Privacy Policy

Last updated: April 3, 2026

1. Introduction

Welcome to CafeWork. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our platform and tell you about your privacy rights.

2. Data We Collect

We collect and process the following types of personal data:

  • Identity Data: Name, email address, profile picture
  • Account Data: Username, password (encrypted), authentication tokens
  • Transaction Data: Booking history, payment details, wallet balance
  • Usage Data: Session times, cafe visits, feature usage
  • Technical Data: IP address, device information, browser type
  • Location Data: Approximate location for nearby cafe discovery

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and manage your account and bookings
  • To process payments and manage your wallet balance
  • To personalize your experience and recommend cafes
  • To communicate with you about your bookings and account
  • To improve our services and develop new features
  • To ensure security and prevent fraud
  • To comply with legal obligations

4. Legal Basis for Processing

Under GDPR, we process your data based on:

  • Contract Performance: To fulfill our service agreement with you
  • Legitimate Interest: To improve our services and prevent fraud
  • Legal Obligation: To comply with tax and financial regulations
  • Consent: For marketing communications (you can opt out anytime)

5. Data Sharing & Storage Decision

We may share your data with:

  • Partner Cafes: Name and booking details for your reservations
  • Payment Processors: Stripe for secure payment processing
  • Service Providers: Email services (Resend), hosting (Vercel), database (Supabase)
  • Legal Authorities: When required by law

We never sell your personal data to third parties.

We intentionally minimise the personal data we store directly. Basic profile information such as your email address and name lives in our database because those fields are necessary to operate your account, but more sensitive tokens, authentication flows, and payment credentials remain with trusted partners such as Google, Apple, and Stripe. Those providers already handle secure storage, and we rely on their certifications rather than duplicating sensitive data in-house.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure authentication using industry-standard protocols (OAuth, JWT)
  • Regular security audits and updates
  • Access controls and monitoring
  • PCI DSS compliant payment processing via Stripe

7. Your Rights

Under GDPR and Dutch data protection law, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Opt out of marketing at any time

To exercise these rights, contact us at privacy@cafework.nl

7. Data Inventory

We maintain an internal inventory of the data categories we collect so you can understand what lives in our systems. Here is a high-level overview:

Identity & Account Data

Signed-up user profiles, contact details, preferences, and authentication records used to run accounts and access controls.

Bookings & Payments

Reservations, spot allocations, payment attempts, wallet balances, and refunds related to sessions with partner cafes.

Partner & Cafe Signals

Cafe metadata, amenities, availability, sanitization status, media, and partner account relationships that feed the marketplace listings.

Operational Metrics

Internal analytics, engagement tracking, feature flags, and audit logs used for monitoring, fraud prevention, and product improvements.

We regularly review this inventory and update the policy as new data sources are introduced.

8. Data Retention

We retain your data only as long as necessary:

  • Active Accounts: We keep account data for the lifetime of the account plus 30 days, after which we review whether further retention is strictly necessary.
  • Transaction Data: We aim to retain payment and booking records for at least 7 years to meet Dutch tax requirements, with periodic reviews to determine if anonymization or deletion is appropriate.
  • Marketing Data: Marketing preferences are stored until you unsubscribe or until about 2 years of inactivity have passed, whichever comes first.
  • Deleted Accounts: We anonymize user data within 30 days of a verified deletion request, while retaining required legal records (e.g., financial data) in an anonymized form.

9. International Transfers

Your data may be transferred outside the EU/EEA to our service providers (e.g., cloud hosting). We ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses (SCCs)
  • Privacy Shield or adequacy decisions
  • Data Processing Agreements with all processors

10. Children's Privacy

Our service is not directed to individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or through the platform. Please review this policy periodically.

12. Contact Us

For questions about this privacy policy or to exercise your rights:

General Requests:
hello@cafework.nl

Privacy Team:
privacy@cafework.nl

Data Protection Officer:
dpo@cafework.nl

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been violated.