Data Processing Agreement

Version 1.0 — 10 May 2026

Parties

Controller: the merchant who has an active account on checkout.bookto.eu (hereafter “Merchant” or “Controller”).

Processor: ianka fleerackers Comm. V., a Belgian limited partnership (commanditaire vennootschap), registered offices at Nieuwstraat 84, 2880 Bornem, Belgium, enterprise / VAT number BE 0824.677.865 (hereafter “bookto checkout”, “Processor”, “we”, or “us”).

By activating an account on checkout.bookto.eu, the Merchant accepts these processing conditions. The person accepting is deemed authorised to do so on behalf of the Merchant.

1. Definitions

2. Scope and duration

2.1. These conditions apply to all Merchant Personal Data processed by bookto checkout in connection with the Services.

2.2. These conditions remain in force until all Merchant Personal Data has been deleted or returned as described in section 11. They expire automatically at that point.

3. Processing of Personal Data

3.1. The Merchant determines which products are sold and which Personal Data is collected from end customers through the checkout. The Merchant is the Controller for this data.

3.2. bookto checkout processes Merchant Personal Data solely for the purpose of providing, maintaining, and improving the Services. We process this data only on behalf of the Merchant and in accordance with the Merchant’s documented instructions, unless otherwise required by applicable law.

3.3. bookto checkout will comply with all applicable data protection laws when processing Merchant Personal Data.

3.4. bookto checkout will promptly inform the Merchant if, in our opinion, an instruction from the Merchant relating to the processing of Merchant Personal Data breaches the GDPR or other applicable data protection law, unless prohibited by law from doing so.

3.5. Categories of Personal Data processed

bookto checkout processes the following categories of Merchant Personal Data on behalf of the Merchant:

bookto checkout does not process payment instrument data (card numbers, CVC codes, bank account numbers). These are handled directly by Mollie and never reach our servers.

3.6. Categories of Data Subjects

4. Security measures and confidentiality

4.1. bookto checkout implements and maintains appropriate technical and organisational measures to protect Merchant Personal Data, including:

4.2. All persons authorised to process Merchant Personal Data are bound by confidentiality obligations or have a legal obligation of confidentiality.

4.3. Only persons who need access to Merchant Personal Data to provide and maintain the Services are granted access, and only to the extent necessary.

4.4. bookto checkout is not responsible for Personal Data collected by or through the Merchant outside the Services, nor for Personal Data collected by third-party tools or plug-ins used by the Merchant independently.

5. Sub-processors

5.1. The Merchant grants bookto checkout general written authorisation to engage Sub-processors listed in the table below. bookto checkout will inform the Merchant of any intended changes to this list (additions or replacements) at least 14 days in advance via email. The Merchant may object in writing within that period. If the objection cannot be reasonably resolved, either party may terminate the Services.

5.2. bookto checkout ensures that each Sub-processor is bound by data protection obligations no less protective than those in this agreement, in accordance with article 28(4) of the GDPR.

5.3. bookto checkout remains responsible for the acts and omissions of its Sub-processors.

Current Sub-processors

Sub-processor | Purpose | Location | Transfer safeguards
Supabase Inc. | Database, authentication, data storage | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses
Mollie B.V. | Payment processing | Netherlands (EU) | None required
Vercel Inc. | Application hosting | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses; EU-US Data Privacy Framework
Resend Inc. | Transactional email (order confirmations) | United States | Standard Contractual Clauses; EU-US Data Privacy Framework
Kit (ConvertKit Inc.) | Post-payment email automations (when activated by Merchant) | United States | Standard Contractual Clauses; EU-US Data Privacy Framework
Onfact | Invoice generation (when activated by Merchant) | Belgium (EU) | None required
GitHub Inc. | Automated database backups (buyer PII excluded) | United States | Standard Contractual Clauses; EU-US Data Privacy Framework

6. International transfers

6.1. Where possible, Merchant Personal Data is stored within the European Economic Area. Supabase and Vercel store data in EU regions (Frankfurt) by default. Mollie and Onfact are based in the EU.

6.2. For Sub-processors with US-based parent entities (Supabase, Vercel, Resend, Kit, GitHub), operational routing may involve the United States. We rely on Standard Contractual Clauses (article 46 GDPR) and, where the provider is certified, the EU-US Data Privacy Framework.

6.3. We monitor the status of the EU-US Data Privacy Framework. If it is invalidated or replaced, we continue to rely on Standard Contractual Clauses.

6.4. The Merchant may request a copy of the specific safeguards in place by contacting legal@bookto.eu.

7. Rights of Data Subjects

7.1. bookto checkout will assist the Merchant in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

7.2. If a Data Subject contacts bookto checkout directly regarding Merchant Personal Data, we will direct them to the Merchant without undue delay and inform the Merchant of the request.

7.3. Upon request, bookto checkout will enable the Merchant to access, export, correct, or delete Merchant Personal Data stored in the platform.

8. Data Breach notification

8.1. In the event of a Data Breach affecting Merchant Personal Data, bookto checkout will notify the Merchant without undue delay and no later than 48 hours after becoming aware of the breach.

8.2. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

8.3. bookto checkout will take immediate measures to contain the breach and mitigate any adverse effects.

8.4. bookto checkout will assist the Merchant in complying with its obligations to report the breach to a supervisory authority (article 33 GDPR) and to notify Data Subjects (article 34 GDPR), where applicable.

9. Data Protection Impact Assessments

9.1. bookto checkout will assist the Merchant in carrying out data protection impact assessments and prior consultations with supervisory authorities, to the extent required under articles 35 and 36 of the GDPR, in relation to the processing performed under this agreement.

10. Records of processing activities

10.1. bookto checkout maintains a register of processing activities carried out on behalf of the Merchant, in accordance with article 30(2) of the GDPR.

10.2. This register will be made available to the Merchant upon written request.

11. Deletion or return of Personal Data

11.1. Upon termination of the Services, or at an earlier time upon written request from the Merchant, bookto checkout will delete all Merchant Personal Data, including existing copies, within 30 days, unless retention is required by applicable law.

11.2. Where Belgian accounting or tax law (articles III.86 and following of the Belgian Code of Economic Law) requires retention of invoicing or transaction records, those records will be retained for 7 years from the transaction date. This retention is limited to names, billing addresses, VAT numbers, transaction amounts, and transaction references.

11.3. Upon written request, bookto checkout will confirm deletion in writing.

12. Audit

12.1. The Merchant, or a qualified third party acting under instruction of the Merchant, has the right to audit bookto checkout’s compliance with this agreement and applicable data protection law, at the Merchant’s expense. The Merchant will provide at least 30 days’ written notice.

12.2. bookto checkout may satisfy audit requests by providing relevant documentation, certifications, or reports, in lieu of on-site access, where this is sufficient to demonstrate compliance.

12.3. Audits will be conducted during normal business hours, in a manner that minimises disruption, and will not exceed once per calendar year unless required by a supervisory authority.

13. Liability

13.1. Each party is liable for damage caused by processing that infringes the GDPR, in accordance with article 82 of the GDPR.

13.2. bookto checkout’s aggregate liability under this agreement — excluding liability that cannot be limited under applicable law — is limited to the fees paid by the Merchant in the 12 months preceding the event giving rise to the claim.

13.3. bookto checkout is not liable for damage caused by processing that occurs outside the Services, or by third-party tools or plug-ins used by the Merchant independently.

14. Governing law and disputes

14.1. This agreement and its interpretation are governed exclusively by Belgian law.

14.2. Any dispute arising from or in connection with this agreement will be submitted to the courts of Mechelen, Belgium, unless the parties agree otherwise in writing.

15. Amendments and severability

15.1. bookto checkout may update these conditions from time to time. Material changes will be communicated to the Merchant at least 30 days in advance via email. Continued use of the Services after the notice period constitutes acceptance.

15.2. Should any provision of this agreement be deemed invalid or unenforceable, the remaining provisions remain in full force. The invalid provision will be amended to the minimum extent necessary to make it valid and enforceable while preserving the intent of the parties.

16. Contact

For any question about this agreement, contact us at legal@bookto.eu in English or Dutch.

ianka fleerackers Comm. V. · Nieuwstraat 84, 2880 Bornem, Belgium · VAT BE 0824.677.865