Privacy Policy


Effective date: 23 February 2026
Version: 1.0

At Dytto, we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, and safeguard your information when you interact with our website, software, and related services.

By accessing or using Dytto, you acknowledge that you have read and understood this Privacy Policy. Our processing of personal data is governed by the General Data Protection Regulation (GDPR) and other applicable European data protection laws.

1. Who We Are

Dytto BV is registered with the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen) under number 1030.588.178.

Registered address: Brusselsesteenweg 6, 9050 Ghent, Belgium

Data Protection Contact: Niels Van Driessche — niels@dytto.ai

2. What Data We Collect

We collect different types of data depending on how you interact with Dytto.

Website visitors (dytto.ai)

  • Basic analytics data such as page views, referral source, browser type, and approximate location, collected through our website platform (Framer) and any integrated analytics tools.

  • Information you voluntarily provide through contact forms, newsletter sign-ups, or demo requests (e.g., name, email address, company name).

Software users (Dytto platform)

  • Account information: name, email address, company details, and login credentials.

  • Usage data: features used, session duration, and interaction logs to improve service quality.

  • Client data: as an AI assistant for accountants, Dytto processes data that you — the accountant — provide about your clients. This may include financial and accounting records, documents, business-contact details, and other information related to your professional activities.

3. Purpose and Legal Basis for Processing

Under Article 6 of the GDPR, we process personal data only when we have a valid legal basis. The table below maps each processing purpose to its legal basis.


| Purpose | Legal basis | Example data |
| --- | --- | --- |
| Providing the Dytto platform and services | Contractual necessity | Account details, client accounting data |
| Account creation and authentication | Contractual necessity | Name, email, login credentials |
| Customer support | Contractual necessity | Contact details, support correspondence |
| Security, fraud prevention, and abuse detection | Legitimate interest | IP addresses, access logs, usage patterns |
| Product improvement and analytics | Legitimate interest | Aggregated usage data, feature interaction logs |
| Website analytics | Legitimate interest or consent | Page views, referral source, browser type |
| Marketing communications | Consent | Email address, name |
| Legal and regulatory compliance | Legal obligation | Financial records, tax-related data |

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal applies only to the period following the withdrawal and does not affect the lawfulness of the processing that took place before it.

Where processing is based on legitimate interest, Dytto performs a balancing assessment to ensure our interests do not override your fundamental rights and freedoms.

4. AI Processing

Dytto uses artificial intelligence to provide its core service — assisting accountants with their work. This means:

  • Data you input into the Dytto platform may be processed by AI models to generate insights, suggestions, or outputs relevant to your accounting tasks.

  • AI processing is carried out through third-party large language model (LLM) providers. These providers are bound by data processing agreements and are listed on our sub-processor list (see Section 7).

  • We apply data minimization principles: only the data necessary for the specific task is sent to AI providers.

  • We do not use your data or your clients' data to train AI models, unless explicitly agreed upon in a separate agreement.

  • AI-generated outputs are intended as assistance and should be reviewed by qualified professionals before being relied upon.

5. Automated Decision-Making

Dytto does not make decisions that produce legal effects or similarly significant effects on you based solely on automated processing, including profiling, as described in Article 22 of the GDPR. Our AI features are assistive in nature — all decisions based on AI-generated outputs remain the responsibility of the human professional using the platform.

6. Data Controller and Data Processor

Dytto BV acts in different roles depending on the context:

  • As data controller: Dytto is the data controller for the personal data of website visitors, platform account holders, and prospective customers. We determine the purposes and means of processing this data.

  • As data processor: When accountants use the Dytto platform to process their clients' data, Dytto acts as the data processor. In this case, the accountant (you) is the data controller for your clients' personal data. You are responsible for informing your clients about how their data is processed and for obtaining any necessary consent. Dytto processes this client data solely on your instructions and for the purposes outlined in our agreement.

A Data Processing Agreement (DPA) is included as part of our customer agreements. If you require a standalone DPA, please contact niels@dytto.ai.

7. Data Sharing and Transfers

We do not sell your personal data. Dytto may share personal data with processors who provide services on behalf of Dytto:

  • Dytto and its subsidiaries or parent companies, if any (list available upon request at niels@dytto.ai).

  • External processors, including but not limited to cloud hosting providers, AI/LLM service providers, IT service providers, auditors, and legal advisors. These processors are only authorised to process personal data for the specific tasks assigned to them and are bound by data processing agreements and all relevant data protection legislation.

  • If a processor outside the European Economic Area is utilised, Dytto ensures appropriate safeguards are in place in accordance with GDPR Article 46, such as Standard Contractual Clauses (SCCs) or transfers to countries covered by an EU adequacy decision.

An up-to-date list of our sub-processors is available upon request at niels@dytto.ai. We will notify customers of any new or replacement sub-processors with 14 days' prior notice.

8. Data Retention

Data is stored on servers at established cloud and hosting service providers that comply with GDPR legislation in terms of security and privacy protection, and is not kept longer than necessary.

  • Dytto retains only data necessary to provide its services. Upon or after termination of the contract, any interested party may request the deletion of all applicable data.

  • Website visitor data (analytics) is retained for a maximum of 14 months.

  • Account and usage data is retained for the duration of your contract and deleted within 90 days after termination, unless a longer retention period is required by law.

  • Client accounting data processed on behalf of customers is deleted or returned in accordance with the applicable Data Processing Agreement.

9. Data Security

We are committed to ensuring the confidentiality, integrity, and availability of your data. We use industry-standard security measures, including:

  • Encryption at rest and in transit

  • Multi-factor authentication for administrative access

  • Role-based access controls following the least-privilege principle

  • Secure logging and monitoring of access to personal data

  • Secure data storage and backups

  • Regular security reviews and vulnerability remediation

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Dytto will:

  • Notify the relevant supervisory authority (the Belgian Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR.

  • For customers with a Data Processing Agreement, Dytto will notify the data controller (the accountant) within 48 hours of becoming aware of a breach affecting their data, enabling the controller to fulfil its own notification obligations.

11. Cookies and Tracking

Our website (dytto.ai) is built on Framer and uses cookies and similar technologies.

Essential cookies are required for the website to function properly and cannot be disabled.

Analytics cookies collect anonymised usage data to help us understand how visitors interact with our website and improve our services. These cookies are only placed with your consent, in accordance with the ePrivacy Directive. You can manage your cookie preferences through our cookie consent banner when you first visit our website, and you may withdraw your consent at any time by adjusting your browser settings or revisiting the cookie settings.

For more details on Framer's data practices, please refer to Framer's privacy policy.

12. Your Rights

As a user, you can exercise the following rights under the GDPR:

  • Right of access: You have the right to access the personal data Dytto processes about you and obtain additional information regarding this processing.

  • Right to rectification: You may request correction of inaccurate or incomplete personal data.

  • Right to erasure: In certain cases, you may request the deletion of your personal data.

  • Right to restrict processing: In certain cases, you may request to restrict the processing of your personal data.

  • Right to data portability: In certain cases, you have the right to have the personal data you provided transferred to another controller, provided this is technically possible.

  • Right to object: You may object to the processing of your personal data for direct marketing purposes at any time.

You may exercise the above rights by sending a request to niels@dytto.ai. To protect your personal data, we may take reasonable steps to verify your identity before processing your request.

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. In Belgium, the competent authority is the Data Protection Authority (Gegevensbeschermingsautoriteit):

13. Children's Privacy

Dytto's services are designed for business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data promptly.

14. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for their content or privacy practices and encourage you to review their policies before sharing information.

15. Changes to This Policy

We review this Privacy Policy at least annually or whenever significant changes occur to our data processing practices. The latest version will always be available at dytto.ai/privacy with the effective date and version number clearly stated. Continued use of our services constitutes acceptance of any updates.