/>

Privacy Policy

Last updated: 19 June 2026 · Dutchcode B.V. ("Dutchcode", "we"), Den Dungen, Netherlands (KvK 90452151) · Contact: support@bol.ai

Bol.ai converts Bill of Lading documents into structured data. This policy explains what personal data we process when you use bol.ai, why, where it is stored, and the rights you have under the GDPR.

1. Data we process

CategoryExamplesPurpose / legal basis
Account dataEmail address, hashed password, API key hashesProviding the service (contract, art. 6(1)(b))
Documents & extracted dataBills of Lading you upload, email in, or submit via API; the structured fields extracted from them; your correctionsProviding the service (contract). Documents may contain personal data of third parties (e.g. names in shipper/consignee fields); you are responsible for being entitled to process those documents.
Billing dataSubscription status, purchases, usage counts. Card details are processed by Stripe and never touch our servers.Contract and legal (tax) obligations
Technical & error dataIP address (rate limiting), error reports and feedback you submit (Sentry, EU region)Security and service quality (legitimate interest, art. 6(1)(f))

2. Our role: controller and processor

For your account, billing, and technical data, Dutchcode B.V. is the data controller. For the personal data contained inside the documents you submit — for example names and addresses in shipper, consignee, or notify-party fields — you are the controller and we act as your processor under article 28 GDPR. As your processor we:

3. Where your data lives

Documents and extracted data are stored exclusively in the European Union: our database runs in Western Europe and file storage is under EU jurisdiction (Cloudflare R2, EU). Extraction runs on Cloudflare Workers AI; documents are sent to the model on-demand for inference only. Error monitoring uses Sentry's EU (Frankfurt) ingestion region. We do not sell personal data, and your documents are never used to train our models or any third-party provider's models.

4. Third-party services we rely on

We engage the sub-processors below to run the Service. Each receives only the data needed for its role.

ProviderWhat they receivePrivacy policy
Cloudflare, Inc.IP address, browser user-agent, request metadata; documents and extracted data for hosting, storage and AI inferencecloudflare.com/privacypolicy
Stripe, Inc.Email address, billing address, payment method (card data handled solely by Stripe), subscription and purchase metadatastripe.com/privacy
Functional Software, Inc. (Sentry)IP address, browser user-agent, error stack traces and optional feedback text you submitsentry.io/privacy
Resend, Inc.Email address and message content for transactional email (password resets) and founder outreach (marketing, with unsubscribe)resend.com/legal/privacy-policy
Google LLCIP address, browser user-agent (web fonts loaded from fonts.googleapis.com / fonts.gstatic.com)policies.google.com/privacy
Apollo.io (ZenLeads, Inc.)Business contact data (name, title, company, email) when our team searches or imports sales prospects in the admin console — not used in the customer-facing productapollo.io/privacy-policy

We give reasonable advance notice before adding or replacing a sub-processor.

5. Retention

Documents and extractions are retained while your account is active so you can access your history. You can delete individual documents from the app at any time. You can delete your entire account from Account settings in the app (email confirmation and password required) or by emailing support@bol.ai; we delete personal data immediately on self-service deletion. Billing records required for tax law may be retained without personal identifiers. Error data in Sentry is retained for 90 days.

6. Your rights

Under the GDPR you can request access, correction, deletion, restriction, portability, and object to processing based on legitimate interest. Email support@bol.ai. You can also lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag).

7. Data breaches

In the event of a personal data breach that is likely to affect your rights, we will notify the Dutch DPA within 72 hours and inform affected users without undue delay, as required by GDPR art. 33–34.

8. Cookies

Bol.ai uses one strictly necessary cookie: the session cookie that keeps you signed in. We set no advertising or cross-site tracking cookies.

9. Changes

We will update this policy as the service evolves and note the date above. Material changes will be announced in the app.