Direct naar inhoud
TrekTastes
Voor ondernemers Download de app EN NL

Privacy Policy

Version 1.1 · Last updated: 2026-07-03

Dit privacybeleid is op dit moment alleen in het Engels beschikbaar. Vragen over je gegevens? Mail ons gerust: privacy@trektastes.com

Op deze pagina

  1. 1. Who we are
  2. 2. What data we collect
  3. 3. Why we process it (purposes and legal bases)
  4. 4. Who receives your data
  5. 5. International transfers
  6. 6. How long we keep your data
  7. 7. Your rights
  8. 8. Changes to this policy

TrekTastes is committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and the Dutch AVG. This Privacy Policy explains what data we collect, why we collect it, who receives it, and your rights as a data subject.

The “In short” notes are plain-language summaries for readability only — the full policy text below each summary is what applies.

1. Who we are

In short: Arkstasis (trading as TrekTastes), a sole proprietorship in Amsterdam, KvK 42057592, is the data controller. Contact: privacy@trektastes.com.

Arkstasis (eenmanszaak), Amsterdam, the Netherlands, KvK no. 42057592, operating the TrekTastes platform, is the data controller for the processing described in this policy. Contact: privacy@trektastes.com.

2. What data we collect

In short: Your account and order details, an optional phone number, and — if you save a card — a token with only the card brand and last four digits (never the full number). Live location for nearby events isn't stored. No crash reports or analytics leave our systems; the website sets no cookies.
  • Account & orders: name, email address, contact details, phone number (optional), order history and, for cards you choose to save, a payment-method token with the card brand and last four digits (we never store full card numbers or CVV codes; iDEAL payments cannot be saved).
  • Location: your device location is used when you browse nearby events — it is sent to our own server to compute results and is not stored and not used for profiling.
  • Technical data: device type, OS version, IP address — for security and fraud prevention, processed on our own infrastructure.
  • Support communications: messages you exchange with our support team (audit trail stores content hashes, not message bodies; push notifications never contain message content).

Crash reports & usage analytics: none leave our systems. The app does not currently send crash reports or usage analytics to any third party. If we introduce these, we will update this policy first and, where required, ask your permission in the app. Our website (trektastes.com) sets no cookies and runs no analytics.

3. Why we process it (purposes and legal bases)

In short: We use your data to run the service (contract), keep it secure and fraud-free (legitimate interest), meet legal record-keeping duties, and — only with consent — for any future marketing. An automated guard may temporarily block suspicious cancellation patterns.

We process your data on the following legal bases under GDPR art. 6:

  • Providing your account, showing events (including transient location processing), fulfilling and managing orders, and support — contract (art. 6(1)(b)).
  • Fraud detection and prevention, platform security, and first-party operational logging — legitimate interests (art. 6(1)(f)).
  • Retaining financial and administrative records — legal obligation (art. 6(1)(c)).
  • Marketing communications, reserved for future features (none are sent today) — consent (art. 6(1)(a)).

Automated decision-making: we operate an automated cancellation velocity guard that can temporarily block or flag order cancellations when abuse patterns are detected (fail-closed in production). No other automated decisions with significant effects are made.

4. Who receives your data

In short: Only the Vendor (independent controller), Stripe (payments via the Vendor's account), the Expo push relay (transport only), our hosting provider, and authorities where legally required. We never sell your data.
  • The Vendor you order from — receives your order details and order number to prepare and hand over your order. Vendors are independent businesses and act as independent data controllers for fulfilling your purchase.
  • Stripe — payment processing (PCI DSS Level 1). Payments are processed through the Vendor's Stripe account (the Vendor is the merchant of record); Stripe's EU entity also processes certain data as an independent controller — see Stripe's privacy policy.
  • Expo push-notification relay — transport only; notification payloads deliberately carry no message content.
  • Our hosting provider — the infrastructure on which our self-hosted platform runs.
  • Authorities — where we are legally required (e.g. tax administration).

We do not sell your personal data.

5. International transfers

In short: Almost everything stays on our EU server. The only data leaving the EU is push-notification transport (Expo, US) and encrypted-only off-site backups — under adequacy decisions or Standard Contractual Clauses.

The only cross-border flows today are: the Expo push relay (United States — transport only, no message content) and off-site backups to an external provider, which receive only AES-256/GPG-encrypted artifacts. For these we rely on an adequacy decision (e.g. the EU–US Data Privacy Framework for certified providers) or the European Commission's Standard Contractual Clauses. Everything else is processed on our own self-hosted EU server. Copies of safeguards: privacy@trektastes.com.

6. How long we keep your data

In short: Account data while your account exists; orders archived after 12 months; financial records kept 10 years (Dutch fiscal rules); notification logs purged within 90–180 days. You can ask for deletion anytime, subject to legal retention.
  • Account data: for the duration of your account; on deletion, our GDPR erasure process covers all user-linked tables (machine-enforced coverage), except records we must keep by law.
  • Orders: active orders are archived after 12 months; archived orders are staged for PII anonymisation and stored encrypted.
  • Financial/order records: retained for 10 years in line with Dutch fiscal retention obligations.
  • Notification delivery logs: push delivery attempts purged after 90 days; notification records after 180 days.

You may request deletion at any time; statutory retention obligations may prevent full immediate deletion.

7. Your rights

In short: You can access, correct, delete, restrict, port or object to your data, and withdraw consent — via Manage Account or privacy@trektastes.com. You can also complain to the Dutch DPA.

Under GDPR you have the right to: access your data (art. 15); correct inaccurate data (art. 16); delete your data (art. 17); restrict processing (art. 18); data portability (art. 20); object to processing (art. 21); and withdraw any consent at any time. To exercise your rights, use Manage Account in the app or contact privacy@trektastes.com. You may also lodge a complaint with the Dutch DPA, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. Changes to this policy

In short: We'll flag material changes before they take effect and keep previous versions available on request.

We will announce material changes before they take effect and keep previous versions available on request.

Data Controller: Arkstasis (eenmanszaak) — Amsterdam, the Netherlands · KvK 42057592 — operating the TrekTastes platform

Privacy enquiries: privacy@trektastes.com

Foodfestivals & straatmarkten in Amsterdam.

Download in de App Store ONTDEK HET OP Google Play

TrekTastes

Voor ondernemers Privacy Voorwaarden

Support

support@trektastes.com
© 2026 TrekTastes Gemaakt in Amsterdam