Legal
Privacy & your data
What we collect, why we collect it, and how to make us stop. Plain English, no dark patterns — written so you can grasp it in five minutes.
Last updated: 9 June 2026
1. Who we are
Hello Amsterdam ("we", "us") is an independent editorial publication based in Amsterdam, the Netherlands. We are the data controller for the personal data processed via this website. Reach us at our contact page.
2. What we collect
- Account data — your name and email when you sign up (email/password, Google, or Apple), plus consent timestamps (privacy and optional marketing).
- Booking data — the service you book, date, time, party size, status, provider reference, and optional notes. Linked to your account, or to your email if you booked as a guest.
- Usage data — anonymised page views, referrer, country (city-level), device class. Aggregate only.
- Newsletter data — email address you submit voluntarily, plus open/click metadata.
- Contact data — anything you send us by email when you reach out.
- Cookies — consent state, age-verification (18+ for After Dark), and session cookies needed for sign-in.
3. Purposes & legal bases (GDPR)
- Contract (art. 6(1)(b)) — to create and operate your account, process your booking requests, and let you manage them in "My Amsterdam".
- Consent (art. 6(1)(a)) — analytics, non-essential cookies, and marketing emails.
- Legitimate interest (art. 6(1)(f)) — security, fraud and abuse prevention, basic anonymous usage measurement, and rate limiting on guest bookings.
- Legal obligation (art. 6(1)(c)) — keeping limited records to comply with applicable law.
4. Third parties (processors & partners)
- Supabase (hosting, database, authentication) — EU region. Stores account, profile, booking and consent data on our behalf under a Data Processing Agreement.
- Resend (transactional email) — delivers sign-up confirmations, password resets and booking notifications.
- Booking partners — when you start a booking on a partner-powered listing, the relevant data (e.g. date, party size, contact) is shared with that partner so they can confirm the reservation. Examples include TheFork for restaurants and GetYourGuide for attractions. Their own privacy policies apply once you leave our site.
- Analytics provider — anonymised, aggregated traffic measurement.
We do not sell personal data. We only share what is necessary to perform the service.
5. Retention
- Account & profile: until you delete your account.
- Bookings: 24 months after the booking date, then deleted or anonymised.
- Consent timestamps: kept as long as the account exists, to prove the consent was given.
- Newsletter: until you unsubscribe.
- Analytics: 14 months. Contact emails: 24 months. Cookies: as described on the cookie policy.
6. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict or port your data, and to object to processing or withdraw consent. From the My Amsterdam dashboard you can download all your data (JSON export) and permanently delete your account at any time. You can also email us and we will act within 30 days. You may complain to the Dutch DPA (Autoriteit Persoonsgegevens).
7. International transfers
Our primary infrastructure is located in the EU. Where a processor transfers data outside the EEA, we rely on the European Commission's Standard Contractual Clauses.
8. Changes
We update this policy when our practices change. The date at the top reflects the last revision.
In one line
Your data, your call — we keep only what we need, no longer.
