GDPR & Data Processing
Last updated: 26 March 2026 · Effective from: 26 March 2026
1. Data Controller
The data controller responsible for your personal data is:
Epistemic Group
Netherlands
Email: admin@instantfield.com
As a controller, we determine the purposes and means of processing your personal data when you use InstantField.
2. Legal Basis for Processing
We process personal data on the following legal bases under Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)) — the primary basis for processing your account data, operational data, and billing information. Processing is necessary to provide the InstantField service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)) — for server security logging, fraud prevention, and improving the reliability of the Service, where our interests do not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — where we are required by law to retain certain records (e.g. financial records for tax purposes).
- Consent (Art. 6(1)(a)) — for push notifications on the mobile app, where you have explicitly granted permission.
3. Categories of Personal Data
Data about account administrators and users
- Full name
- Email address
- Role within the organisation (admin, backoffice, field worker)
- Language preference
- Hashed password (we cannot read your password in plain text)
Data about your clients
InstantField allows you to store client information (names, addresses, contacts). As the data controller of your clients' data, you are responsible for ensuring you have a lawful basis to process and store that data within our platform.
Operational data
- Job records, schedules, assignments, and status history
- Work reports including notes, timestamps, photos, and signatures submitted by field workers
- Location stamps recorded at the time of work report submission
- Inventory items and material usage records
- Invoices and payment records
Technical data
- IP addresses and server access logs (retained up to 90 days)
- Device push notification tokens (Android)
4. Data Processors (Sub-processors)
We use the following third-party processors to deliver the Service. All are bound by data processing agreements where required:
- Stripe, Inc. (USA) — payment processing. Stripe is certified under the EU–US Data Privacy Framework and processes payment data under their own controller/processor arrangements. See the Stripe Privacy Policy.
- Google LLC / Firebase (USA) — push notifications for the Android app. Google is certified under the EU–US Data Privacy Framework. Only device tokens and notification payloads are shared. See the Google Privacy Policy.
- VPS hosting provider — server infrastructure located within the EU where all customer data is stored and processed.
5. Data Retention
- Account and operational data — retained for the duration of your active subscription. Deleted within 30 days of account deletion or subscription termination.
- Financial records — retained for 7 years as required by Dutch tax law (Belastingdienst).
- Server logs — retained for up to 90 days for security monitoring.
- Backups — automated backups may retain data for up to 30 days after deletion from the live system.
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, email admin@instantfield.com with your request. We will respond within 30 days. We may ask you to verify your identity before processing the request.
7. Data Breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.
8. International Data Transfers
Your data is primarily stored and processed within the EU. Where data is transferred to third parties outside the EU (Stripe, Google), such transfers are covered by adequacy decisions or the EU–US Data Privacy Framework, ensuring an equivalent level of data protection.
9. Complaints
If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the Dutch data protection authority:
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)88 1805 250
We would always appreciate the opportunity to address your concerns directly before you contact the authority. Please email us first at admin@instantfield.com.
10. Contact
For any GDPR-related requests or questions, contact:
Epistemic Group
Email: admin@instantfield.com
We aim to respond within 5 business days.