Privacy Policy

    Your trust matters. Here's how we protect your data.

    Last updated: March 4, 2026 · Effective: March 7, 2026

    1. Who We Are

    The Dinner Club is operated by The Dinner Club, registered in Amsterdam, the Netherlands (KvK number: 95477233). We connect hosts who offer home-cooked dinner experiences with guests looking for meaningful social dining. As the data controller, we are responsible for deciding how we hold and use personal information about you.

    This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the Dutch Uitvoeringswet AVG (UAVG), and other applicable data protection laws.

    We will never sell your personal data to third parties.

    For privacy-related questions or requests, contact us at hello@thedinnerclub.eu.

    2. Information We Collect

    Account Information

    When you create an account, we collect your name, email address, phone number, and profile photo. If you sign up through Google or Apple, we receive your basic profile information from those services.

    Profile and Dietary Information

    You may choose to share dietary restrictions, allergies, cuisine preferences, and personal interests. This information helps hosts accommodate you and is shared with hosts when you are approved for a dinner. Sharing this is optional, but if you have allergies, we strongly encourage you to provide this information for your own safety.

    Location Data

    When a booking is confirmed, we share the host's address with the approved guest. We may also use your general location to show you relevant dinners nearby. Host addresses are never visible before a booking is confirmed.

    Booking and Review Content

    We collect data related to your bookings, including dinner listings you create or attend, booking requests, approval or decline actions, and any reviews or ratings you leave.

    Messages

    If you communicate with other users through our platform, we collect the content of those messages to facilitate the conversation and for safety and moderation purposes.

    Verification Data

    For identity verification, we may collect a copy of your government-issued ID. This is securely processed by our verification partner and stored only as long as needed — typically deleted within 30 days of successful verification.

    Payment and Voucher Information

    Guest payment details are processed directly by Stripe. We never store your full credit card number. We receive only the last four digits and card type for reference. For hosts, we share limited personal information (such as name and email address) with our voucher provider in order to deliver supermarket vouchers as compensation for hosting.

    Automatically Collected Information

    When you use our platform, we automatically collect device information, browser type, IP address, pages you visit, actions you take, and referring URLs. We use this to improve our services and maintain security.

    3. How We Use Your Information

    We use your personal data to:

    Create and manage your account.

    Connect you with hosts or guests and facilitate bookings.

    Share the host's address with approved guests after a booking is confirmed.

    Process guest payments through Stripe.

    Deliver supermarket vouchers to hosts through our voucher provider.

    Send booking confirmations, updates, and safety-related notifications.

    Verify your identity for safety purposes.

    Facilitate reviews and ratings.

    Provide customer support.

    Personalise your experience, including dinner recommendations based on your preferences and location.

    Improve our platform through analytics.

    Prevent fraud and maintain security.

    Comply with legal and tax obligations, including Dutch fiscal reporting requirements.

    5. How We Share Your Information

    With Other Users

    When you are approved for a dinner, the host can see your name, profile photo, and any dietary information you have provided. Confirmed guests receive the host's address. Host addresses are never visible before a booking is confirmed and must not be shared with others.

    With Service Providers

    We work with trusted third-party service providers who process data on our behalf. Each provider only receives the data they need and is contractually bound to protect it. We have Data Processing Agreements (DPAs) in place with all service providers who process personal data on our behalf, as required by Article 28 GDPR.

    Our current service providers include:

    Stripe — payment processing (processes guest payment details, hosts' payout information)

    Supermarket voucher delivery for hosts (receives host name, email, voucher amount)

    Supabase — database infrastructure and authentication (stores account data, booking data, messages)

    Google — social login (receives and provides basic profile data when you sign in with Google)

    Apple — social login (receives and provides basic profile data when you sign in with Apple)

    Resend — transactional emails such as booking confirmations and policy updates

    Google Analytics — essential tracking, views per page

    For Legal Reasons

    We may disclose your information if required by law, in response to a valid court order or binding request from a Dutch or EU authority, or to protect the rights, safety, or security of our users or the public.

    6. Data Retention

    We retain your data only as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods:

    Account data: Retained while your account is active, then for 3 years after account deletion (to handle any outstanding claims or disputes).

    Booking history and payment records: 7 years after the transaction (required by Dutch fiscal retention obligation under Article 52 AWR).

    Reviews: May be anonymised rather than deleted if you close your account. Anonymised reviews are no longer personal data.

    Verification documents: Deleted within 30 days of successful verification.

    Messages: Retained for 2 years after the message is sent (for safety and dispute resolution).

    Support communications: Retained for 2 years after resolution.

    Automatically collected data (logs, analytics): Retained for a maximum of 26 months.

    When data is no longer needed, it is securely deleted or anonymised so it can no longer identify you.

    7. Your Rights (GDPR)

    As a user in the EU, you have the following rights under the GDPR:

    Right of access — request a copy of the personal data we hold about you.

    Right to rectification — request correction of inaccurate or incomplete data.

    Right to erasure — request deletion of your data, subject to legal retention obligations.

    Right to restriction — request that we limit how we use your data in certain circumstances.

    Right to data portability — request your data in a structured, commonly used, machine-readable format.

    Right to object — object to processing based on legitimate interests, including profiling and direct marketing.

    Right to withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

    To exercise any of these rights, email hello@thedinnerclub.eu. We will acknowledge your request within 5 business days and respond fully within 30 days. If your request is complex, we may extend this by a further 60 days and will inform you of the extension.

    You also have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl — Phone: +31 (0)70 888 8500.

    8. Cookies and Tracking

    We currently use only strictly necessary cookies for login, authentication, and core platform functionality. These cookies are required for The Dinner Club to work and cannot be disabled.

    If we introduce analytics or marketing cookies in the future, they will be opt-in only and we will update this policy accordingly.

    You can manage your cookie preferences through your browser settings.

    9. Data Security

    We protect your data with:

    Encryption in transit (TLS/HTTPS) and at rest.

    Role-based access controls, ensuring only authorised personnel can access personal data.

    Regular security reviews and vulnerability assessments.

    Secure hosting through Supabase, which maintains SOC 2 Type II compliance.

    Incident response procedures to detect, report, and address data breaches in accordance with GDPR Article 33 (notification to the Autoriteit Persoonsgegevens within 72 hours where required) and Article 34 (notification to affected users where the breach poses a high risk).

    We encourage you to use a strong, unique password. If you suspect unauthorised access to your account, contact us immediately at hello@thedinnerclub.eu.

    10. International Data Transfers

    Your data is primarily stored within the European Union (Supabase's EU region).

    Some of our service providers process data in the United States. When personal data is transferred outside the EU/EEA, it is protected by one or more of the following safeguards:

    EU-US Data Privacy Framework (DPF): Stripe is certified under the EU-US Data Privacy Framework, which was granted an adequacy decision by the European Commission in July 2023.

    Standard Contractual Clauses (SCCs): Where a provider is not covered by an adequacy decision or the DPF, we rely on Standard Contractual Clauses approved by the European Commission.

    Adequacy decisions: For transfers to countries the European Commission has determined provide an adequate level of data protection.

    You may request a copy of the relevant transfer safeguards by contacting hello@thedinnerclub.eu.

    11. Children's Privacy

    The Dinner Club is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact hello@thedinnerclub.eu.

    12. Automated Decision-Making

    We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as described in Article 22 GDPR. Dinner recommendations are based on general preferences (such as cuisine type) and location. These are personalisation features, not automated decisions with legal effect.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. For material changes — such as new categories of data collection, new service providers, or changes to your rights — we will notify you at least 14 days in advance by email or through a notice on our platform, and clearly indicate what has changed.

    Minor corrections or clarifications (such as fixing a typo or updating a cookie name) may be made without advance notice. The "Last updated" date at the top of this page always reflects the most recent version.

    14. Contact Us

    For any privacy-related questions, data requests, or concerns:

    The Dinner Club, Amsterdam, the Netherlands. KvK number: 95477233.

    General and privacy inquiries: hello@thedinnerclub.eu.

    We will acknowledge your request within 5 business days and respond fully within 30 days.