TrekTastes is committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and the Dutch AVG. This Privacy Policy explains what data we collect, why we collect it, who receives it, and your rights as a data subject.
The “In short” notes are plain-language summaries for readability only — the full policy text below each summary is what applies.
1. Who we are
Arkstasis (eenmanszaak), Amsterdam, the Netherlands, KvK no. 42057592, operating the TrekTastes platform, is the data controller for the processing described in this policy. Contact: privacy@trektastes.com.
2. What data we collect
- Account & orders: name, email address, contact details, phone number (optional), order history and, for cards you choose to save, a payment-method token with the card brand and last four digits (we never store full card numbers or CVV codes; iDEAL payments cannot be saved).
- Location: your device location is used when you browse nearby events — it is sent to our own server to compute results and is not stored and not used for profiling.
- Technical data: device type, OS version, IP address — for security and fraud prevention, processed on our own infrastructure.
- Support communications: messages you exchange with our support team (audit trail stores content hashes, not message bodies; push notifications never contain message content).
Crash reports & usage analytics: none leave our systems. The app does not currently send crash reports or usage analytics to any third party. If we introduce these, we will update this policy first and, where required, ask your permission in the app. Our website (trektastes.com) sets no cookies and runs no analytics.
3. Why we process it (purposes and legal bases)
We process your data on the following legal bases under GDPR art. 6:
- Providing your account, showing events (including transient location processing), fulfilling and managing orders, and support — contract (art. 6(1)(b)).
- Fraud detection and prevention, platform security, and first-party operational logging — legitimate interests (art. 6(1)(f)).
- Retaining financial and administrative records — legal obligation (art. 6(1)(c)).
- Marketing communications, reserved for future features (none are sent today) — consent (art. 6(1)(a)).
Automated decision-making: we operate an automated cancellation velocity guard that can temporarily block or flag order cancellations when abuse patterns are detected (fail-closed in production). No other automated decisions with significant effects are made.
4. Who receives your data
- The Vendor you order from — receives your order details and order number to prepare and hand over your order. Vendors are independent businesses and act as independent data controllers for fulfilling your purchase.
- Stripe — payment processing (PCI DSS Level 1). Payments are processed through the Vendor's Stripe account (the Vendor is the merchant of record); Stripe's EU entity also processes certain data as an independent controller — see Stripe's privacy policy.
- Expo push-notification relay — transport only; notification payloads deliberately carry no message content.
- Our hosting provider — the infrastructure on which our self-hosted platform runs.
- Authorities — where we are legally required (e.g. tax administration).
We do not sell your personal data.
5. International transfers
The only cross-border flows today are: the Expo push relay (United States — transport only, no message content) and off-site backups to an external provider, which receive only AES-256/GPG-encrypted artifacts. For these we rely on an adequacy decision (e.g. the EU–US Data Privacy Framework for certified providers) or the European Commission's Standard Contractual Clauses. Everything else is processed on our own self-hosted EU server. Copies of safeguards: privacy@trektastes.com.
6. How long we keep your data
- Account data: for the duration of your account; on deletion, our GDPR erasure process covers all user-linked tables (machine-enforced coverage), except records we must keep by law.
- Orders: active orders are archived after 12 months; archived orders are staged for PII anonymisation and stored encrypted.
- Financial/order records: retained for 10 years in line with Dutch fiscal retention obligations.
- Notification delivery logs: push delivery attempts purged after 90 days; notification records after 180 days.
You may request deletion at any time; statutory retention obligations may prevent full immediate deletion.
7. Your rights
Under GDPR you have the right to: access your data (art. 15); correct inaccurate data (art. 16); delete your data (art. 17); restrict processing (art. 18); request data portability (art. 20); object to processing (art. 21); and withdraw any consent at any time. To exercise your rights, use Manage Account in the app or contact privacy@trektastes.com. You may also lodge a complaint with the Dutch DPA, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
8. Changes to this policy
We will announce material changes before they take effect and keep previous versions available on request.