Saloua El Moussaoui Jewelry Designer Image tooltip: Saloua El Moussaoui Jewelry designer Customer since 2025

Privacy policy

Saloua El Moussaoui Jewelry Designer Image tooltip: Saloua El Moussaoui Jewelry designer Customer since 2025

Last updated: June 24, 2026

OkiOki privacy policy

1. Who are we?

OkiOki (hereinafter: OkiOki, we, us, our) is provided by 33 Reasons NV, with its registered office at Brouwersvliet 4, PO Box 1, 2000 Antwerp, Belgium and registered in the Crossroads Bank for Enterprises under number 0718.718.233. OkiOki, part of the Xerius Group, is the provider of a Belgian digital administration and e-invoicing tool that supports self-employed persons, small companies and accountants in automating and centralising their financial administration.

In the context of these activities, OkiOki processes personal data and acts as a data controller or processor in accordance with the General Data Protection Regulation (hereinafter: GDPR). OkiOki attaches great importance to the protection of privacy and the correct processing of personal data covered by the GDPR.

Through this statement, OkiOki provides an overview of these processing purposes, the recipients to whom we transfer your data, the safeguards OkiOki takes to protect your personal data and the rights you can exercise with regard to OkiOki when we process your personal data.

You can reach us at:
Brouwersvliet 4, box 1
2000 Antwerp, Belgium
hello@okioki.be
privacy@xerius.be

2. Scope

This privacy statement applies to the processing of personal data by OkiOki as data controller in the context of its professional activities. This includes, but is not limited to, the processing of personal data relating to (potential) end customers, accountants, suppliers, service providers and other business contacts with whom OkiOki interacts or maintains a relationship in the course of its service provision and business operations.
In most cases, OkiOki acts as a processor, but in certain cases also as a data controller. We explain this difference below.

2.1. OkiOki as data processor

When OkiOki provides services to its customers, the accountants and the accountants, it processes personal data of end customers, users or other parties involved in these customers, such as suppliers, in certain cases. In this case, OkiOki acts as the data processor, on behalf of and solely on the instructions of this customer, who acts as the data controller.

The processing of these personal data takes place within the limits of the concluded agreement and in accordance with the provisions of the applicable data processing agreement.

For more information about the processing of your personal data in this context (such as the purposes, legal bases, retention periods and the exercise of your rights), please refer to the privacy policy of the customer of OkiOki, who is the data controller.

2.2. OkiOki as data controller

On the other hand, OkiOki itself acts as the data controller for the processing of personal data of:

  • Contact persons at its customers, the accountants and the end customers;
  • Own employees who are responsible for the execution of the service;
  • Suppliers and other external partners;
  • Visitors to our buildings, website or other digital channels.

In such cases, OkiOki itself determines the purposes and means of the processing and processes the personal data in accordance with the applicable legislation.

3. Why do we process your personal data?

3.1. Sales and lead management

3.1.1. What do we do with your personal data?

We collect and process your data for sales and lead management purposes. This means that we communicate with you in a pre-contractual phase with a view to concluding an agreement, making arrangements with you to set up a trial period and ultimately entering into a contract with you.

The legal basis for the processing of your data in the context of our sales and lead management is the necessity for the execution of the agreement in the pre-contractual phase; if no contract is ultimately concluded, we rely on our legitimate interest to carry out sales and lead management at the initiative of the lead.

3.1.2. What kind of data do we process?

Depending on sales and lead management, OkiOki processes, among other things: 

  • Identification data
  • Contact information
  • Professional data
  • Financial data.

3.2. Customer relationship management

3.2.1. What do we do with your data?

When you have a subscription plan with OkiOki, we do everything we can to maintain a good customer relationship with you. This involves following up on, and in certain cases terminating, the contract.
We base this processing of your personal data on the necessity for the performance of the contract.

3.2.2. What data do we process?

In order to manage customer relationships, we process, among other things:

  • Identification data
  • Contact information
  • Professional data.

3.3. Customer onboarding

3.3.1. What do we do with your data?

For customer onboarding, OkiOki processes personal data to create customer accounts, identify users and verify their permissions. In addition, roles and access rights are assigned and administrative and invoicing data are recorded. Where applicable, we link and verify bank account information through secure banking procedures. We also record onboarding interviews, collect user preferences and process information about accountants’ IT partners in order to organise and support our services effectively.

3.3.2. What data do we process?

Depending on customer onboarding, OkiOki processes:

  • Identification data
  • Contact information
  • Professional data
  • Financial statements
  • Preferences
  • Your national identification number.

3.4. Quality 

3.4.1. What do we do with your personal data?

In order to guarantee and optimise the quality of our services, we may process your personal data. We do this, among other things, by recording your feedback via our app, support tickets, questionnaires and feedback sessions via chat, email or phone. We will then collect your feedback and implement it. We will of course keep you informed.
We rely on our legitimate interest to improve the quality of OkiOki’s processing of your personal data.

3.4.2. What data do we process?

To monitor our quality, we process, among other things:

  • Identification data
  • Contact information
  • Any personal data about you that emerges from the feedback you provide to us.

3.5. Support

3.5.1. What do we do with your data?

If you encounter any problems with our app or if you need further support, we process your personal data to this end. For example, we register support requests through our in-app support module, read relevant user data to reproduce the problem, request additional information from you, provide feedback on sub-steps and send updates, workarounds and temporary solutions. Based on this, we also create support change requests and bug tickets for the technical team, ask for additional feedback or confirmation that the problem has been resolved and finally close the support ticket with a summary of the solution.
The legal basis for the processing of your personal data in the context of support is that it is necessary for the performance of the contract.

3.5.2. What data do we process?

In order to provide support, we process:

  • Identification data
  • Contact information
  • Professional data
  • All personal data that emerges from the support information.

3.6. Peppol KYC check

3.6.1. What do we do with your data?

In order to meet our legal obligations regarding identification, verification and compliance in the context of our connection to and use of the Peppol network, we process personal data as part of Know Your Customer (KYC) checks. This includes collecting relevant personal data, verifying this data against external and authentic records, as well as verifying involvement on company sanctions lists. In addition, we collect identification and contact details of legal representatives or authorised representatives, verify their identity and check the validity of mandates and powers of representation. We also process information about the role or function of persons involved within the organisation and perform checks to determine whether these persons appear on sanctions, fraud or other risk lists. This KYC information is verified both at the outset and periodically, insofar as this is required by the applicable legislation or compliance obligations.
This processing of your personal data is based on our legal obligation to verify your identity when registering on the Peppol network.

3.6.2. What data do we process?

As part of the Peppol KYC check, OkiOki processes and more:

  • Identification data
  • Contact information
  • Professional data
  • Financial statements
  • Your national identification number

3.7. Invoicing and payments

3.7.1. What do we do with your data?

OkiOki invoices end customers who pay directly as well as accountants who purchase a licence or use paid services. In this context, we process personal data for the purpose of generating and managing invoices and credit notes as well as for tracking payments.
The legal basis for the processing of personal data is the necessity for the performance of the contract or our legitimate interest in tracking payments.

3.7.2. What data do we process?

As part of our invoicing, we process, among other things:

  • Identification data
  • Contact information
  • Financial statements
  • Licence and product choices.

3.8. Marketing

3.8.1. What do we do with your personal data?

For marketing purposes, OkiOki processes personal data to inform and involve existing customers and users in the use of the platform. Existing customers can receive targeted updates and information about new applications and functionalities within the OkiOki app. Accountants can also be contacted with updates on new features. In addition, OkiOki processes personal data of entrepreneurs who have already created an account (e.g. via a free trial or PEPPOL activation) to send them invitations to take out a paid subscription plan.
We base this processing of personal data on our legitimate interest to market OkiOki and offer long-term subscription plans.

3.8.2. What data do we process?

In order to manage suppliers, we process, among other things:

  • Identification data 
  • Contact information 
  • Professional data 
  • Financial statements
  • Preferences.

3.9. Supplier management

3.9.1. What do we do with your data?

In order to maintain relationships with suppliers and enter into new contracts, we may process personal data relating to suppliers and their contact persons. This includes communication with the supplier and the tracking of payments. 
We base this processing of personal data on the necessity for the performance of the contract and our legitimate interest in maintaining contacts with suppliers, if a contract has not (yet) been concluded.

3.9.2. What data do we process?

In order to manage suppliers, we process, among other things:

  • Identification data 
  • Contact information 
  • Professional data 
  • Financial data.  

4. From whom do we obtain your personal data?

If we have not obtained your personal data directly from you, then we have received it from your employer, from your customer (as an IT service provider) or from your accountant.

5. How long do we keep your personal data?

We do not keep your personal data for longer than is strictly necessary for the purposes for which it was collected and, in any event, no longer than is permitted under the applicable laws and regulations, taking into account the statutory retention periods and any limitation periods.

6. With whom do we share your data?

6.1 Who are the recipients of your personal data?

OkiOki does not sell personal data to third parties. OkiOki also does not pass on personal data to third parties, unless to:

  • The data subject, their relatives, their employer and their authorised representatives;
  • Any legal successors and affiliated companies within the Xerius Group (such as subsidiaries and sister companies) for the same purposes as those mentioned in this privacy statement;
  • Third parties, subcontractors or external service providers in Germany and abroad for the same purposes as those set out in this privacy notice and in accordance with our data processing instructions;
  • Governments, lawyers (for the collection of receivables for unpaid invoices) and judicial institutions and regulators.

6.2. Transfer of your data outside the European Economic Area

For some of our processing activities, we are required to transfer your personal data to a partner or other organisation located outside the European Economic Area (hereinafter: EEA), where the GDPR does not apply.
A number of countries outside the EEA have been assessed as adequate by the European Commission: These countries offer the same adequate level of protection as we know it under the GDPR.
However, we may also transfer your personal data to countries that do not have comparable regulations and where no exceptions for specific situations apply pursuant to Art. 49 GDPR. In that case, we take additional measures (known as 'appropriate safeguards') to ensure your personal data is processed securely in these countries. These measures include:

  • Contractual arrangements between OkiOki and the recipient in the third country, based on the standard contractual clauses for the transfer of personal data outside the EEA, adopted by the European Commission and providing additional protection similar to the GDPR
  • Another mechanism enabling the transfer of personal data outside the EEA in accordance with the relevant data protection legislation.

7. What safeguards do we take to protect your personal data?

OkiOki takes appropriate technical and organisational measures that reflect the state of the art, taking into account the nature, scope, context and purposes of the processing, as well as the risks, varying in likelihood and severity, to the rights and freedoms of data subjects, in order to ensure a level of security appropriate to the risk, and in particular to protect the confidentiality, integrity and availability of the personal data being processed against unauthorised or unlawful processing, loss, destruction or damage.

8. What are your rights?

In accordance with the GDPR, the data subject has certain rights regarding the processing of personal data that they can exercise with regard to OkiOki. If the data subject wishes to exercise their rights, they can send a request to OkiOki at the following e-mail address: privacy@xerius.be. This request must be formulated clearly and as concretely as possible in order to give OkiOki the opportunity to respond as specifically as possible.
If there is any doubt regarding the identity of the individual concerned, OkiOki may request verification of that identity in order to prevent an unauthorised person from exercising that individual’s rights. In this case, OkiOki will contact the data subject and work with them to find the most appropriate way to establish their identity.
OkiOki aims to respond to a request within one month. If this is not possible, OkiOki will inform the person concerned as soon as possible about the option to extend this period by two months. If OkiOki is unable to comply with the request, OkiOki shall inform the data subject of this within a reasonable period of time.
In particular, these rights include:

8.1. Right to be informed

As the data controller, OkiOki is obliged to inform the natural persons concerned whose personal data is processed about this processing. This information must be provided in an accurate, transparent, comprehensible and easily accessible manner, in clear and simple language. In concrete terms, this right can be exercised by consulting this privacy statement. For more information, you can contact OkiOki using the aforementioned details.

8.2. Right of access

When OkiOki processes personal data, the data subject in question has the right to request access to this data, as well as additional information such as the purposes of the processing, the retention period and the origin of the data. The data subject may also request a copy of this data from OkiOki, provided that this request is not obviously unfounded or excessive. The first copy will be provided free of charge, but in the event of a repeated request, OkiOki reserves the right to charge a reasonable fee.

8.3. Right to restriction of processing

The data subject has the right to request OkiOki to restrict the processing of their personal data. In that case, OkiOki will keep this data and only use it for specific, limited purposes. The data subject may exercise this right in the following cases:

  • The data subject contests the accuracy of their data, whereby the data processing will be limited for the period that OkiOki needs to verify the accuracy.
  • The processing is unlawful, but the data subject opposes the erasure of this data and instead requests a restriction of the use of this personal data.
  • OkiOki no longer needs the data for the purposes of the processing, but the data subject needs this data for the establishment, exercise or defence of a legal claim.
  • When the data subject objects to processing, pending verification of whether OkiOki’s legitimate grounds as data controller outweigh your personal interests.
    In the event of a restriction of processing, OkiOki may only process the data in question with the consent of the data subject, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal entity or for reasons of public interest.

8.4. Right to erasure ('right to be forgotten')

The data subject has the right to ask OkiOki to delete their data in the following cases:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws their consent in cases where the processing is based on their consent and there is no other legal basis for processing.
  • The data subject objects to the processing and their personal interests override OkiOki’s legitimate interests.
  • The personal data has been unlawfully processed.
  • The erasure of the data is necessary to comply with a legal obligation in accordance with European or Belgian law.

In these cases, OkiOki will comply with your request for erasure, unless one of the following situations occurs:

  • The processing is part of the exercise of the right to freedom of expression and information.
  • For reasons of public health interest.
  • To meet the need for archiving in the public interest or for statistical purposes.
  • To comply with a legal obligation to keep the data.
  • To establish, exercise or defend legal claims.

8.5. Right to data portability

If data processing is based on the data subject’s consent or on the necessity for the performance of the contract and this processing is carried out using automated means, the data subject has the right to receive the personal data concerning them that they have provided to OkiOki in a structured, commonly used and machine-readable format. In addition, the data subject has the right to request that OkiOki transfer the data in question to another data controller, provided that this does not infringe on the rights and freedoms of others.

8.6. Right to rectification

If the personal data processed by OkiOki is incomplete or incorrect, OkiOki will take the necessary measures to complete and/or correct it. If OkiOki suspects that certain data is incorrect, OkiOki will contact the data subject to correct the information. The data subject can also contact OkiOki about this via the appropriate channels if they discover an inaccuracy or incompleteness.

8.7. Right to object

If OkiOki invokes the public interest or the legitimate interest for the processing of personal data, the data subject has the right to object to such processing. In this case, OkiOki will no longer process the personal data in question, unless OkiOki can demonstrate compelling legitimate grounds for the processing that override the personal interests, rights and freedoms of the data subject.
When OkiOki processes personal data for direct marketing purposes, the data subject can object to this at any time, free of charge. This is also the case when OkiOki carries out profiling in relation to direct marketing. In this case, OkiOki will always terminate this data processing.

8.8. Right to withdraw consent

If data processing is based on the data subject’s consent, the data subject has the right to withdraw this consent at any time. The withdrawal of consent applies only to the future and does not affect any processing that took place prior to the withdrawal of consent. OkiOki strives to make withdrawing consent as easy as granting it.

8.9. Right to object to automated individual decision-making

The data subject whose personal data OkiOki processes has the right to object to automated individual decision-making, including profiling, if this decision has legal consequences or otherwise significantly affects the data subject.
The data subject may not object to such a decision if:

  • It is necessary in the context of the performance of the agreement;
  • It is permitted on the basis of Union or Belgian law;
  • It is based on the express consent of the data subject.

If the data subject cannot object for the aforementioned reasons, OkiOki provides for human intervention, the possibility for the data subject to express their position and to challenge the decision.
Currently, OkiOki does not use automated, individual decision-making.

8.10. Right to lodge a complaint

The data subject has the right to lodge a complaint with the competent supervisory authority. In Belgium, the competent supervisory authority is the Data Protection Authority. You can easily lodge a complaint using the complaint form on the Data Protection Authority’s website.
If you are dissatisfied with the way OkiOki processes personal data or if you plan to lodge a complaint, OkiOki encourages you to contact us first using the contact information provided above so we can work together to find a solution to this issue quickly.