privacy policy
last updated: march 2026
bagel bagel V.O.F. ("bagel bagel", "we", "us", "our") takes the protection of your personal data seriously. we process personal data in accordance with the General Data Protection Regulation (GDPR / AVG) and other applicable Dutch privacy legislation. this privacy policy explains what personal data we collect, on what legal basis, how we use it, who we share it with, and what your rights are.
by using our website or placing an order, you acknowledge that you have read and understood this privacy policy.
1. who are we?
bagel bagel V.O.F. is the data controller responsible for the processing of your personal data.
registered address: Zwaanshals 430, 3035 KT Rotterdam, the Netherlands
chamber of commerce (KvK): 92927033
VAT number: NL866219511B01
contact: [email protected]
for any questions or requests regarding your personal data, you can reach us at the email address above.
2. what personal data do we collect?
we collect and process personal data only when necessary. the specific data depends on how you interact with us:
a) catering orders
- name, email address, phone number (optional)
- company name and delivery address (if applicable)
- order contents, order history, and payment information
- payment details are processed directly by our payment provider Stripe — we never store your card number, expiry date, or CVC on our own servers
b) orders via delivery platforms
- when you order through platforms such as Uber Eats, we receive your name, delivery address, and order contents in order to prepare your order
- these orders are also subject to the delivery platform's own privacy policy
c) website visitors
- anonymised usage data via Google Analytics (see section 10 on cookies)
- we do not collect IP addresses — Google Analytics is configured with IP anonymisation enabled
d) contact & communication
- name and email address when you contact us via [email protected]
- contents of your messages
3. on what legal basis do we process your data?
under the GDPR, we must have a valid legal basis for each processing activity. we rely on the following:
- performance of a contract (art. 6(1)(b) GDPR): processing your catering order, payment, delivery, and invoicing — this data is necessary to fulfil the agreement between you and bagel bagel
- consent (art. 6(1)(a) GDPR): sending you marketing emails and placing non-essential cookies. you can withdraw your consent at any time
- legitimate interest (art. 6(1)(f) GDPR): operating and securing our website and improving our services. we have assessed that these interests do not override your privacy rights
- legal obligation (art. 6(1)(c) GDPR): retaining order and financial records as required by Dutch tax law (Algemene wet inzake rijksbelastingen)
4. how do we use your data?
we use your personal data for the following purposes:
- processing, confirming, and delivering catering orders
- sending order confirmations, invoices, and delivery reminders
- receiving and preparing orders placed through delivery platforms
- responding to your questions or requests
- analysing anonymised website usage to improve our services
- sending promotional emails — only with your explicit consent
- complying with legal and tax obligations
5. how long do we keep your data?
we do not keep your data longer than necessary. the retention periods below apply:
- order & payment data: 7 years after the order date (required under Dutch tax law)
- invoices & financial records: 7 years (required under Dutch tax law)
- email communication: up to 2 years after our last correspondence
- marketing consent records: until you withdraw consent, plus 1 year for accountability purposes
- promotion entries: up to 12 months after the promotion ends, then deleted
- anonymised analytics data: 14 months (Google Analytics default)
6. third parties & data processors
we never sell, rent, or trade your personal data to third parties. we only share data with trusted service providers (processors) who are strictly necessary to deliver our services. these processors act on our instructions and are contractually bound to protect your data.
payment & invoicing
- Stripe — processes card payments and iDEAL transactions. Stripe is certified PCI-DSS Level 1 and acts as an independent data controller for payment data. privacy policy
- Moneybird — generates and sends invoices for business catering orders. privacy policy
hosting & infrastructure
- Vercel — hosts our website and serves web pages. privacy policy
- Supabase — database hosting and data storage. our database is hosted in the EU (Frankfurt, Germany). privacy policy
communication
- Resend — delivers transactional emails (order confirmations). privacy policy
analytics
- Google Analytics — collects anonymised website usage statistics. IP anonymisation is enabled. no personal data is shared with Google for advertising purposes. privacy policy
delivery platforms
- Uber Eats — delivery order platform. orders placed via Uber Eats are subject to both our and Uber's privacy policy. Uber acts as an independent data controller for customer data on their platform. privacy policy
7. international data transfers
some of our processors are based in the United States (Stripe, Vercel, Resend, Google, Apple). when personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following safeguards:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- the processor's participation in recognised certification frameworks
- an adequacy decision by the European Commission (where applicable)
our primary database is hosted within the EU (Supabase, Frankfurt, Germany).
8. how do we protect your data?
we take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. these measures include:
- encrypted connections (HTTPS/TLS) for all data in transit
- encrypted database storage at rest
- secure password hashing (bcrypt) — we never store passwords in plain text
- role-based access control for employee accounts
- rate limiting and account lockout on login to prevent brute-force attacks
- regular security updates and monitoring
9. your rights under the GDPR
as a data subject, you have the following rights under the GDPR. you can exercise any of these rights free of charge by emailing [email protected].
- right of access (art. 15): request a copy of the personal data we hold about you
- right to rectification (art. 16): request correction of inaccurate or incomplete data
- right to erasure (art. 17): request deletion of your personal data ("right to be forgotten"), unless we are legally required to retain it
- right to restriction (art. 18): request that we temporarily stop processing your data while a dispute is resolved
- right to data portability (art. 20): receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- right to object (art. 21): object to processing based on legitimate interest, including profiling
- right to withdraw consent (art. 7): withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal
we will respond to your request within 30 days. in exceptional cases, we may extend this by a further 60 days, in which case we will inform you of the reason for the delay.
to verify your identity, we may ask you to confirm your request from the email address associated with your account.
10. cookies & analytics
our website uses a limited number of cookies:
- essential cookies: session cookies required for login functionality and the shopping cart. these do not require consent as they are strictly necessary
- analytics cookies (Google Analytics): we use Google Analytics with IP anonymisation enabled to collect anonymised statistics about website visits (pages viewed, time on site, device type). no personally identifiable information is collected. data retention is set to 14 months
we do not use marketing cookies, retargeting pixels, or third-party advertising trackers.
11. automated decision-making
we do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (as described in art. 22 GDPR). our rewards programme fraud detection system flags potentially suspicious activity for human review but does not automatically make decisions about your account.
12. children's data
our services are not directed at children under the age of 16. we do not knowingly collect personal data from children under 16. if you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
13. promotions & marketing
on our website we occasionally run interactive promotions (such as games or contests). to participate, we ask for your first name and email address. this data is used to:
- identify participants and award prizes
- send promotional emails about bagel bagel — only if you explicitly tick the marketing consent checkbox
the marketing consent checkbox is never pre-checked. you can withdraw your consent at any time by emailing [email protected] or by clicking the unsubscribe link in any marketing email.
data retention: promotion entries are kept for up to 12 months after the promotion ends, then deleted. if you opted in to marketing, your name and email are kept until you unsubscribe.
14. complaints
we hope to resolve any concerns directly. if you are not satisfied with our response, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
autoriteitpersoonsgegevens.nl
telephone: +31 (0)70 888 8500
15. changes to this policy
we may update this privacy policy from time to time to reflect changes in our services, legal requirements, or data practices. when we make material changes, we will update the "last updated" date at the top of this page. the latest version is always available at bagelbagel.nl/privacy.
we encourage you to review this page periodically.