Privacy statement
We respect your privacy. This page explains which personal data we process, why we process it, and the rights you have under the General Data Protection Regulation (GDPR).
Last updated · May 19, 2026
1. Who we are
The data controller is Legame Studio, Chamber of Commerce [KvK Number], registered at [Street], [Postal code] [City], Netherlands.
For all privacy questions: privacy@legame.nl.
2. What data we process and why
2.1 Visitors to legame.nl
| Data | Purpose | Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| IP address (truncated) | Security, bot protection | Legitimate interest | 14 days |
| Cookies (see §6) | Functionality, preferences | Consent / necessary | Per cookie |
| Error reports (Sentry) | Detecting and fixing bugs | Legitimate interest | 90 days |
2.2 Account holders (our customers — restaurant operators)
| Data | Purpose | Basis | Retention |
|---|---|---|---|
| Name, email (sign-in via Clerk) | Account, contract execution | Contract | Contract duration + 7 years (tax obligation) |
| Phone number | Contact, support | Legitimate interest | Contract duration + 7 years |
| Business details (trading name, KvK, VAT, address) | Invoicing | Legal obligation (VAT) | 7 years |
| Password (hash) or OAuth token | Authentication via Clerk | Contract | Until account deletion |
| Domain name + DNS records | Delivery of custom domain (SSL included) | Contract | Until account deletion |
| Your site content (photos, menu, copy, hours, location photo) | Service delivery | Contract | Until account deletion + 30 days backup |
| Support conversations with legame | Support, dispute resolution | Contract + legitimate interest | 3 years |
| Payment data (invoice data, last 4 digits, expiry — full card number NEVER stored with us) | Invoicing | Contract + tax obligation | 7 years (invoices) |
| Login logs, error reports (Sentry) | Security, debugging | Legitimate interest | 90 days |
| Visitor analytics for your site (Standard+, Premium) | Delivery of the analytics feature | Contract | 25 months, then aggregated |
2.3 Guests of customer sites — we act as processor
When a visitor (guest) of a legame-hosted restaurant site makes a reservation, fills in a contact form, or sends a message, we process that data as processor (GDPR Art. 28) on behalf of our customer (the restaurant operator).
| Data a guest leaves | Controller | Basis toward the guest |
|---|---|---|
| Name, email, phone, date, party size (reservation) | The customer (restaurant) | Consent + contract execution (the guest requests the table) |
| Message content (free text) | The customer (restaurant) | Consent |
| IP address on submit (anti-spam) | Legame (legitimate interest) | Security |
Our customers set out their own responsibilities in their own privacy statement on their site. We provide a template for that (see /help).
A Data Processing Agreement (DPA) is automatically part of our Terms of Service. A separate signed copy is available on request.
3. Recipients of your data (sub-processors)
We share data with carefully selected sub-processors. The current list is on /sub-processors. At the time of writing:
| Sub-processor | Function | Location | Transfer safeguard |
|---|---|---|---|
| Clerk Inc. | Authentication, user management | USA | SCCs (2021/914), DPA |
| Vercel Inc. | Hosting, edge functions, deployment | USA / EU edge | SCCs, DPA |
| Resend Inc. | Transactional email (verification, reservation confirmation, support replies) | USA / EU | SCCs, DPA |
| Cloudflare Inc. | CDN, R2 storage (photos, ZIP exports), Turnstile bot protection | USA / global | SCCs, DPA |
| Functional Software Inc. (Sentry) | Error reporting, performance monitoring | USA / EU | SCCs, DPA |
| Spline Inc. | 3D asset CDN (no personal data, scene files only) | USA | Public hosting, no personal data |
Payment processing: {TBD: Mollie B.V. or Stripe Inc.} — subscription payments. DPA with the provider; with Stripe also SCCs because of US incorporation.
Visitor statistics: {TBD: Plausible Analytics, Vercel Analytics, or in-house} — statistics for legame.nl and customer sites (Standard+, Premium). DPA + SCCs where applicable.
Transfers outside the EEA take place exclusively under Standard Contractual Clauses (Module 2 or 3) or an adequacy decision (where applicable).
4. Your rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15);
- Rectification when data is incorrect (Art. 16);
- Erasure (Art. 17 — “right to be forgotten”);
- Restriction of processing (Art. 18);
- Portability — a copy in a structured format (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent when processing relies on it;
- Lodge a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl.
To exercise your rights: email privacy@legame.nl. We respond within four weeks (Art. 12(3) GDPR).
5. Security
We protect your data with, among other measures:
- TLS 1.3 for all traffic (HSTS enforced);
- Content Security Policy (frame-ancestors 'none', strict CSP);
- Encrypted-at-rest storage for all customer content (Cloudflare R2 AES-256);
- Limited access to production systems, with multi-factor authentication.
7. Changes
We may update this statement. For material changes we notify account holders by email and place a banner on legame.nl.