Privacy statement B.V. (hereinafter: “OTF”) is a Doetinchem based company that provides VAT refund services to customers who live outside the European Union and purchase goods within the European Union. To be able to provide its services, OTF uses personal data. OTF is committed to protect and safeguard any personal data it processes.

In this privacy statement OTF informs about what personal data it processes, for which purposes and why. OTF also informs about how, on what legal basis and for how long it processes the personal data and informs about the rights of data subjects (hereinafter: “you”) regarding personal data.


What personal data does OTF process?

With regard to its services, OTF processes the following personal data:

  1. Name and address details;
  2. Email address;
  3. Telephone number;
  4. Nationality;
  5. Bank details.

OTF does not process your sensitive personal data (such as data relating to race ethnic origin, religious beliefs, criminal record, medical, physical or mental health or sexual orientation).


Why does OTF need this data? 

OTF needs this personal data for different purposes. Mainly OTF needs your personal data for its business operations and for the proper performance of its services. OTF also processes your personal data for the following purposes:

  1. Execution of agreements, transactions and services;
  2. Financial administration;
  3. Making and receiving payments;
  4. Sending you a newsletter;
  5. Keep you informed about (new) products and services;
  6. Other marketing purposes;
  7. Developing and improving its services and website;
  8. Complying with legal obligations.


Is this processing legitimate?

OTF only processes your personal data if a valid legal basis exists. OTF processes your personal data on the following legal bases:

  1. The processing is necessary in order to perform an agreement (providing services) with you or in order to take steps at your request prior to entering into an agreement;
  2. You have given consent to the processing;
    1. OTF asks for your consent to process your personal data for specific purposes, such as sending you its newsletter. You have the right to withdraw your consent at any time. 
  3. The processing is necessary for the purposes of the legitimate interests pursued by OTF and these interests outweigh your interests or fundamental rights;
    1. OTF processes your personal data on the basis of a legitimate interest when OTF, for example, uses your contact details to send you unsolicited commercial messages and for maintaining its business relationship after completion of the agreement.
  4. The processing is necessary in order to comply with legal obligations to which OTF is subject;
    1. OTF processes its personal data in order to comply with legal obligations such as administrative obligations for tax purposes or providing information to a public authority or law enforcement agency.


To whom does OTF provide your data? 

OTF may share your personal data in some circumstances with:

  1. The retailer that makes OTF’s services available;
  2. Persons who work for OTF;
  3. Trustworthy business partners, such as data processors; financial service providers.
  4. To facilitate the sending of content/newsletter for marketing purposes;
  5. The Dutch Tax and Customs Administration and other authorities in case of a legal obligation.

OTF processes personal data on servers within the European Economic Area (EEA).


How does OTF protect your personal data? 

At, we prioritize the security and confidentiality of our users' personal data. Our commitment extends to safeguard your information against unauthorized access, disclosure, alteration, or destruction. Here's how we ensure the protection of your data:

Secure Connections and Cryptographic Signatures: We employ state-of-the-art encryption protocols to ensure that all data transferred between your device and our servers occurs over secure connections. Additionally, all data transmissions are cryptographically signed, providing an added layer of security against tampering or interception by malicious actors.

Username/Password Authentication and JWT Tokens: Our login procedure utilizes a username/password-based authentication system. Upon successful authentication, we generate fine-grained JSON Web Tokens (JWT) that securely encapsulate user session information. These tokens are utilized for subsequent interactions within the platform, ensuring authenticated access to authorized resources while mitigating the risk of unauthorized access.

Encryption of Private Data and API Keys at Rest: We implement robust encryption mechanisms to protect all private data and API keys stored within our systems while at rest. This encryption ensures that even if unauthorized access to our storage infrastructure were to occur, the underlying data remains unintelligible and inaccessible to unauthorized entities. Furthermore, decryption keys necessary to access this encrypted data are securely stored at our cloud provider, utilizing industry best practices to prevent unauthorized access or compromise.

OTF will only process your personal data that is necessary in relation to the purposes for which OTF processes them. On a regular basis OTF reviews its personal data collection, storage, and protection practices, including physical security measures, to protect your personal data as much as possible. In case of an incident, OTF will report this incident to Dutch Data Protection Authority.


How long does OTF retain your personal data?

The personal data that you submit to OTF will only be retained as long as required and necessary for the purposes for which the data was collected and to establish, exercise and defend its legal position in the event of claims or disputes. OTF will take reasonable steps to destroy or de-identify your personal data if it is no longer needed for the purposes. You can send a written request to destroy personal to OTF by email ( After the request is accepted, your personal data will be destroyed.


Your rights with regard to your personal data 

According to the GDPR you have the right to request an overview of your personal data processed by OTF. You also have the right to request rectification and erasure of these data. Other rights you have are the right to object to and request for restriction of the processing of your personal data. In addition, you have the right to revoke your consent given for the data processing and the right to receive your personal data or have this transmitted to any organisation pointed out by you, in a structured, commonly used, and machine-readable format.

OTF will deal with a request in connection with the exercise of one of above mentioned rights in the way as prescribed by the GDPR. You can send OTF a written request by email ( if you want to exercise one (or more) of these rights. Please include a partially obscured identity document. This tells OTF the request comes from you. You should in any case obscure your passport picture, the strip of numbers at the bottom of the passport, the passport number, and the citizen service number. OTF will respond to your request as soon as possible, but in any case, within four weeks.

Aforementioned rights are not absolute rights. This means that these rights do not apply under all circumstances, and OTF is not obliged to honour your request.

OTF also wishes to point out that you can address any complaints about the processing of your personal data by OTF to the Dutch Data Protection Authority (

Questions, complaints, and contactIf you have any questions, wish to exercise any of the aforementioned rights or if you have a complaint about OTF’s use of your personal data, please send OTF an email ( In addition, you can reach OTF using the below contact details: B.V.
Terborgseweg 102
7005 BC Doetinchem
The Netherlands



OTF reserves the right to change this privacy statement at any time, for example when the law changes or OTF starts performing new processing activities.

This statement was amended on 25 March 2024 for the last time.