Privacy Policy — bookto checkout
Version 2.1 — 11 June 2026
1. Who we are
ianka fleerackers Comm. V. (hereafter "we", "us", or "our") is a Belgian limited partnership (commanditaire vennootschap) with registered offices at Nieuwstraat 84, 2880 Bornem, Belgium, and enterprise / VAT number BE 0824.677.865.
We operate checkout.bookto.eu as checkout infrastructure for merchants to sell their own products. Our role under the GDPR differs depending on who you are:
- If you are a merchant who signs up to use our tool, we are the data controller of your account and tool usage data.
- If you are an end customer completing a checkout through a merchant using our tool, the merchant is the data controller; we act as a data processor under a Data Processing Agreement with that merchant. You should consult the privacy policy of the merchant you are purchasing from.
This policy applies to checkout.bookto.eu. For the privacy policy covering the bookto.eu marketing site, see bookto.eu Privacy Policy.
For any question about your personal data, or to exercise the rights described in section 8, contact us at legal@bookto.eu. You may write in English or Dutch; we will respond in the language you used.
2. Scope
This policy applies to all personal data we process through checkout.bookto.eu, whether as controller (merchant accounts) or as processor (end-customer data during checkouts).
It does not cover third-party websites you may reach by following an external link — once you leave, the privacy practices of the destination apply.
If you are an end customer seeking information about how your data is used, please consult the privacy policy of the merchant you purchased from. If you cannot locate it, you may contact us at legal@bookto.eu and we will help connect you with the correct merchant.
3. What personal data we collect
If you are a merchant (account holder on the tool)
When you sign up for a merchant account, we process your email address, a role and approval flag that determine what you can do in the dashboard, and any additional profile information you choose to provide. Authentication is handled via magic links — no password is stored. Your account is hosted in our Supabase environment (see section 5).
We also store any product information you create — product names, descriptions, prices, and the payment links you generate. Regardless of whether this data formally qualifies as personal data under GDPR (which depends on your legal form as a merchant), we treat it with the same care and under the same protections described in this policy.
Newsletter (optional). When you sign up for a trial or a merchant account, you may choose to receive the bookto newsletter. Only if you tick the optional consent box do we add your email address (and first name if you provide it) to our mailing list, managed through Kit (ConvertKit) — the same list described in the bookto.eu Privacy Policy. This is entirely separate from your account: subscribing is never required to use the tool, and you can unsubscribe at any time via the link in every email without affecting your account.
If you correspond with us by email
If you email us (for example at legal@bookto.eu) about your account or the tool, we receive your email address, your name if included in your signature, and the content of your correspondence. Emails are processed through Microsoft 365 (see section 5).
Processor note: end-customer data during checkouts
When an end customer completes a checkout via a merchant using our tool, we store on the merchant's behalf the customer's name, email address, billing address (street, postal code, city, country, optional address line 2), and VAT number if provided — linked to the specific order in our Supabase database (see section 5). The merchant is the data controller for this data; we process it only on their instructions under our DPA.
The payment transaction itself — card details, bank account information, bank authentication — is handled directly by Mollie, our payment processor (see section 5). Neither we nor the merchant see or store the customer's payment instrument data. We receive only a transaction reference, a status (succeeded, failed, refunded), and the amount — enough to match the payment to the order.
What we do not collect on this site
- No card numbers, CVC codes, or bank account numbers — these never reach our servers or any merchant.
- No analytics or tracking cookies — checkout.bookto.eu is an authenticated application, not a public marketing site.
- No social media tracking pixels or advertising identifiers.
- No video embed cookies — this site has no YouTube or Vimeo embeds.
- No special categories of personal data under article 9 GDPR.
4. Why we process your data and on which legal basis
Under the GDPR (article 6), we may only process personal data if we have a valid legal basis.
Managing your merchant account. When you create and use a merchant account, we process your email address, profile information, and tool activity to provide you access to the service. Legal basis: performance of a contract under article 6(1)(b) GDPR — the contract being your use of the tool under our terms of service.
Processing payments on behalf of merchants. We process end-customer name, email, billing address, VAT number, and payment transaction data as a processor on behalf of the merchant who is selling. The merchant, as controller, relies on article 6(1)(b) GDPR (performance of the sale contract with their customer). Our role is governed by a Data Processing Agreement with each merchant. Payment data (card numbers, CVC, bank credentials) is always handled directly by Mollie — never by us.
Sending you our newsletter (optional). If you opt in when signing up for a trial or account, we process your email address — and first name if provided — to send you the bookto newsletter. Legal basis: your consent under article 6(1)(a) GDPR, given by ticking the optional box at signup. Subscribing is never a condition of using the Services, and you may withdraw your consent at any time by unsubscribing.
Meeting our legal obligations. Belgian accounting and tax law (articles III.86 and following of the Belgian Code of Economic Law) requires us to retain invoicing and transaction records for seven years. For this purpose, we process the data necessary — typically names, billing addresses, VAT numbers, and transaction amounts. Legal basis: compliance with a legal obligation under article 6(1)(c) GDPR. This obligation can override an erasure request for the duration of the retention period (see sections 7 and 8).
Responding to your messages. When you contact us, we process your name, email address, and message content to reply. Legal basis: performance of a contract under article 6(1)(b) GDPR for service-related inquiries, or your consent under article 6(1)(a) GDPR for general correspondence.
Keeping the site secure and functioning. Our hosting provider (Vercel) and backend (Supabase) process technical data to keep the tool available and prevent abuse. Legal basis: our legitimate interest in operating secure infrastructure under article 6(1)(f) GDPR.
5. Who we share your data with
We do not sell, rent, or trade your personal data. We share it only with service providers who process it on our behalf, bound by a data processing agreement.
| Service provider | Purpose | Data processed | Location | Transfer safeguards |
|---|---|---|---|---|
| Microsoft 365 — Microsoft Ireland Operations Ltd. | | Email content, name, email address | EU (EU Data Boundary) | Standard Contractual Clauses for limited support from outside the EU |
| Vercel Inc. | Application hosting | Technical request data | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Supabase Inc. | Database, authentication, data storage | Merchant account data (email, role, profile), product information, order data (name, email, billing address, VAT number, transaction references) | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses |
| Mollie B.V. | Payment processing (independent controller for the payment transaction) | Payment details entered directly with Mollie (card number, CVC, bank credentials) — never reach our servers. Transaction reference, status, and amount returned to us. | Netherlands (EU) | None required |
| Resend Inc. | Transactional email (order confirmations, sale notifications) | Buyer name, email address, order details | United States | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Kit (ConvertKit Inc.) | Newsletter email for merchants who opt in; post-payment email automations (when activated by merchant) | Merchant email address and first name (newsletter); buyer email address and product tags (automations) | United States | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Onfact | Invoice generation (when activated by merchant) | Buyer name, billing address, VAT number, transaction amount | Belgium (EU) | None required |
Public authorities. In exceptional cases we may be required to disclose personal data to public authorities (court order, law enforcement, tax audit). We only do so when legally obliged and limit disclosure to what is strictly required.
6. International transfers of personal data
Where possible, we keep your personal data within the European Economic Area. Microsoft 365, Vercel EU regions, Supabase EU regions, Mollie, and Onfact store your data in the EU by default.
For services with US-based parent entities — Vercel, Supabase, Resend, Kit — operational routing may involve the United States. We rely on Standard Contractual Clauses (article 46 GDPR) signed with each provider, and on the EU-US Data Privacy Framework certification where the provider is certified. We monitor the status of the framework. If it is invalidated or replaced, we continue to rely on Standard Contractual Clauses.
You have the right to request a copy of the specific safeguards we rely on. Contact us at legal@bookto.eu.
7. How long we keep your data
Merchant accounts. As long as your account is active, plus 12 months after account deactivation to handle any final billing, support, or legal matters. After that, account data is deleted, except for the parts we are required to keep for accounting (see below).
Newsletter subscribers. If you opted in to our newsletter, we keep your email address on our mailing list for as long as your subscription is active. When you unsubscribe, it is removed within 30 days. Kit may retain anonymised analytics data after removal. This is independent of your merchant account: unsubscribing does not affect your account, and deleting your account does not by itself remove you from the newsletter.
Order and transaction data. Retained for 7 years under Belgian accounting and tax law (articles III.86 and following of the Belgian Code of Economic Law). This obligation overrides an earlier erasure request for transaction records but is strictly limited to names, billing addresses, VAT numbers, transaction amounts, and transaction references.
Email correspondence. Up to 2 years after our last exchange, after which correspondence is deleted unless it relates to an active or anticipated legal matter.
Technical logs. Vercel and Supabase logs are retained for up to 90 days for security, debugging, and abuse prevention.
Legal holds. In case of an actual or anticipated legal dispute, regulatory investigation, or law enforcement request, we may retain otherwise-deletable data as long as strictly necessary. You will be informed if the law permits.
8. Your rights
The GDPR gives you strong rights over your personal data. You can exercise any of them free of charge, and we will respond within 30 days. For complex requests we may extend this period by up to two additional months under article 12(3) GDPR; if we do, we will tell you within the first month and explain why.
Right of access (article 15). Ask whether we process data about you and receive a copy with information about purposes, categories, recipients, and retention.
Right to rectification (article 16). Ask us to correct or complete inaccurate or incomplete data.
Right to erasure (article 17). Ask us to delete your personal data. We will do so unless we are required or entitled to keep it — in particular, the 7-year accounting retention described in section 7 will override an erasure request for transaction records for the duration of that period.
Right to restriction of processing (article 18). In certain situations, ask us to pause processing instead of deleting.
Right to data portability (article 20). Receive data you provided, in a structured, commonly used, machine-readable format, or ask us to transmit it to another controller.
Right to object (article 21). Object to processing based on our legitimate interest.
Right to withdraw consent (article 7(3)). Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Right to lodge a complaint (article 77). File a complaint with the Belgian Gegevensbeschermingsautoriteit (see section 9).
How to exercise your rights
Contact us at legal@bookto.eu. We do not ask for a copy of your ID. We confirm your identity proportionately — usually by replying from the email address we have on file for you, or by asking a limited verification question if we have reasonable doubt. We follow the guidance of the European Data Protection Board: identity verification must be proportionate and must not create unnecessary barriers.
If you are an end customer
Your rights are primarily against the merchant, who is the controller for your data. If you need our help locating the right merchant, contact us at legal@bookto.eu and we will assist.
If we cannot act on your request — for example because we must keep the data under a legal obligation — we will explain why in our response.
9. Supervisory authority, changes, and contact
Supervisory authority
If you believe we have not handled your personal data correctly, you have the right to file a complaint with the Belgian data protection authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35, 1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
You also retain the right to seek a judicial remedy before the competent civil court.
Changes to this policy
We may update this policy from time to time. When we do, we update the version number and date at the top. For changes that affect how we process your data materially, we notify registered merchants in advance and ask for fresh consent where required.
Contact
For any question about this policy, contact us at legal@bookto.eu in English or Dutch.
ianka fleerackers Comm. V. · Nieuwstraat 84, 2880 Bornem, Belgium · VAT BE 0824.677.865