository metadata, mapped repositories, pull request titles, descriptions, authors, URLs, and timestamps.

For Linear, this may include OAuth connection data, workspace metadata, project metadata, issue titles, descriptions, statuses, URLs, and timestamps.

R&Dossier scans integration data into candidates. Your team decides which candidates become official evidence in the dossier.

Integration credentials and tokens are stored securely and used only to provide the connected integration.

Billing Data

If your organization starts a paid subscription, we process billing-related data such as plan type, subscription status, payment processor identifiers, checkout status, billing portal status, and billing event timestamps.

Payments are handled by our payment provider. We do not store full payment card details.

Authentication and Security Data

To protect user accounts and organizations, we process data such as password hashes, session identifiers, refresh tokens, password reset tokens, two-factor authentication status, recovery code status, remembered-device tokens, login timestamps, IP addresses, and request metadata.

We do not store plaintext passwords.

Usage and Technical Data

We may collect information about how users interact with R&Dossier, including pages visited, features used, actions taken, timestamps, errors, browser type, device information, IP address, referring URL, and request metadata.

This helps us improve the product, prevent abuse, troubleshoot issues, and maintain service reliability.

Communication Data

If you contact us, we process the contact details and message contents you provide so we can respond to your request.

3. Legal Basis for Processing

We process personal data on the following legal grounds:

• Contractual necessity: to provide R&Dossier, including account access, organization management, WBSO administration, integrations, exports, authentication, and billing.
• Legitimate interests: to improve the service, prevent abuse, maintain security, troubleshoot issues, and operate the product.
• Consent: where we rely on consent, such as for optional analytics or non-essential cookies.
• Legal obligation: where processing is necessary to comply with legal, tax, accounting, or regulatory obligations.

4. How We Use Your Data

We use your data to:

• create and manage accounts;
• authenticate users and maintain secure sessions;
• manage organizations, roles, members, and invitations;
• support password reset and two-factor authentication;
• create and manage WBSO projects;
• register and review WBSO hours;
• collect and manage technical evidence;
• connect GitHub and Linear;
• scan pull requests and issues into candidates;
• import selected candidates as evidence;
• link evidence to hour entries;
• show dashboard metrics and attention points;
• generate auditpack exports;
• send transactional emails, including password reset, invite, security, and subscription emails;
• process subscriptions and billing;
• respond to support requests;
• detect and prevent abuse or security incidents;
• improve and develop the product;
• comply with legal obligations.

We do not sell your personal data. We do not use your WBSO administration data, GitHub data, Linear data, or evidence data for advertising.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data.

We may share data with trusted service providers who help us operate R&Dossier, only to the extent necessary for their services. These may include:

• hosting and infrastructure providers;
• database and storage providers;
• authentication providers;
• transactional email providers;
• payment processors;
• analytics providers, if enabled;
• error monitoring and logging providers;
• GitHub and Linear, when you connect those integrations.

We may also disclose data where required by law or where necessary to protect the rights, property, or safety of R&Dossier, our users, or the public.

If R&Dossier is involved in a merger, acquisition, financing, restructuring, or sale of assets, your data may be transferred to the successor entity. Where required, we will notify users of material changes affecting their data.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and secure R&Dossier.

Essential Cookies

Essential cookies are required for the service to function. These may include authentication cookies, session cookies, refresh-token cookies, CSRF protection cookies, two-factor authentication cookies, and remembered-device cookies.

The service cannot operate properly without essential cookies.

Analytics Cookies

With your consent, we may use analytics tools to understand how users interact with the service. Analytics tools may collect page views, event metadata, device information, and similar usage data.

You can control cookies through your browser settings. Disabling essential cookies may prevent the service from working correctly.

7. Data Retention

We retain personal data for as long as needed to provide the service, comply with legal obligations, resolve disputes, maintain security, and enforce our agreements.

Account data is retained while your account is active. If you delete your account, we remove or deactivate the active user account where deletion is available in the product. We may retain limited records where needed for security, abuse prevention, legal, tax, or accounting purposes.

WBSO administration data belongs to the organization workspace. If a user leaves an organization or deletes their personal account, historical organization records such as projects, hours, evidence, and exports may remain available to the organization to preserve administrative continuity.

Integration tokens are retained while the integration is active. When an integration or organization is deleted, active integration credentials are removed from the active database, subject to backup and logging retention.

Billing records are retained as required for accounting, tax, legal, and dispute-resolution purposes.

Support communications and technical logs are retained as long as reasonably needed for support, troubleshooting, security, and business records.

8. Security

We use appropriate technical and organizational measures to protect your data against unauthorized access, loss, destruction, or alteration. These measures may include:

• password hashing;
• secure, HttpOnly cookies;
• CSRF protection;
• role-based access controls;
• organization-level permissions;
• two-factor authentication support;
• secure handling of password reset tokens;
• secure handling of integration tokens;
• rate limits on sensitive routes;
• operational logging and monitoring.

No method of transmission or storage is completely secure. While we work to protect your data, we cannot guarantee absolute security. If you suspect a security incident, please contact us immediately.

9. Your Rights

Depending on your location and applicable law, you may have the following rights:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to data portability;
• right to object;
• right to withdraw consent.

To exercise these rights, please contact us via the contact page. We may ask you to verify your identity before fulfilling your request.

If you are located in the European Economic Area, you also have the right to lodge a complaint with your local supervisory authority.

10. International Data Transfers

R&Dossier may use service providers that process data outside your country of residence. Where applicable law requires safeguards for international transfers, we use appropriate transfer mechanisms such as contractual protections, Standard Contractual Clauses, or transfers to countries covered by an adequacy decision.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or product functionality.

When we update this policy, we will change the “Last updated” date. For material changes, we may also notify users by email or through the service.

12. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via the contact page.