English version
1. Introduction
This Privacy Policy explains how ADS Web Services B.V. (KvK 42022140) ("we", "us", "our", the "Controller") collects, uses, discloses, and protects your personal data when you use the CoinVault Pro mobile application, website (aicoincollector.com), and related services (collectively, the "Service").
We act as the data controller within the meaning of Regulation (EU) 2016/679 (the "GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
Company details:
- ADS Web Services B.V.
- Registered office: Amsterdam, the Netherlands
- Chamber of Commerce (KvK) number:
42022140 - VAT (BTW) number:
<BTW_NL_NUMMER> - General contact: info@adswebservices.nl
- Support contact: support@aicoincollector.com
- Privacy contact (internal DPO): privacy@aicoincollector.com
2. Personal data we collect
We collect the following categories of personal data:
- Account data: email address, display name, and (optionally) a profile picture you choose to upload.
- Authentication data: identifiers received from third party sign-in providers (Google, Apple, Microsoft Azure AD, Facebook). We only request the minimum public profile scope (e.g. name, email, unique provider ID). We do not receive or store your password from those providers.
- User content: photographs of coins captured via your device camera, coin collections you create, social posts, comments, likes, follows, marketplace listings, and messages.
- Device and technical data: device identifier, operating system, OS version, app version, language settings, truncated IP address (for geolocation at country/region level only), and crash or diagnostic logs.
- Usage data: number of scans per day, features used, in-app events, session duration, conversion events.
- Payment data: when you subscribe via Stripe, we receive your Stripe customer ID, the last 4 digits of your card, card brand, expiry month/year, billing country, and invoice metadata. We do not store full card numbers. In-app purchases made through Apple App Store or Google Play are processed by Apple/Google; we only receive the transaction receipt and entitlement information.
3. Purposes and legal bases for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service: account creation, AI coin recognition, collection management, social features, marketplace, subscription handling | Art. 6(1)(b) – performance of a contract |
| Fraud detection, abuse prevention, security monitoring, product improvement and analytics on aggregate level | Art. 6(1)(f) – legitimate interest |
| Marketing communication, personalised advertising via AdMob, optional product analytics, push notifications for non-essential content | Art. 6(1)(a) – consent (revocable at any time) |
| VAT administration, accounting, AML/CTF obligations, response to lawful authorities' requests | Art. 6(1)(c) – legal obligation |
4. Recipients and sub-processors
We share personal data with carefully selected service providers acting as processors on our behalf. We have signed Data Processing Agreements (DPAs) with each of them in accordance with Art. 28 GDPR.
- Cloudflare, Inc. – CDN, WAF, DNS (EU + US, EU-US Data Privacy Framework certified).
- Hetzner Online GmbH – hosting infrastructure (Germany, ISO/IEC 27001 certified).
- Supabase Inc. – managed PostgreSQL database (EU region – Frankfurt).
- Upstash Inc. – Redis cache / queue (EU region).
- Stripe Payments Europe Ltd – payment processing (Ireland, EU).
- Apple Inc. – Sign in with Apple and In-App Purchases (DPF certified).
- Google LLC – Sign-In, Firebase Auth, Firebase Cloud Messaging (FCM), AdMob, Gemini AI (coin recognition), Analytics (DPF certified).
- Microsoft Corporation – Azure AD sign-in (DPF certified).
- Meta Platforms, Inc. – Facebook Login (DPF certified).
- Numista SAS – numismatic catalogue API (France).
- Resend Inc. – transactional email delivery (Ireland / EU region).
- Functional Software, Inc. (Sentry) – error and crash tracking (EU region).
- PostHog Inc. – product analytics (EU region option).
We do not sell personal data. We do not disclose personal data to other third parties except where required by law, court order, or where strictly necessary to enforce our Terms of Service or protect our rights.
5. Retention periods
- Active account data: retained as long as the account is active.
- After account deletion: 30 days soft-delete window (for account recovery), after which personal data is permanently deleted or irreversibly anonymised.
- Invoices / VAT administration: 7 years (Dutch tax legislation – Art. 52 Algemene wet inzake rijksbelastingen).
- Audit, security and login logs: 12 months.
- Marketing data: until you withdraw consent or after 24 months of inactivity.
6. Your rights under the GDPR
As a data subject you have the following rights, which you can exercise free of charge by emailing support@aicoincollector.com or privacy@aicoincollector.com. We respond within 30 days (extendable by 60 days for complex requests):
- Right of access (Art. 15): request a Data Subject Access Request (DSAR) and receive a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate data, primarily via in-app settings.
- Right to erasure / "right to be forgotten" (Art. 17): delete your account via Account → Delete account in the app or by email.
- Right to data portability (Art. 20): request a machine readable export of your data at any time via
GET /api/v1/users/me/export, which delivers a ZIP archive. - Right to restriction of processing (Art. 18).
- Right to object (Art. 21), including the absolute right to object to direct marketing.
- Right to withdraw consent (Art. 7(3)): for analytics and advertising at any time, without affecting processing prior to withdrawal.
- Right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl), or with the supervisory authority of your habitual residence.
7. Cookies and tracking technologies
- Strictly necessary: session cookie, CSRF token, authentication cookie. These cannot be switched off.
- Functional: language/region preference, UI theme.
- Analytics: PostHog with IP anonymisation. You can opt-out via the in-app privacy settings.
- Advertising: Google AdMob personalised ads. We obtain prior opt-in consent via Google's User Messaging Platform (UMP) consent banner, in line with IAB TCF v2.2. On iOS we additionally comply with Apple's App Tracking Transparency (ATT) framework.
8. Children
The Service is intended for users aged 13 and over, in line with the Google Play Developer Program Policies and the Apple App Store Review Guidelines. In some jurisdictions (including parts of the EU under Art. 8 GDPR), the digital age of consent is 16 and parental consent is required below that age. We do not knowingly collect personal data from children under 13 (or the applicable local age of digital consent). If you are a parent or legal guardian and believe your child has provided us with personal data, please contact support@aicoincollector.com and we will delete the data without undue delay.
9. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where they are certified under the EU-US Data Privacy Framework (DPF) — which currently applies to Google, Apple, Microsoft, Meta, Stripe and Cloudflare — transfers are based on an adequacy decision of the European Commission (Art. 45 GDPR).
For sub-processors that are not DPF-certified we rely on the Standard Contractual Clauses (SCCs, 2021/914) and, where required, supplementary measures (encryption in transit and at rest, pseudonymisation) based on a Transfer Impact Assessment (TIA).
10. Security
- TLS 1.3 in transit for all API and web traffic.
- AES-256 encryption at rest for databases and S3 storage.
- Row-level security policies in PostgreSQL per user.
- Short-lived JWT access tokens with refresh token rotation and reuse detection.
- bcrypt with high work factor for password hashing.
- Two-factor authentication (2FA) – planned post-launch.
- 24/7 monitoring, vulnerability scanning, and a documented incident response plan including 72-hour data breach notification (Art. 33 GDPR).
11. Updates to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and via an in-app banner at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.
12. Contact
ADS Web Services B.V.
Amsterdam, the Netherlands
KvK: 42022140 · BTW: <BTW_NL_NUMMER>
Email: info@adswebservices.nl
Privacy / DPO: privacy@aicoincollector.com
Support: support@aicoincollector.com