Privacy Policy

Version 2.0 – October 2, 2025

Yepyr B.V. - Stadionstraat 11 C11 - 4815 NC Breda - Netherlands.

BARP is a trade name of Yepyr B.V., having its registered office in Breda (KvK 93769792. VAT NL866521641B01). Yepyr B.V. is the processing controller (Controller) within the meaning of the General Data Protection Regulation (AVG). Yepyr B.V. has appointed a Data Protection Officer (DPO).

Questions or requests should be directed to:

Email: dpo@yepyr.com

In writing: Yepyr B.V., Stadionstraat 11 C11, 4815 NC Breda, the Netherlands.

1. To whom does this statement apply?

This Privacy Policy applies to:

• Users of the BARP platform (SaaS).
• Website visitors to barp.io.
• Newsletter subscribers and marketing contacts.

2. What data do we process?

Account and usage data (BARP SaaS).

• Name, e-mail, organization, login information.
• Log files, usage statistics and settings within the platform.
• This data is necessary for providing the services of Yepyr B.V. and BARP, security, support, and monitoring in accordance with legitimate interest and the execution of the agreement.

Purposes: providing the service, security, billing, support.

Basis: performance of the contract, legitimate interest.

Billing information

• Name, address, VAT number, payment information.

Purposes: administration and billing.

Basis: legal obligation, performance of the contract.

Website and cookie data

• IP address (anonymized), device information, cookie IDs, preferences.

Purposes: technically necessary operation, statistics, personalization.

Basis: legitimate interest (essential cookies) or consent (analytical/marketing cookies).

Management: via cookie settings. BARP uses CookieYes for automatic scanning, classification and consent management.

Consent can be withdrawn at any time via the cookie settings on our website or within the platform.

Marketing & communication

• Name, email, newsletter preferences, open/click behavior (via tracking pixels).

Purposes: to inform about updates, events, news.

Basis: consent or legitimate interest (in the case of an existing customer relationship).

3. With whom do we share data?

• Employees of Yepyr B.V. under a duty of confidentiality.
• Service providers working on our behalf:
  • Microsoft 365 for email, documents; data at rest in EU.
  • Cloudflare for DNS management and spam and bot protection via Turnstile; no content processing of personal data.
  • Google Analytics applied only on the website https://barp.io and only after Consent with IP anonymization.
  • CookieYes for cookie and consent management; based in the United Kingdom.
• Other hosting and core systems are processed exclusively within the EU.
• Legal authorities if required.

We never sell personal data.

Important: Data that users enter into the BARP platform (SaaS) is not shared with Google Analytics or other third-party marketing services. This data remains within the EU infrastructure of our hosting providers.

4. Storage and transfer

We store data preferably within the EU. If transfer to third countries takes place (e.g. by using global cloud services), we apply appropriate safeguards, such as Standard Contractual Clauses or the EU-US Data Privacy Framework. This applies, for example, to Microsoft 365 (communication and documents) and Google Analytics (only for website use).

For cookie and consent management, we use CookieYes, a service provider based in the UK. The European Commission has issued an adequacy decision for the UK, allowing the transfer of personal data to the UK under the AVG.

For BARP platform services (SaaS):

• The hosting and core systems run exclusively with European providers based in the EU and with no parent company in third countries.
• As a result, this data is not subject to the U.S. Cloud Act and remains fully protected under only European Union laws and regulations. This keeps all SaaS data under exclusive EU law (AVG, NIS2, etc.).
• Log files, monitoring data, and security information are retained for a maximum of 12 months and then anonymized or deleted.
• After termination of the service, all customer data is deleted within a maximum of 90 days, unless otherwise agreed.

5. Security

We take appropriate technical and organizational measures to protect personal data from loss, misuse and unauthorized access. In doing so, we use internationally recognized standards and guidelines as a starting point, including ISO/IEC 27001 (information security), NIST and the OWASP guidelines for application security. Although Yepyr B.V. is not currently certified, our internal processes and controls align with these standards to the extent possible.

Specifically, this includes:

• Secure access with TLS, MFA/2FA.
• Strict access control and logging including "least privilege" and auditing.
• Incident and data breach procedures in accordance with AVG.
• Backup and recovery facilities including testing procedures.
• Security in software development with a focus on secure coding and OWASP principles.
• Periodic risk assessments and pen tests where relevant.
• Processor agreements with all vendors.
• We continuously evaluate and improve these measures.

6. Retention periods

• Account data: as long as the agreement runs + max. 12 months.
• Billing data: 7 years (tax retention requirement).
• Marketing data: until you opt out or object.
• Cookie data: in accordance with retention periods as stated in the cookie policy.

7. Your Rights

1. You have the right to access, correct, delete, restrict, transfer and object. For further information see the Personal Data Authority.
2. You may exercise your rights through the contact information listed in this Privacy Policy.
3. You also have the right to file a complaint with the Personal Data Authority.

8. Changes

We may update this Privacy Policy. The most current version is always available at https://barp.io/juridische-informatie/privacyverklaring.

9. Profiling and Automated Decision-Making

BARP does not use automated decision-making or profiling based on personal data that has legal effects on users.