1. Who is responsible?
The controller for Sortie is:
DirectCoDe B.V. (operator of Sortie.run)
Inkoperhof 8, 2231 HC Rijnsburg, The Netherlands
CoC 57391076 · VAT NL852560035B01
Email: support@sortie.run · Phone: +31 71 234 0101
For privacy questions or complaints, contact us at support@sortie.run. We respond within five working days.
2. What data do we process?
We only process what's needed to deliver the service. Broadly:
2.1 Account and billing data
- Name, email, phone number and job title of users
- Company name, address, CoC and VAT numbers of the organisation
- Login credentials (email + hashed password) and session cookies
- Payment and invoicing details (handled through our payment provider)
2.2 Operational data inside Sortie
- Customer/stop master data you enter (name, address, phone, email, notes)
- Trips, stops, planning, timestamps and route history
- Location data of vehicles/crew (only during an active trip, based on the consent the employer arranges with the crew member)
- Delivery evidence: signature, photo, scan timestamp
2.3 Logging and infrastructure
- IP address and user-agent in access logs (for security, abuse detection and debugging)
- Timestamps of logins and important actions (audit trail)
- Error messages and performance metrics (to spot problems)
3. Why do we process this data?
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Performing the contract — creating accounts, generating plans, recording trips | Contract (1(b)) |
| Invoicing and bookkeeping | Legal obligation (1(c)) |
| Security, fraud prevention, abuse monitoring | Legitimate interest (1(f)) |
| Service emails (outages, changes to terms, invoices) | Contract (1(b)) |
| Product improvement on anonymised data | Legitimate interest (1(f)) |
| Marketing emails about Sortie to existing customers | Legitimate interest (1(f)) — unsubscribe any time |
4. How long do we keep data?
- Account and operational data: for as long as you are an active customer, plus 90 days after to wrap up any export.
- Invoicing and bookkeeping: 7 years (statutory tax retention).
- Access and audit logs: 90 days, then aggregated or deleted.
- Backups: continuous replication — we can restore your data to any moment in the past 7 days, down to the minute. No daily snapshots where intermediate state gets lost.
You can also request deletion at any time — see section 8.
5. Who do we share data with?
Sortie does not sell data and does not pass anything to third parties for advertising purposes. We do engage European-only processors to deliver the service — no US cloud, no Cloud Act exposure, no Privacy Shield headaches:
| Purpose | Processor | Location |
|---|---|---|
| Application server hosting | DirectCoDe B.V. | The Netherlands (EU) |
| Storage of databases and files | Bunny.net | Slovenia (EU) |
| Continuous backups (every 10 seconds, 7-day recovery window) | Bunny.net | Slovenia (EU) |
| Continuity backup (latest version, in case Bunny is unavailable) | Hetzner Online | Germany (EU) |
| CDN and DDoS protection | Bunny.net | Slovenia (EU) |
| Payment processing and direct debit | MultiSafepay | The Netherlands (EU) |
| Sending transactional email | Sweego | France (EU) |
| Financial administration | Exact | The Netherlands (EU) |
We have a data-processing agreement (DPA) in place with all of these parties, covering technical and organisational measures. We do not transfer personal data outside the European Economic Area.
6. Security
- All connections run over a secure HTTPS connection.
- Passwords are stored in encrypted form — we cannot read them.
- Role-based access inside Sortie: not everyone can see everything.
- Continuous backups: every 10 seconds to Bunny.net, with a 7-day recovery window to any moment. On top of that a continuity backup with Hetzner so your data stays reachable even if one provider fails completely.
- In the event of a data breach posing a risk to data subjects, we notify the Dutch Data Protection Authority within 72 hours, and — where required — you.
7. Cookies
Sortie only uses cookies that are needed for the site to work:
- A login cookie, so you don't have to sign in again on every page.
- A security cookie, so no one can secretly trigger actions on your behalf.
- A language cookie, so we remember your language choice.
We do not use tracking cookies or advertising cookies. That's why there is no cookie banner.
8. Your rights
Under the GDPR you have the right to:
- Access the data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion ("right to be forgotten"), to the extent we have no statutory retention obligation.
- Object to processing based on legitimate interest.
- Restrict processing in the event of a dispute.
- Receive your data in a common format (data portability).
- Withdraw any consent you previously gave, at any time.
Email support@sortie.run with your request. We respond within four weeks.
9. Changes
We may amend this privacy policy. The latest version is always on this page. For material changes we notify signed-in users by email in advance.