Version 1.0 — 21 April 2026
ianka fleerackers Comm. V. (hereafter “we”, “us”, or “our”) is a Belgian limited partnership (commanditaire vennootschap) with registered offices at Nieuwstraat 84, 2880 Bornem, Belgium, and enterprise / VAT number BE 0824.677.865.
We operate checkout.bookto.eu as checkout infrastructure for merchants to sell their own products. Our role under the GDPR differs depending on who you are:
This policy applies to checkout.bookto.eu. We also operate several other websites under the same legal entity (bookto.eu, press.bookto.eu, iankafleerackers.com, ownyourstory.be, istoires.eu, bravenewhuman.com), each with its own privacy policy.
For any question about your personal data, or to exercise the rights described in section 8, contact us at legal@bookto.eu. You may write in English or Dutch; we will respond in the language you used.
This policy applies to all personal data we process through checkout.bookto.eu, whether as controller (merchant accounts) or as processor (end-customer data during checkouts).
It does not cover third-party websites you may reach by following an external link — once you leave, the privacy practices of the destination apply.
If you are an end customer seeking information about how your data is used, please consult the privacy policy of the merchant you purchased from. If you cannot locate it, you may contact us at legal@bookto.eu and we will help connect you with the correct merchant.
When you sign up for a merchant account, we process your email address, a role and approval flag that determine what you can do in the dashboard, and any additional profile informationyou choose to provide. Authentication is handled via magic links — no password is stored. Your account is hosted in our Supabase environment (see section 5).
We also store any product informationyou create — product names, descriptions, prices, and the payment links you generate. Regardless of whether this data formally qualifies as personal data under GDPR (which depends on your legal form as a merchant), we treat it with the same care and under the same protections described in this policy.
If you email us (for example at legal@bookto.eu) about your account or the tool, we receive your email address, your name if included in your signature, and the content of your correspondence. Emails are processed through Microsoft 365 (see section 5).
Through Google Analytics 4 we receive your IP address in pseudonymised form, browser type and version, operating system, the pages you visit, and the approximate region inferred from your IP address. The specific cookies used are listed in our cookie policy.
When an end customer completes a checkout via a merchant using our tool, we store on the merchant’s behalf the customer’s name, email address, billing address (street, postal code, city, country, optional address line 2), and VAT numberif provided — linked to the specific order in our Supabase database (see section 5). The merchant is the data controller for this data; we process it only on their instructions under our DPA.
The payment transaction itself — card details, bank account information, bank authentication — is handled directly by Mollie, our payment processor (see section 5). Neither we nor the merchant see or store the customer’s payment instrument data.We receive only a transaction reference, a status (succeeded, failed, refunded), and the amount — enough to match the payment to the order.
Under the GDPR (article 6), we may only process personal data if we have a valid legal basis.
Managing your merchant account. When you create and use a merchant account, we process your email address, profile information, and tool activity to provide you access to the service. Legal basis: performance of a contractunder article 6(1)(b) GDPR — the contract being your use of the tool under our terms of service.
Processing payments on behalf of merchants. We process end-customer name, email, billing address, VAT number, and payment transaction data as a processoron behalf of the merchant who is selling. The merchant, as controller, relies on article 6(1)(b) GDPR (performance of the sale contract with their customer). Our role is governed by a Data Processing Agreement with each merchant. Payment data (card numbers, CVC, bank credentials) is always handled directly by Mollie — never by us.
Meeting our legal obligations. Belgian accounting and tax law (articles III.86 and following of the Belgian Code of Economic Law) requires us to retain invoicing and transaction records for seven years. For this purpose, we process the data necessary — typically names, billing addresses, VAT numbers, and transaction amounts. Legal basis: compliance with a legal obligation under article 6(1)(c) GDPR. This obligation can override an erasure request for the duration of the retention period (see sections 7 and 8).
Responding to your messages. When you contact us, we process your name, email address, and message content to reply. Legal basis: performance of a contract under article 6(1)(b) GDPR for service-related inquiries, or your consent under article 6(1)(a) GDPR for general correspondence.
Analytics and site improvement. We use Google Analytics 4 to understand how visitors use the site. Legal basis: your consent under article 6(1)(a) GDPR, given (or declined) through the cookie banner.
Marketing and advertising (currently not active). We do not currently operate marketing or advertising pixels from Meta, LinkedIn, TikTok, or any similar platform. If we activate such tools, the legal basis will be your consent under article 6(1)(a) GDPR, requested separately through our cookie banner. This policy will be updated before any such tool is activated.
Keeping the site secure and functioning. Our hosting provider (Vercel) and backend (Supabase) process technical data to keep the tool available and prevent abuse. Legal basis: our legitimate interest in operating secure infrastructure under article 6(1)(f) GDPR.
We do not sell, rent, or trade your personal data. We share it only with service providers who process it on our behalf, bound by a data processing agreement.
| Service provider | Purpose | Data processed | Location | Transfer safeguards |
|---|---|---|---|---|
| Microsoft 365 Microsoft Ireland Operations Ltd. | Email content, name, email address | EU (EU Data Boundary) | Standard Contractual Clauses for limited support from outside the EU | |
| Vercel Inc. | Application hosting | Technical request data | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Supabase Inc. | Database, authentication, data storage | Merchant account data (email, role, profile), product information, order data (name, email, billing address, VAT number, transaction references) | EU region (Frankfurt). US-based parent entity. | Standard Contractual Clauses |
| Mollie B.V. | Payment processing (independent controller for the payment transaction) | Payment details entered directly with Mollie (card number, CVC, bank credentials) — never reach our servers. Transaction reference, status, and amount returned to us. | Netherlands (EU) | None required |
| Resend Inc. | Transactional email (order confirmations, sale notifications) | Buyer name, email address, order details | United States | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Kit (ConvertKit Inc.) | Post-payment email automations (when activated by merchant) | Buyer email address, product tags | United States | Standard Contractual Clauses; EU-US Data Privacy Framework |
| Google Analytics 4 Google Ireland Ltd. / Google LLC | Analytics (active only with consent) | Pseudonymised IP address, browser, operating system, pages visited, approximate region | EU for EU users; technical processing in United States | Standard Contractual Clauses; EU-US Data Privacy Framework; Google Consent Mode v2 |
Public authorities. In exceptional cases we may be required to disclose personal data to public authorities (court order, law enforcement, tax audit). We only do so when legally obliged and limit disclosure to what is strictly required.
Where possible, we keep your personal data within the European Economic Area. Microsoft 365, Vercel EU regions, Supabase EU regions, and Mollie store your data in the EU by default.
For services with US-based parent entities — Vercel, Supabase, Resend, Kit, Google Analytics — operational routing may involve the United States. We rely on Standard Contractual Clauses (article 46 GDPR) signed with each provider, and on the EU-US Data Privacy Framework certification where the provider is certified. We monitor the status of the framework. If it is invalidated or replaced, we continue to rely on Standard Contractual Clauses.
You have the right to request a copy of the specific safeguards we rely on. Contact us at legal@bookto.eu.
Merchant accounts. As long as your account is active, plus 12 months after account deactivation to handle any final billing, support, or legal matters. After that, account data is deleted, except for the parts we are required to keep for accounting (see below).
Order and transaction data. Retained for 7 years under Belgian accounting and tax law (articles III.86 and following of the Belgian Code of Economic Law). This obligation overrides an earlier erasure request for transaction records but is strictly limited to names, billing addresses, VAT numbers, transaction amounts, and transaction references.
Email correspondence. Up to 2 years after our last exchange, after which correspondence is deleted unless it relates to an active or anticipated legal matter.
Analytics data. Google Analytics 4 data is retained for 14 months, after which Google deletes event-level data.
Technical logs. Vercel and Supabase logs are retained for up to 90 days for security, debugging, and abuse prevention.
Legal holds. In case of an actual or anticipated legal dispute, regulatory investigation, or law enforcement request, we may retain otherwise-deletable data as long as strictly necessary. You will be informed if the law permits.
The GDPR gives you strong rights over your personal data. You can exercise any of them free of charge, and we will respond within 30 days. For complex requests we may extend this period by up to two additional months under article 12(3) GDPR; if we do, we will tell you within the first month and explain why.
Right of access (article 15). Ask whether we process data about you and receive a copy with information about purposes, categories, recipients, and retention.
Right to rectification (article 16). Ask us to correct or complete inaccurate or incomplete data.
Right to erasure (article 17).Ask us to delete your personal data. We will do so unless we are required or entitled to keep it — in particular, the 7-year accounting retention described in section 7 will override an erasure request for transaction records for the duration of that period.
Right to restriction of processing (article 18). In certain situations, ask us to pause processing instead of deleting.
Right to data portability (article 20). Receive data you provided, in a structured, commonly used, machine-readable format, or ask us to transmit it to another controller.
Right to object (article 21). Object to processing based on our legitimate interest.
Right to withdraw consent (article 7(3)). Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Right to lodge a complaint (article 77). File a complaint with the Belgian Gegevensbeschermingsautoriteit (see section 9).
Contact us at legal@bookto.eu. We do not ask for a copy of your ID. We confirm your identity proportionately — usually by replying from the email address we have on file for you, or by asking a limited verification question if we have reasonable doubt. We follow the guidance of the European Data Protection Board: identity verification must be proportionate and must not create unnecessary barriers.
Your rights are primarily against the merchant, who is the controller for your data. If you need our help locating the right merchant, contact us at legal@bookto.eu and we will assist.
If we cannot act on your request — for example because we must keep the data under a legal obligation — we will explain why in our response.
If you believe we have not handled your personal data correctly, you have the right to file a complaint with the Belgian data protection authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35, 1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
You also retain the right to seek a judicial remedy before the competent civil court.
We may update this policy from time to time. When we do, we update the version number and date at the top. For changes that affect how we process your data materially, we notify registered merchants in advance and ask for fresh consent where required.
For any question about this policy, contact us at legal@bookto.eu in English or Dutch.
ianka fleerackers Comm. V. · Nieuwstraat 84, 2880 Bornem, Belgium · VAT BE 0824.677.865