
GDPR-compliant receipt management for EU businesses

Daniel Reeves · 12 May 2026 · 9 min read

Most Dutch SMBs store business receipts in email threads, messaging apps, and phone photo galleries. None of these are built for GDPR-compliant data management: there is no audit trail for consent, no structured data-retention policy, and no documented record of which processor handles the data. The legal exposure is not theoretical. GDPR Art. 5 requires that personal data be kept no longer than necessary and only for the purpose collected. Art. 7 requires that consent be demonstrable, not just implied. When receipts contain personal data — the name on a hotel bill, a client's company, an employee's travel pattern — the storage tool is a data processor under Art. 28. Choosing a receipt management tool is also a data-processor choice.

This article covers what GDPR actually requires for business receipt storage, what to look for in a compliant tool, and how Rexa approaches EU data residency and consent accountability.

What GDPR requires for business receipt storage

Three articles are directly relevant.

Art. 5 — Data minimisation and storage limitation

Art. 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Art. 5(1)(e) adds the storage limitation principle: data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

For receipt management, this means: collect the receipt fields you actually need for expense reporting and tax compliance. Set a documented retention period tied to the relevant statute of limitations for tax records in your jurisdiction — seven years under Dutch tax law. Delete or anonymise records beyond that window.

Art. 7 — Conditions for consent

Where processing relies on consent, Art. 7(1) requires that “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” The word “demonstrate” is load-bearing: you need an audit trail, not just a policy.

For business tools that handle employee or freelancer receipts, the question is whether the employee's use of the tool constitutes informed consent to the processing of their expense data, and whether that consent is recorded in a verifiable form.

Art. 28 — Processor obligations

Any software tool that processes personal data on your behalf is a processor under Art. 28. You, as the controller, are required to “only use processors providing sufficient guarantees to implement appropriate technical and organisational measures” and to formalise that relationship in a written Data Processing Agreement. Before adopting a receipt management tool, verify that the vendor can provide a DPA, and read the processor sub-chain: who does the vendor use for storage, compute, and background processing?

Evaluating a GDPR-compliant receipt tool

Four criteria are worth evaluating before you commit to a vendor.

Data residency

Where is account data stored at rest? EU data residency for account records does not automatically mean EU processing for compute or background jobs. Your vendor’s sub-processors may be headquartered outside the EU; if they are, the transfer must rest on an adequate transfer mechanism. Standard Contractual Clauses are the most common mechanism post-Schrems II.

Consent accountability log

Under GDPR Art. 7(1), you must be able to demonstrate consent. Look for an event-level log — not just “the user accepted” — with a stated retention period and server-side writes. A client-side-only cookie preference is not demonstrable under Art. 7.

Data Processing Agreement

Request the DPA before signing up. A vendor without one cannot legally process your personal data under Art. 28. Verify that it covers the full sub-processor chain.

Data retention and deletion policy

Ask specifically: what is the retention period for each data category? What is the deletion timeline after account closure? Is deletion automated, or does it require a manual request?

How Rexa handles EU data residency

Rexa stores customer data in the EU and uses US-headquartered cloud providers under Standard Contractual Clauses for processing.

Here is what that means in practice.

Account data storage

Account data — user records and the consent accountability log — is stored in Postgres in the EU region. Data at rest is encrypted with AES-256 under platform defaults. Data in transit is encrypted over TLS.

Transfer basis for US-headquartered processors

Rexa's application compute and TLS termination run on Vercel; background workers run on Fly.io. Both are US-incorporated companies with EU-region deployments. Customer data flowing through these processors is transferred under Standard Contractual Clauses, the transfer mechanism recognised under GDPR Art. 46(2)(c) for transfers to third countries without an adequacy decision. A formal SCC and Transfer Impact Assessment register is on the compliance roadmap.

What is not covered today

Uploaded receipt files are accepted at Rexa's upload endpoint. The current prototype accepts the file and returns a receipt object; the file's processing and persistent storage are on the roadmap. The EU data residency claims above — account data in EU Postgres, AES-256 at rest, TLS in transit — apply to your account records and consent log. They do not extend to uploaded receipt files as of today.

If the precise storage destination of receipt files is a compliance requirement for your use case, verify against Rexa's current documentation or contact us directly before uploading sensitive documents. Rexa's legal pages are at rexa.one/legal/privacy and rexa.one/legal/terms.

GDPR consent accountability: what Rexa records

Every consent transition on Rexa — account registration, cookie banner interaction, marketing preference update — is recorded server-side to an accountability log retained for 12 months, in line with GDPR Art. 7(1) demonstrable-consent requirements.

The accountability log captures, per event:

  • Event type — banner shown, accept-all, reject-all, customised, withdrawn
  • Consent version — the specific version of the terms or cookie notice in force at the time of the event
  • Timestamp
  • Truncated IP address — /24 for IPv4, /48 for IPv6; the full address is never stored
  • User agent
  • User ID, if the user is authenticated at the time

Three properties of this log are worth noting for compliance purposes.

First, all writes are server-side. The client cannot author or alter consent log rows. This matters under Art. 7(1): a demonstrable-consent record is only meaningful if it cannot be edited by the party whose consent is recorded.

Second, the log captures the consent version alongside the timestamp. When your privacy policy or cookie notice changes, new consent events record the new version. You can reconstruct from the log alone what version a user agreed to and when.

Third, the 12-month retention window is enforced automatically by a background worker. Rows older than 12 months are deleted. This aligns the log's own storage with the data minimisation and storage limitation principles in Art. 5(1)(c) and (e).
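The three properties above (server-authored rows, consent version recorded with the timestamp, automatic 12-month purge) and the per-event fields listed earlier, as an added illustration that is not Rexa's code; the class and function names, and the sample addresses, are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Event types the article lists; anything else is rejected at the server boundary.
EVENT_TYPES = {"banner_shown", "accept_all", "reject_all", "customised", "withdrawn"}
RETENTION = timedelta(days=365)  # the 12-month retention window

def truncate_ip(addr: str) -> str:
    """Mask the client address to /24 (IPv4) or /48 (IPv6); the full address is never kept."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

@dataclass(frozen=True)  # rows are immutable once written
class ConsentEvent:
    event_type: str
    consent_version: str   # version of the notice in force at the time
    timestamp: datetime
    ip_prefix: str
    user_agent: str
    user_id: Optional[str]

class ConsentLog:
    """Append-only log authored server-side: callers pass request facts, never rows."""
    def __init__(self):
        self._rows: list[ConsentEvent] = []

    def record(self, event_type, consent_version, client_ip, user_agent,
               user_id=None, now=None):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown consent event type: {event_type}")
        row = ConsentEvent(event_type, consent_version, now or datetime.now(timezone.utc),
                           truncate_ip(client_ip), user_agent, user_id)
        self._rows.append(row)
        return row

    def purge_expired(self, now: datetime) -> int:
        """Retention worker: delete rows older than 12 months, return the count removed."""
        cutoff = now - RETENTION
        kept = [r for r in self._rows if r.timestamp >= cutoff]
        removed = len(self._rows) - len(kept)
        self._rows = kept
        return removed

    def latest_version_for(self, user_id: str):
        """Reconstruct from the log alone which notice version a user last acted on."""
        rows = [r for r in self._rows if r.user_id == user_id]
        return max(rows, key=lambda r: r.timestamp).consent_version if rows else None
```

Because the client only supplies request facts and the server builds and appends the row, a browser cannot author or edit what the log says about its own consent.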

Connecting receipt management to your bookkeeping

Receipt management is not useful in isolation. The workflow is: upload a receipt, match it to a transaction, post the matched entry to your accounting records. For most Dutch SMBs, that accounting record lives in Exact Online.

Rexa is designed to integrate with Exact Online. The current prototype includes an onboarding step for connecting an Exact Online account; the full integration — OAuth token exchange, division discovery, and journal entry creation against your Exact Online general ledger — is on the roadmap.

Once the integration ships, the workflow becomes:

  1. Upload a receipt
  2. The receipt is matched to the corresponding transaction
  3. A coded entry is posted to the relevant division in Exact Online

For SMBs already on Exact Online, this keeps receipt management and bookkeeping in the same chain without a manual export step.

For SMBs on other bookkeeping platforms, Rexa's initial focus is Exact Online given its market share in the Netherlands. Export compatibility with leading bookkeeping platforms is on the longer roadmap.

Frequently asked questions

Does Rexa store data in the EU?

Rexa stores customer data in the EU and uses US-headquartered cloud providers under Standard Contractual Clauses for processing.

Is Rexa GDPR-compliant?

Rexa implements GDPR Art. 7 consent accountability; see our privacy policy.

Does Rexa integrate with Exact Online?

Rexa is designed to integrate with Exact Online; the integration is on the roadmap.


Rexa is in pre-launch. If you are evaluating GDPR-compliant receipt management for your Dutch or EU business, you can join the waitlist to receive a notification when access opens.
