Privacy Policy
Last updated: 28 April 2026
Introduction
This Privacy Policy explains how Jolo Vita (KvK: 87189437), operating as Bulk Contact Manager ("we", "us", or "our"), collects, uses, and protects personal data.
1. Our Role: Controller vs. Processor
To comply with the General Data Protection Regulation (GDPR), we distinguish between two types of data:
- Customer Account Data: Information about you (the user) necessary to create your account. For this data, Jolo Vita acts as the Data Controller.
- Xero Tenant Data: The contacts, invoices, and organizational data synchronized from your Xero account. For this data, you are the Data Controller, and we act exclusively as the Data Processor. This relationship is governed by our Data Processing Agreement (DPA).
2. Information We Collect (As a Controller)
When you connect to our Service, we collect:
- Account Data: Your email address, name, Xero Tenant ID, and OAuth access/refresh tokens. Legal Basis: Performance of a Contract.
- Support Data: Information you provide when contacting our support desk. Legal Basis: Legitimate Interest.
3. Information We Process (As a Processor)
To provide the filtering, calculating, and bulk-updating features of the Service, we temporarily cache:
- Cached Xero Data: Contact details (names, addresses, tax numbers, phone numbers, contact group memberships) and basic invoice metadata (invoice dates, contact IDs).
- Security: This data is encrypted at rest using AES-256-GCM and transmitted exclusively via TLS 1.3. We do not sync or store financial amounts, line items, or bank transactions.
4. Cookies and Local Storage
We use strictly necessary cookies and local browser storage solely to provide the core functionality of the Service. These include session cookies required to maintain your secure authentication state with Xero and tokens to prevent cross-site request forgery (CSRF) attacks. Because these technologies are strictly necessary to operate the application securely, they do not require prior consent. We do not use third-party tracking, advertising, or marketing cookies.
5. Information Sharing & Sub-processors
We do not sell, rent, or trade your personal information. We share data only with strictly vetted third-party sub-processors required to operate our infrastructure (e.g., EU-based cloud hosting and transactional email providers).
If a sub-processor is located outside the European Economic Area (EEA), we ensure data transfers are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework. A complete list of our sub-processors is available in our DPA.
6. Data Retention
- Xero Tenant Data: Cached Xero data is retained only as long as your Xero organization remains connected. If you revoke our access via your Xero dashboard or terminate your account, all associated cached contact and transaction data is permanently deleted from our active databases immediately.
- Account Data: We retain your basic account data for as long as your account is active, or as required to comply with Dutch tax and legal obligations.
7. Your Privacy Rights
Under the GDPR, you have the right to:
- Access, correct, update, or request deletion of your personal data.
- Object to or restrict the processing of your personal data.
- Request data portability.
Exercising Your Rights
To exercise these rights regarding your Account Data, email us at privacy@bulkcontactmanager.com. We will respond within 30 days. Please note that if you wish to exercise rights regarding data within your Xero Tenant Data (e.g., a contact wishing to be forgotten), you must execute this action directly within the Bulk Contact Manager app or your Xero dashboard.
8. Right to Complain
If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
9. Contact Information
- Data Controller: Jolo Vita
- KvK Number: 87189437
- Registered in: The Netherlands
- Email: privacy@bulkcontactmanager.com