Privacy Policy

1. Introduction

Welcome to CafeWork. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our platform and tell you about your privacy rights.

2. Data We Collect

We collect and process the following types of personal data:

• Identity Data: Name, email address, profile picture
• Account Data: Username, password (encrypted), authentication tokens
• Transaction Data: Booking history, payment details, wallet balance
• Usage Data: Session times, cafe visits, feature usage
• Technical Data: IP address, device information, browser type
• Location Data: Approximate location for nearby cafe discovery

3. How We Use Your Data

We use your personal data for the following purposes:

• To provide and manage your account and bookings
• To process payments and manage your wallet balance
• To personalize your experience and recommend cafes
• To communicate with you about your bookings and account
• To improve our services and develop new features
• To ensure security and prevent fraud
• To comply with legal obligations

4. Legal Basis for Processing

Under GDPR, we process your data based on:

• Contract Performance: To fulfill our service agreement with you
• Legitimate Interest: To improve our services and prevent fraud
• Legal Obligation: To comply with tax and financial regulations
• Consent: For marketing communications (you can opt out anytime)

5. Data Sharing

We may share your data with:

• Partner Cafes: Name and booking details for your reservations
• Payment Processors: Stripe for secure payment processing
• Service Providers: Email services (Resend), hosting (Vercel), database (Supabase)
• Legal Authorities: When required by law

We never sell your personal data to third parties.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (HTTPS/TLS) and at rest
• Secure authentication using industry-standard protocols (OAuth, JWT)
• Regular security audits and updates
• Access controls and monitoring
• PCI DSS compliant payment processing via Stripe

7. Your Rights

Under GDPR and Dutch data protection law, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Opt out of marketing at any time

To exercise these rights, contact us at privacy@cafework.nl

8. Data Retention

We retain your data only as long as necessary:

• Active Accounts: For the duration of your account plus 30 days
• Transaction Data: 7 years (Dutch tax law requirement)
• Marketing Data: Until you unsubscribe or 2 years of inactivity
• Deleted Accounts: Anonymized within 30 days of deletion request

9. International Transfers

Your data may be transferred outside the EU/EEA to our service providers (e.g., cloud hosting). We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses (SCCs)
• Privacy Shield or adequacy decisions
• Data Processing Agreements with all processors

10. Children's Privacy

Our service is not directed to individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or through the platform. Please review this policy periodically.

12. Contact Us

For questions about this privacy policy or to exercise your rights:

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been violated.