Working with Clients · Article 4.7
GDPR: what data we store about your clients, why, and for how long
Clozo stores the minimum personal data needed to issue invoices and route emails — name, email, country, address, and (if provided) VAT number — under a contractual lawful basis with 10-year retention to meet tax law.
GDPR (Regulation (EU) 2016/679) sets the rules for handling personal data of EU individuals. As a Clozo user, you're a data controller for your clients' data; Clozo is your data processor. This article tells you exactly what we store, why, on what lawful basis, and for how long — so you can answer when a client asks "what do you have on me" and so you can fill in your own RoPA (Record of Processing Activities) under Art. 30.
Why this works this way
Clozo's processing of client personal data falls under Art. 6(1)(b) — "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". Concretely: you can't issue an invoice to a client without knowing their name, address, and country (EU VAT Directive Art. 226 §5 mandates these); you can't email them a contract without their email; you can't apply reverse charge without their VAT number. Each piece of data has a documented purpose tied to the contract.
The retention period is constrained more by tax law than by GDPR. GDPR's "storage limitation" principle (Art. 5(1)(e)) says data may not be kept longer than necessary; tax law in every EU member state says invoices and supporting records must be kept for ~10 years. Germany: GoBD §147 AO (10 years). Netherlands: Wet OB art. 52 (7 years general, 10 for property records). France: Code de commerce L. 123-22 (10 years). Italy: Art. 2220 Codice Civile (10 years). Spain: Ley 58/2003 General Tributaria art. 70 (4 years general, but VAT documentation typically 10). The intersection: 10 years from the date of the last invoice or contract is the practical retention period Clozo applies.
What this means operationally:
- You delete a client. Soft-delete: the client is hidden from your dashboard but the underlying row, plus all proposals/invoices/contracts referencing them, is retained for legal traceability. Hard-delete is not available — a hard-delete would orphan invoices, breaking your tax compliance.
- Your client invokes Art. 17 (right to erasure). If they're not in an active contract and there's no tax-retention obligation, you can hard-delete via support escalation. If there's an active or recent (within 10 years) invoice, the lawful-basis-of-processing exception in Art. 17(3)(b) applies — you can refuse erasure and explain why (the EDPB has confirmed this). Clozo logs the response either way.
- Your client invokes Art. 15 (right of access). The full record we have on them (name, email, country, address, VAT number, all proposals/invoices, all timeline events, all signature audits) is exportable as a single JSON archive — open a support ticket and we generate one. This is the responsibility you bear as data controller; Clozo is the processor and we provide the tooling.
What we don't store about your clients:
- No bank account / IBAN data — clients pay you, but Clozo never sees their account number. SEPA transfers happen out-of-band; Stripe charges run through Stripe and only the last-4 of the card and a tokenised reference reach Clozo.
- No biometric data, no health data, no special-category data under Art. 9.
- No browser fingerprinting beyond the IP and User-Agent captured at signature time (eIDAS audit trail, article 11.2).
- No marketing tracking on the proposal page — no Google Analytics, no Facebook pixel, no third-party trackers reach clients.
Troubleshooting