Privacy Policy
Last updated: March 2026
1. Introduction
BOOQR ("we", "us", "our") processes personal data when you use our booking platform. This privacy policy explains what data we collect, why we collect it, how long we keep it, and what rights you have. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG).
2. Data Controller
BOOQR B.V. is the data controller for the processing of personal data described in this policy.
- BOOQR B.V.
- Registered in the Netherlands, KVK: 96457503
- VAT number (BTW-nr): NL863020835B01
- privacy@booqr.nl
3. Contact Details
For questions about this privacy policy or to exercise your data subject rights, you can reach us at:
Email: privacy@booqr.nl
4. Data We Collect
We collect the following categories of personal data:
Guest Booking Data
Name, email address, phone number — collected when you make a reservation.
Payment Data
Transaction references and payment status — processed by our payment provider Pay.nl. We do not store full credit card numbers or bank account details.
Access Credentials
QR codes and SMS verification tokens — generated to grant you access to booked facilities.
Usage Data
Page visits, booking patterns, IP address, browser type, device information — collected via server logs and analytics.
Account Data
Login credentials (hashed password), role, tenant association — for staff and admin accounts.
5. Purposes of Processing
We process your personal data for the following purposes:
- Booking management — to create, confirm, modify, and cancel reservations (legal basis: contract performance).
- Access control — to generate and verify QR codes and SMS tokens for facility entry (legal basis: contract performance).
- Payment processing — to handle payments, invoicing, and refunds (legal basis: contract performance and legal obligation).
- Analytics and improvement — to understand usage patterns and improve our platform (legal basis: legitimate interest).
- Communications — to send booking confirmations, reminders, and service updates (legal basis: contract performance).
- Marketing — only with your explicit consent, which you may withdraw at any time (legal basis: consent).
- Security and fraud prevention — to protect accounts and detect abuse (legal basis: legitimate interest).
6. Legal Bases
We rely on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)) — processing necessary for the booking service you requested.
- Legal obligation (Art. 6(1)(c)) — tax and financial record-keeping requirements.
- Legitimate interest (Art. 6(1)(f)) — analytics, security, and platform improvement.
- Consent (Art. 6(1)(a)) — marketing communications and optional analytics cookies.
7. Recipients and Sub-processors
We share personal data with the following categories of recipients:
| Sub-processor | Purpose | Location |
|---|---|---|
| Pay.nl | Payment processing | Netherlands (EU) |
| Resend | Transactional email delivery | United States |
| OpenAI | AI assistant (tenant admin only) | United States |
| Twilio / CM.com | SMS notifications and access tokens | Netherlands / United States |
| Google Analytics | Website analytics | EU (with EU data residency) |
| Railway | Application hosting and infrastructure | United States |
8. International Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). For these transfers, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework).
Specifically, data shared with OpenAI and Resend involves transfers to the United States, which are safeguarded by SCCs and supplementary measures.
9. Retention Periods
We retain personal data only as long as necessary for the purpose it was collected:
| Data Category | Retention Period | Reason |
|---|---|---|
| Financial records (invoices, payments) | 7 years | Dutch tax law obligation (AWR) |
| Booking data | 2 years after checkout | Service improvement and dispute resolution |
| Access credentials (QR/SMS tokens) | 48 hours after booking end | No longer needed after facility access |
| Login attempts and audit logs | 90 days | Security monitoring |
| Staff/admin accounts | Duration of employment + 6 months | Account management |
| Analytics data | 26 months | Google Analytics default, anonymized after 14 months |
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to data portability — receive your data in a structured, machine-readable format (JSON/CSV).
- Right to object — object to processing based on legitimate interest, including profiling.
- Right to restriction — request that we limit the processing of your data.
- Right to withdraw consent — withdraw consent at any time for consent-based processing.
To exercise any of these rights, contact us at privacy@booqr.nl. We will respond within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or significantly affects you. The AI assistant feature is only available to tenant administrators and does not make automated decisions about individuals.
12. Cookies
We use the following types of cookies:
- Session cookies — essential for authentication and booking flow. These are strictly necessary and do not require consent.
- Analytics cookies (Google Analytics) — used to understand how visitors interact with our website. These are only placed with your consent.
- Preference cookies — to remember your language preference (nl/en). These are strictly necessary for functionality.
You can manage your cookie preferences at any time through your browser settings.
13. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS 1.3), encrypted database connections, HMAC-SHA256 signed access tokens, role-based access control, audit logging, and regular security assessments.
14. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice on our website. The "last updated" date at the top of this policy indicates when it was last revised.