GDPR Compliance
Transparency about how we collect, store, and use your personal data under the GDPR.
Data Processing Overview
As required by the General Data Protection Regulation (GDPR), we provide complete transparency about what personal data we collect, why we collect it, how long we keep it, and who has access to it.
| Data Category | Data Points Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| Identity Data | • Name • Email address • Profile picture | Account creation and identification | Contract Performance | Account lifetime + 30 days |
| Authentication Data | • Password (encrypted) • OAuth tokens • Session tokens • Push notification tokens | Secure account access and notifications | Contract Performance | Account lifetime |
| Financial Data | • Wallet balance • Transaction history • Payment intents • Stripe customer ID • Refund records | Process payments, manage credits, handle refunds | Contract Performance + Legal Obligation | 7 years (tax law) |
| Booking Data | • Booking ID • Cafe/spot selection • Start and end times • Booking status • Total cost | Manage reservations and session tracking | Contract Performance | 7 years (financial records) |
| Usage Data | • Cafe visits • Session durations • Feature usage • App interactions | Improve service, personalize experience, loyalty rewards | Legitimate Interest | 2 years |
| Technical Data | • IP address • Device type • Browser version • Operating system | Security, fraud prevention, technical support | Legitimate Interest | 90 days |
| Location Data | • Approximate location • City/region • Nearby cafes | Show nearby cafes and relevant recommendations | Consent (opt-in) | Session only (not stored) |
| Communication Data | • Email preferences • Support messages • Notification settings | Send booking confirmations, updates, support responses | Contract Performance + Consent | Account lifetime |
| Partner Data (Cafe Owners) | • Business name • Cafe details • Bank account (IBAN) • Team members • Revenue data | Manage cafe listings, process payouts, analytics | Contract Performance + Legal Obligation | 7 years (tax law) |
| Analytics Data | • Aggregated usage metrics • Performance data • Error logs | Improve platform performance and user experience | Legitimate Interest | 1 year (anonymized) |
Third-Party Data Processors
- Stripe: Payment processing (PCI DSS compliant)
- Supabase: Database and authentication
- Vercel: Platform hosting and CDN
- Resend: Transactional emails
All processors have signed Data Processing Agreements (DPAs) and comply with GDPR.
Your GDPR Rights
- Right to Access: Get a copy of your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete your account and data
- Right to Portability: Export your data
- Right to Object: Opt out of processing
Exercise your rights: privacy@cafework.nl
Data Deletion Process
When you request account deletion, the following process occurs:
- We verify your identity for security purposes
- Your wallet balance must be zero (request refund first if needed)
- Active bookings are canceled
- Personally identifiable information is anonymized within 30 days
- Financial transaction records are retained for 7 years (legal requirement) but anonymized
- You receive confirmation via email once deletion is complete
Contact Our Data Protection Officer
For questions about data processing, GDPR compliance, or to exercise your rights:
Email: dpo@cafework.nl
Response Time: Within 30 days (as required by GDPR)
Supervisory Authority: Autoriteit Persoonsgegevens (Dutch DPA)