Flamenco

Privacy policy

Effective 4 May 2026. Explains what personal data we collect, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG).

1. Data controller

The data controller responsible for personal data processed through this site is Flamenco, a sole proprietorship (eenmanszaak) operated by Alejandro Torres Gayan, with registered address Admiralengracht 158-3, 1057 GH Amsterdam, the Netherlands; Chamber of Commerce (KvK) 88546349. For any privacy-related question or to exercise the rights described below, contact flamenco.import@gmail.com.

Aleluya Technologies LLC, the developer of this site, acts as a data processor under a written processing agreement during the build period and the maintenance month that follows; thereafter, processor access is removed.

2. What we collect, when, and why

We collect only data necessary for the purposes listed below. We do not run third-party advertising trackers, marketing pixels, or social-network embeds.

When you reserve an event seat

Name, email, party size, payment confirmation from Mollie, and the time of check-in if you attend. Lawful basis: performance of the reservation contract (GDPR Art. 6(1)(b)).

When you subscribe to the monthly box

Name, email, delivery address, postal code, the subscription plan you chose, and identifiers issued by Mollie (customer, mandate, and subscription IDs). We do not store bank account or card numbers. Lawful basis: performance of the subscription contract (GDPR Art. 6(1)(b)).

When you join the waitlist

Email and postal code, so we can notify you if our delivery zone reaches your address. Lawful basis: legitimate interest in operating a delivery business that grows by serving expressed demand (GDPR Art. 6(1)(f)). You can ask to be removed at any time.

When we send you a transactional email

Order, reservation, subscription, payment-failure, and self-serve magic-link emails are sent through Resend. Lawful basis: performance of contract (GDPR Art. 6(1)(b)) for delivery and payment notifications; legitimate interest (GDPR Art. 6(1)(f)) for security-related notifications such as magic-link issuance. Resend records open and click events for deliverability monitoring; we do not use this data for marketing.

When you visit the public site

Vercel Analytics records aggregate, cookieless page-view counts and basic performance metrics. No individual visitor is identified or tracked across sessions. Lawful basis: legitimate interest in understanding aggregate traffic to operate the site (GDPR Art. 6(1)(f)).

For fraud prevention and abuse limits

We rate-limit certain endpoints by IP address or by email address (using Upstash Redis, with short retention) and use Vercel BotID on the magic-link and signup forms to detect automated abuse. Lawful basis: legitimate interest in protecting the service and other users (GDPR Art. 6(1)(f)).

3. Subprocessors

We rely on the following processors. Each operates under a written agreement meeting the requirements of GDPR Article 28; transfers outside the EEA, where applicable, are covered by the European Commission's Standard Contractual Clauses.

  • Supabase — database, authentication, and file storage; EU region.
  • Vercel — site hosting, edge delivery, and cookieless analytics; EU region for compute, global CDN.
  • Mollie B.V. — payment processing (iDEAL and SEPA Direct Debit); the Netherlands.
  • Resend — transactional email delivery; United States, under Standard Contractual Clauses.
  • Upstash — short-lived rate-limit counters; EU region.
  • Sentry — error monitoring; EU region. Personal data is filtered out of error reports server-side.

We do not sell personal data and do not share it with third parties beyond the processors above except where required by law.

4. Retention

We keep personal data only as long as needed for the purpose it was collected for, or longer where Dutch fiscal law requires.

  • Waitlist signups — 30 days after signup, then deleted automatically.
  • Magic-link tokens — 24 hours after expiry, then deleted automatically.
  • Pending (unpaid) reservations — 24 hours after expiry, then deleted automatically.
  • Paid reservations and event attendance — 7 years, to satisfy Dutch fiscal record-keeping obligations (Algemene wet inzake rijksbelastingen, Art. 52).
  • Cancelled subscribers — 7 years for the same fiscal reason. After cancellation, name, email, and address are anonymized at the retention boundary while the financial record is preserved.
  • Audit log — 90 days, for operational forensics.

5. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Access (Art. 15) — to receive a copy of the personal data we hold about you.
  • Rectification (Art. 16) — to have inaccurate data corrected.
  • Erasure (Art. 17) — to have your data deleted, subject to the fiscal-retention exception above (in which case data is anonymized rather than deleted while the legal hold runs).
  • Restriction (Art. 18) — to limit how we process your data pending resolution of a dispute.
  • Portability (Art. 20) — to receive your data in a structured, machine-readable format and transmit it to another controller.
  • Objection (Art. 21) — to object to processing based on legitimate interest. We will stop unless we have overriding legitimate grounds.
  • Withdrawal of consent (Art. 7) — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
  • Not to be subject to automated decisions (Art. 22) — we do not carry out automated decision-making with legal or similarly significant effects.

To exercise any of these rights, email flamenco.import@gmail.com from the address associated with your account. We will respond within thirty days; the period may be extended by up to two further months for complex requests, in which case we will tell you why.

6. Right to complain

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in the EU member state of your residence.

7. Cookies

We use only strictly necessary cookies: a Supabase authentication session cookie for admin and subscriber self-serve sessions, and a short-lived signed cookie that lets a magic-link page survive a browser reload without re-exposing the URL token. Both are essential to the service you have requested and are exempt from consent under Article 5(3) of the ePrivacy Directive.

We do not use marketing cookies, advertising cookies, or third-party analytics cookies, which is why no cookie banner appears.

8. Children

The site is not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has submitted information through the site, please contact us so we can remove it.

9. Security

Connections to the site are encrypted in transit (HTTPS, HSTS preload). Passwords are not used; admin and subscriber access rely on email-issued magic links and Supabase's session cookies. Service-role database credentials never reach the browser. We log meaningful access and change events in an internal audit log, excluding password fields, magic-link tokens, and payment instrument data.

10. Changes to this policy

We may update this policy as the service evolves or as the law changes. The latest version always lives at this URL with a fresh effective date at the top. Subscribers will be notified by email of material changes at least fourteen days before they take effect.