Acroya B.V. trading as SOUS | Last updated: May 2026
This notice explains how SOUS collects and uses your personal data. It applies to visitors to our website, merchants who use the SOUS platform, and end-customers who shop through a SOUS-powered storefront. A full Privacy Policy with complete technical and legal detail is available on request.
1. Who We Are
SOUS is a trading name of Acroya B.V., a company incorporated in the Netherlands. We are the data controller for personal data processed in connection with our website and platform services.
Legal entity – Acroya B.V. (trading as SOUS)
Address – Vijzelstraat 77A, 1017 HG Amsterdam, The Netherlands
Chamber of Commerce – KvK 85080276
Contact – [email protected]
2. Who This Notice Applies To
This notice covers three groups of people:
Website visitors — anyone who browses poweredbysous.com, requests a demo, signs up for our newsletter, or purchases a subscription online.
Merchants — food and beverage businesses that use the SOUS Merchant Portal, including our Spotlight listing management service.
End-customers — individuals who place orders through a merchant's SOUS-powered online shop.
Where SOUS processes end-customer data on behalf of a merchant, the merchant is the data controller for that data and SOUS acts as a processor under a Data Processing Agreement (DPA).
3. What Data We Collect
Website visitors
Contact details you provide (name, email, company, phone) when submitting a form or booking a demo.
Subscription and billing data if you purchase a plan online (payment card processing is handled by our payment provider — we do not store card numbers).
Usage and device data collected automatically: IP address, browser type, pages visited, and similar technical data.
Merchants
Business identity and KYC data collected during onboarding (legal entity name, address, VAT number, KvK number, and identity verification carried out by our payment processor).
Platform and configuration data — product catalogues, pricing, logistics settings, and financial records.
Business listing data for Spotlight subscribers: your business profile (name, address, hours, menus, images) published to directories such as Google Maps, Apple Maps, and TripAdvisor.
End-customers
Order data — name, delivery address, order contents, delivery preferences, and order status.
Payment metadata — transaction references (full payment processing is handled by our payment provider).
Communication preferences — opt-in status for merchant communications.
We do not intentionally collect special category data (such as health or biometric data) or data about children under 16.
4. Why We Process Your Data and Our Legal Basis
To operate and deliver the platform — including processing orders, handling payments, and managing merchant accounts. Legal basis: contract performance (Art. 6(1)(b) GDPR).
To manage business listings (Spotlight) — publishing and synchronising your business profile across directories and managing reviews. Legal basis: contract performance and legitimate interests.
To send newsletters and marketing — only with your opt-in consent. Legal basis: consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time.
For B2B sales outreach — to business contacts in the food and beverage sector. Legal basis: legitimate interests. You can opt out at any time.
For analytics and platform improvement — using aggregated, anonymised data. Non-essential analytics cookies require your consent. Legal basis: consent or legitimate interests.
For security and fraud prevention — protecting the platform and our users. Legal basis: legitimate interests and legal obligation.
To comply with legal obligations — such as tax and accounting requirements. Legal basis: legal obligation (Art. 6(1)(c) GDPR).
5. Who We Share Your Data With
We share personal data only as necessary to deliver our services. We work with trusted service providers in the following categories, all engaged under data protection agreements:
Payment and financial services providers — for payment processing, payouts, and merchant KYC/KYB verification.
Cloud infrastructure and hosting providers — for storing and processing platform data.
Logistics and delivery providers — for fulfilling orders and shipments.
Business directory and review platforms — for publishing and managing your business listings (Spotlight).
AI and analytics tools — for platform performance monitoring and AI-assisted features such as review response suggestions.
Email and communication tools — for transactional and marketing communications.
Security and fraud prevention tools — for DDoS protection, vulnerability scanning, and web security.
A full list of named processors and sub-processors, including their locations and data transfer safeguards, is available in our full Privacy Policy.
We do not sell your personal data. We do not allow third parties to market their products directly to you through our platform without your consent.
6. International Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses (SCCs) approved by the European Commission, or, where applicable, the EU–US Data Privacy Framework adequacy decision. Details are set out in the full Privacy Policy.
7. How Long We Keep Your Data
Website enquiries and demo records: up to 24 months after last contact, or earlier on request.
Merchant account data: for the duration of the contract and 7 years thereafter (statutory accounting and tax obligations).
End-customer order and transaction data: 7 years (tax and consumer law obligations).
Analytics data: 14 months (rolling).
Marketing subscriptions: until you unsubscribe. We retain suppression records to honour opt-outs.
8. Your Rights
Under the GDPR, you have the right to:
Access the personal data we hold about you.
Rectification of inaccurate or incomplete data.
Erasure of your data in certain circumstances.
Restriction of processing in certain circumstances.
Data portability for data you have provided to us, where processing is based on consent or contract.
Object to processing based on legitimate interests, including direct marketing (an absolute right).
Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl, or with your local supervisory authority.
9. Cookies
We use cookies on our website. Strictly necessary cookies are used without your consent. Non-essential cookies (such as analytics) are only activated with your prior consent. Manage your preferences via the Cookie Settings link in our website footer.
10. Changes to This Notice
We may update this notice from time to time. The date at the top shows when it was last revised. Material changes will be highlighted on our website.
11. Contact Us
Email: [email protected]
Post: Acroya B.V. (SOUS), Vijzelstraat 77A, 1017 HG Amsterdam, The Netherlands
Website: www.poweredbysous.com