Toudou Privacy Policy

    Last updated: November 30, 2025

    1. Who is Toudou?

    This privacy policy applies to the processing of personal data by:

    • Toudou
    • Based in Amsterdam, The Netherlands
    • Email: hello@toudou.world
    • Website: https://www.toudou.world

    Toudou is the data controller for personal data collected through our website, app, and services.

    2. Who does this privacy policy apply to?

    This privacy policy applies to:

    • Visitors to our website(s)
    • People who create a Toudou account (both participants and organizers)
    • People who book an outing or purchase/use a gift card through Toudou
    • People who subscribe to our newsletter or contact us

    3. What personal data do we process?

    We only process personal data necessary to provide and improve our service. This may include:

    A. Basic and account data

    • First name and (if provided) last name
    • Email address
    • Password (hashed, not readable by us)
    • Role (participant or organizer)
    • Language and communication preferences

    B. Booking or participation data

    • Date and time of (planned) outings
    • Number of people
    • Preferences and restrictions (e.g., activity type, dietary requirements, accessibility)
    • City or region of the outing
    • Information about the booked activity (type of outing, organizer, price)

    C. Organizer data

    • Company name
    • Name and contact details of contact person
    • Activity/outing descriptions
    • Availability, capacity, and pricing information
    • Payment and payout information (such as IBAN or other payout details)

    D. Payment data

    Payments for outings and gift cards are processed through an external payment provider (such as Mollie). We do not receive complete payment card details (such as full credit card numbers). We do receive:

    • Transaction amount
    • Payment method (e.g., iDEAL, credit card)
    • Payment status
    • Reference or transaction ID

    E. Communication

    • Content of messages you send us via contact form, email, or other channels
    • Feedback, reviews, and survey responses

    F. Website usage data

    • IP address (anonymized or shortened where possible)
    • Device and browser information
    • Pages visited and click behavior

    For statistics, we use a privacy-friendly analytics tool (like Simple Analytics), which works without tracking profiles or marketing cookies.

    We do not process special categories of personal data (such as health data) unless you explicitly share them with us (for example, dietary or mobility requirements). We ask you to only share such information if it's truly necessary for the outing.

    4. For what purposes and on what legal bases do we use your data?

    We use your data for the following purposes, based on GDPR legal bases:

    A. Contract performance

    • Creating and managing a Toudou account
    • Completing the Surprise Guide
    • Matching with a suitable outing and processing bookings
    • Displaying and managing your bookings and gift cards

    Legal basis: contract performance (Article 6(1)(b) GDPR).

    B. Payments and administration

    • Processing payments for outings and gift cards (via Mollie)
    • Managing payouts to organizers
    • Financial administration and accounting

    Legal basis: contract performance and legal obligation (Article 6(1)(b) and (c) GDPR).

    C. Communication

    • Sending booking confirmations and practical information
    • Answering your questions and providing customer service
    • Sending important updates about your booking or account

    Legal basis: contract performance and legitimate interest (Article 6(1)(b) and (f) GDPR).

    D. Newsletter and marketing (with consent)

    • Sending our newsletter with tips, offers, and news
    • Personalized recommendations

    Legal basis: consent (Article 6(1)(a) GDPR). You can unsubscribe at any time.

    E. Platform improvement and analytics

    • Understanding how our website and services are used
    • Improving user experience and functionality
    • Detecting and preventing technical issues

    Legal basis: legitimate interest (Article 6(1)(f) GDPR).

    F. Legal obligations

    • Complying with legal requirements (e.g., tax, accounting)
    • Responding to legal requests from authorities

    Legal basis: legal obligation (Article 6(1)(c) GDPR).

    5. How long do we keep your data?

    We retain your data no longer than necessary for the purposes described above:

    • Account data: Until you delete your account, or if inactive for more than 3 years
    • Booking data: 7 years for accounting purposes (legal requirement)
    • Payment data: 7 years for accounting purposes
    • Newsletter: Until you unsubscribe
    • Communication: Up to 2 years after last contact
    • Analytics data: Aggregated and anonymized, no time limit

    6. Who do we share your data with?

    We share your data only when necessary:

    A. Organizers/Providers

    When you book an outing, we share necessary information (name, contact details, booking details, preferences) with the organizer to execute the outing.

    B. Service providers

    • Payment provider (Mollie): for processing payments
    • Hosting and infrastructure (Supabase): for storing data
    • Email service: for sending emails
    • Analytics (Simple Analytics): privacy-friendly website statistics

    These parties act as processors under our instructions and may not use your data for their own purposes.

    C. Legal obligations

    We may disclose data if legally required (e.g., to authorities, courts).

    We do not sell your data to third parties.

    7. Your rights

    Under the GDPR, you have the following rights:

    • Right of access: Request a copy of your personal data
    • Right to rectification: Correct inaccurate data
    • Right to erasure: Request deletion of your data (with exceptions for legal obligations)
    • Right to restriction: Temporarily restrict processing in certain cases
    • Right to data portability: Receive your data in a machine-readable format
    • Right to object: Object to processing based on legitimate interest or for direct marketing
    • Right to withdraw consent: If processing is based on consent, you can withdraw it at any time

    To exercise your rights, contact us at hello@toudou.world. We'll respond within one month.

    8. Security

    We take appropriate technical and organizational measures to protect your data against loss, misuse, and unauthorized access:

    • Encrypted connections (HTTPS/SSL)
    • Secure hosting infrastructure
    • Access controls and authentication
    • Regular security updates
    • Hashed passwords

    9. Cookies and tracking

    We use minimal cookies necessary for the website to function:

    • Functional cookies: Required for login, session management, and preferences
    • Analytics: Privacy-friendly analytics (Simple Analytics) without personal tracking

    We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings.

    10. Changes to this policy

    We may update this privacy policy occasionally. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we may notify you via email.

    11. Questions or complaints?

    If you have questions about this privacy policy or how we handle your data, contact us at:

    • Email: hello@toudou.world
    • Website: https://www.toudou.world/contact

    If you're not satisfied with our response, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
