Reach out, we're nearby
Thank you!
Your submission has been received. We will get back to you as soon as possible.
Effective Date: March 3, 2026
Last Updated: March 23, 2026
Belter B.V. ("Belter", "we", "us", or "our") operates the BelterBox application (the "App"). This Privacy Policy explains how we collect, use, store, and share your personal data when you use the App.
By using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.
Belter B.V.
Kraijenhoffstraat 137D
1018 RG Amsterdam
The Netherlands
Chamber of Commerce (KvK) number: 85394661
Email: info@belterbox.com
Belter is the data controller for the processing of personal data described in this policy.
When you sign in through Microsoft Entra External ID, we receive the following from your identity provider:
- Email address
- Display name, first name, and last name
- Unique user identifier (object ID)
We do not receive or store your password. Authentication is handled entirely by Microsoft Entra.
When you use the App to interact with smart locks, we collect:
- Which lock you attempted to unlock and when
- Whether the unlock was successful or denied
- Encrypted audit trail data generated by the lock hardware
The App uses Bluetooth Low Energy (BLE) to communicate with locks. During this process, the App accesses:
- BLE signal strength of nearby locks
- Lock device identifiers
We do not collect your device's Bluetooth hardware address or pair with your device.
To maintain app stability and resolve technical issues, we collect anonymous diagnostic data including:
- App performance metrics — crash reports, error logs, and response times
- Device metadata — device model and operating system version
- App version — the version of the App you are running
- Anonymous session identifier — a random identifier generated each time you open the App, not linked to your account or device
This data is collected automatically and cannot be used to identify you personally. It is not linked to your account, name, email, or any other personal data. We do not use this data for advertising, profiling, or behavioral analysis.
Diagnostic data is processed by Azure Application Insights (Microsoft Corporation) and stored in the West Europe region. Retention: 90 days.
- Precise or approximate location data
- Contacts, photos, or other on-device content
- Advertising identifiers or tracking data
- Biometric data
Email, name, user ID — Authenticate you and manage your account. Legal basis: contract performance.
Email, name — Provision your access rights with lock hardware. Legal basis: contract performance.
Unlock events & audit trails — Provide access history, security auditing, and troubleshooting. Legal basis: legitimate interest / contract performance.
BLE signal data— Discover and communicate with nearby locks. Legal basis: contract performance.
Last login timestamp — Account security monitoring. Legal basis: legitimate interest.
We do not use your data for advertising, profiling, or automated decision-making.
Diagnostics & performance data — Monitor app stability, diagnose crashes, and improve reliability. Legal basis: legitimate interest (ensuring a functional and reliable service).
Authentication tokens are stored securely in the iOS Keychain or Android Keystore, managed by the Microsoft Authentication Library (MSAL). Tokens are session-based and expire automatically.
Digital key material used for lock communication is held in memory during active use and is not persisted to disk.
No personal data is stored in unprotected local storage.
Your account data and access event history are stored in a secured Azure SQL Database.
All data is encrypted in transit (TLS) and at rest (Azure storage encryption).
Access to the database requires Microsoft Entra ID authentication — no static passwords are used for database access.
Your data is isolated to the tenant (organization) you belong to. Strict server-side controls prevent cross-tenant data access. Only administrators of your organization can view your access event history within that tenant.
We share limited data with the following third-party services, solely to provide the App's functionality:
Microsoft Entra External ID (Microsoft Corporation) — Authentication credentials (handled by Microsoft; we do not see your password). Purpose: user authentication.
Nebula Cloud (SALTO Systems) — Name, email, encrypted unlock event data. Purpose: lock access management, digital key provisioning, audit trail processing.
Azure Cloud Services (Microsoft Corporation) — All backend data (stored in Azure SQL, hosted on Azure App Service). Purpose: backend infrastructure and data storage.
Azure Application Insights (Microsoft Corporation) — Anonymous diagnostic data (crash reports, performance metrics, device model, OS version, app version). Purpose: app stability monitoring and troubleshooting. Data is stored in the West Europe region and is not linked to your identity.
We do not sell your personal data to any third party. We do not share data with advertising networks or data brokers.
Account data: Retained for as long as your account is active. If your account is deactivated by your organization, your profile data is soft-deleted (marked inactive) and may be permanently deleted upon request.
Access event logs: Retained for the duration required by your organization's policies and applicable regulations. Your tenant administrator can advise on the specific retention period.
Authentication tokens: Session-based; automatically expire and are removed by the operating system's secure storage.
Invitation data: Automatically expires after 7 days if not accepted.
Diagnostic data: Retained for 90 days, then automatically deleted.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate data. Since your profile is sourced from Microsoft Entra, most corrections should be made in your identity provider account.
Erasure: Request deletion of your personal data, subject to legal retention obligations.
Restriction: Request that we limit processing of your data in certain circumstances.
Portability: Request your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at the address listed in Section 11.
All network communication uses HTTPS/TLS encryption.
Authentication tokens are stored in the iOS Keychain or Android Keystore (hardware-backed secure storage).
Lock audit trails are encrypted by the lock hardware before transmission.
Backend database access is protected by Microsoft Entra ID (no static credentials).
Role-based access controls restrict data visibility to authorized personnel only.
While we implement industry-standard measures to protect your data, no method of electronic transmission or storage is 100% secure.
The App is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, provide additional notice within the App. Your continued use of the App after changes are published constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:
Belter B.V.
Amsterdam, The Netherlands
KvK: 85394661
Email: privacy@belterbox.com
Website: https://belterbox.com
If you are unsatisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://autoriteitpersoonsgegevens.nl.
.jpg)
.jpg)
%201%20(2).avif)
