Compliance Calendar

Cadence: 4× per year. Quarter ends 31 Mar / 30 Jun / 30 Sep / 31 Dec.

Filing deadline: last day of the month following quarter end (typically 30 Apr / 31 Jul / 31 Oct / 31 Jan).

Where: Mijn Belastingdienst Zakelijk portal.

Owner: ED (or accountant once retained).

Notes: EU OSS return is filed separately if registered; cross-border B2C peptide sales may trigger this.

Cadence: 1× per year. Fiscal year aligns with calendar year unless changed.

Filing deadline: within 8 days of adoption by shareholders, max 12 months after fiscal year-end (effectively before 31 Dec for prior year).

Where: KvK online deposit.

Owner: ED + accountant.

Notes: Micro-entity rules apply for TNF Business at current size. Re-evaluate threshold annually.

Cadence: 1× per year.

Filing deadline: typically 1 May (income tax) or 1 Jun (corporate tax) for prior calendar year. Extension via accountant common.

Where: Belastingdienst.

Owner: ED + accountant.

Notes: Provisional assessment may apply mid-year — set aside cash buffer.

Cadence: 1× per year (calendar reminder: 1 Feb).

Action: Review retention policies in privacy.html, audit Supabase for records past their retention window, document findings in docs/dpia-template.md.

Owner: ED.

Notes: Aligns with the Dutch AVG/GDPR accountability principle. Keep written record of the review even if no action taken.

Cadence: Annually, plus on any material processing change.

Action: Re-walk docs/dpia-template.md, confirm processor list (Supabase, Mollie, Resend, Netlify) is current, re-sign.

Owner: ED.

Cadence: 1× per year (calendar reminder: 1 Mar).

Action: Run a clean-browser visit, list every cookie and 3rd-party request, reconcile against cookies.html. Update consent banner copy if drift.

Owner: ED.

Cadence: 1× per year per domain.

Action: Confirm togopeptide.com auto-renew at Hostinger; verify Netlify-managed Let's Encrypt SSL is healthy (90-day rotation handled automatically — only intervene if Netlify alerts).

Owner: ED.

Notes: Domain expiry triggers full DNS outage — set calendar reminder 30 days before.

Cadence: Renewal date driven (set per-policy reminder).

Action: Re-confirm professional liability + product liability + cyber/incident coverage covers current revenue band and product list.

Owner: ED.

Cadence: 4× per year.

Action: Confirm no unexpected key usage in dashboards. Rotate any key suspected of exposure. Review Netlify env-var diff.

Owner: ED.

Notes: Hard rotation only on incident — soft review is the recurring item.

The following are not on a fixed cadence but must be filed within tight windows when triggered:

• Data breach notification — 72 hours to Autoriteit Persoonsgegevens. Runbook: docs/data-breach-notification.md.
• KvK registration changes — within 1 week of a change in directors, address, or activities.
• Bank-account / IBAN change — propagate to Mollie, accountant, KvK, contracts.
• Material processor change (e.g. swap Supabase → other) — re-issue DPA, update privacy.html, refresh DPIA.
• New EU country shipping — confirm OSS-VAT registration, hreflang, country-specific consumer-rights disclosures.

This page is reviewed once per quarter by ED. New recurring obligations get added here within one week of being identified. Removed obligations get archived in git history (never deleted). When a deadline shifts, update the date here first, then propagate to any external calendar tool.

For one-off filings, see the operator notebook (off-site). This page is the long-tail recurring layer only.