Privacy Statement Qwoater









Qwoater is an application for managing and storing client and staff files, specifically for accountants and administration offices in Europe. Accountant offices, administration offices and their stakeholders who work with Qwoater have access to all kinds of documents regarding staff, annual accounts and client reports. The application stores all sorts of personal data. Protecting the privacy of companies and persons is of essential importance: trust in service is crucial. That is why Qwoater treats all data with the greatest possible care. The requirements, which, among other things, result from the General Data Protection Regulation (GDRP), need to be taken into account.

Processing personal data

In Qwoater, personal data is consulted, edited and stored. In the case of HR services, the employer is legally responsible for processing the employees’ data: the employer determines the goal and the means for processing. The accountant or administration office to whom the HR services were outsourced is legally the processor of the personal data: they process the data for the employer. Qwoater is a sub-processor of this personal data. In other cases, the accountant is the responsible party, and Qwoater is the processor.

For some of the processes, Qwoater is the responsible one – for example, in the context of client-tracked contact information. The privacy law’s given obligations regarding processing personal data form the basis for the responsible party. They need to ensure that the law for processing personal data is met. However, Qwoater also has certain obligations as a (sub-) processor, such as in the field of personal data security. For this reason, Qwoater has closed sub-processor contracts with their clients that state which security requirements need to be met and what will happen in the case of a data breach.

Statistic use

The sub-processor contract allows Qwoater to statistically use the size and types of documents stored within Qwoater. Qwoater performs statistical analyses on this data. This improves the quality of the service and aids in developing informational products. Informational products are used to map trends and developments and facilitate the accounting process. Qwoater only includes non-trackable data in informational products. Qwoater doesn’t perform statistical analyses against the interest of accountants, administration offices or their clients and is extremely careful with the data.


When visiting Qwoater’s website, some visiting data, cookies, are tracked. Cookies are small files placed on a computer, phone or tablet by a website provider. These cookies collect information about the website visit and ensure that the website can be used faster, all while protecting against cyberattacks. Besides giving information, for example, about the location where the website was visited, they deliver monitoring data for the technical workings of the Qwoater web applications.

Marketing automation

This website is linked to the ActiveCampaign software. This software makes it possible to use marketing automation within forms and newsletters. The software uses a first-party cookie for these services. For sending transactional emails, AWS and Twillio Sendgrid are used. Transactional emails are not used for marketing purposes.


Qwoater regularly sends digital newsletters to its customers or relations to inform them about the services Qwoater provides. At the bottom of every newsletter, there is a possibility to unsubscribe or opt out.

Rights of data subjects

Data subjects, the natural entity related to the personal data, can request an overview of the personal data the responsible party processes about them. The personal data Qwoater processes as a sub-processor is the responsibility of the accountant or administration office: requests to see and optionally edit, shield, or delete personal data can be addressed to the responsible party. Requests to see and optionally edit, shield, or delete other personal data can be addressed to the managing board of Qwoater BV, Postbus 152, 5000 AD Tilburg or Incoming requests will be addressed and answered as soon as possible, but no later than within four weeks.

Invalidity Privacy Shield

In July 2020, the European Court declared the Privacy Shield invalid in the so-called Schrems II verdict. The Privacy Shield organised the exchange of personal data between EER and the US within the demands of the GDRP. Like most organisations, Qwoater works with organisations with their headquarters in the US (for example, Google, AWS, and Microsoft). We will keep an eye on the consequences and the measures that need to be taken from the verdict through privacy organisations like the Dutch Data Protection Authority and the European Data Protection Board (EBPD). Next to that, all documents in Qwoater will be kept in the EER and are encrypted with multiple encryption to make sure the content of the documents is not readable in the US. With these measures, the confidentiality of the data in documents is ensured.


This privacy statement can be edited. The most recent version of the privacy statement can always be found on this page. Last edit: 20-04-2022