Thuiskook

How Thuiskook collects, uses, shares and protects your personal data when you use the Platform, and the rights you have over that data under the GDPR.

About this policy

In short

At Thuiskook we are building a community for real home-cooked food, and that starts with respecting the privacy of everyone in it, the Customers who order, the Chefs who cook, and the Delivery Partners who deliver.

This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for using it, who we share it with, how long we keep it, and the rights you have. It forms part of, and should be read together with, the Thuiskook General Terms and Conditions.

If anything here is unclear, email us at hello@thuiskook.com and a real person will help.

Who we are (the data controller)

Unless stated otherwise, the controller responsible for your personal data is Thuiskook B.V., a company registered in the Netherlands with the Chamber of Commerce (KvK).

Controller: Thuiskook B.V.
KvK (CoC) number: [____]
Registered office: [address], [postal code] [city], the Netherlands
Email: hello@thuiskook.com
Website: www.thuiskook.com

Where a Chef or Delivery Partner independently determines how it uses personal data it receives to fulfil an Order, that Chef or Delivery Partner acts as a separate controller for that use and has its own responsibilities under the GDPR. See Section 6 (Sharing).

1. The personal data we process and why
1. Order-related data sharing across the three delivery options
1. Accounts, reviews, support and research
1. Marketing and communications
1. Cookies and similar technologies
1. Who we share personal data with
1. International transfers
1. How long we keep personal data
1. Automated decision-making and profiling
1. Children
1. How we protect personal data
1. Data breaches
1. Your rights
1. Food-safety incidents and the NVWA
1. Changes to this policy
1. How to contact us and complain

1. The personal data we process and why

Whenever you interact with Thuiskook through the Platform, we collect and process personal data. The table below summarises the main purposes, the data involved, and the legal basis under the GDPR. The categories of data we collect depend on whether you are a Customer, a Chef or a Delivery Partner.

Purpose	Personal data we process	Legal basis (GDPR)
Placing and fulfilling Orders	Name; address and delivery details; contact data (phone, email); Order and transaction data; Order notes; payment data (where the Platform processes payment).	Performance of a contract
Chef & Delivery Partner onboarding and verification	Identity document and photo; KvK number; BTW number; bank/payout details; food-safety and hygiene records (Chefs).	Contract; legal obligation; legitimate interest (fraud prevention)
Customer support and complaints	Name; contact data; Order and transaction data; payment data where relevant; the content of your message.	Contract and/or legal obligation
Reviews and ratings	Name (if submitted); contact data; the review content.	Consent
Marketing and notifications	Name; contact data; Order history; device ID; cookie and technology data.	Consent (or legitimate interest where permitted)
Delivery Partner location	Location data during an active Order delivery (see Section 3).	Performance of a contract / legitimate interest
Fraud prevention and platform safety	Name; Order and transaction data; payment data; device and account signals.	Legitimate interest (and legal obligation)
Analysis and service improvement	Aggregated and pseudonymised usage data; reporting data (no individual profiling in reports).	Legitimate interest
Research and campaigns	Name; contact data; Order data (optional); research or campaign input.	Consent

We will only use your personal data for the purposes described in this policy. If we later want to use it for a different purpose, we will inform you and, where the law requires, obtain your consent first.

2. Order-related data sharing across the three delivery options

To fulfil an Order, the Platform shares the minimum personal data needed between the Customer, the Chef and (where applicable) Thuiskook and a Delivery Partner. The legal basis for this sharing is the performance of your Order contract under the GDPR. What is shared depends on the delivery option chosen at checkout:

2.1 Customer Pickup. The Chef’s pickup address and contact details are shared with the Customer, who uses them only to collect that Order.

2.2 Chef Self-Delivery. The Customer’s name, delivery address, contact number and Order notes are shared with the Chef, who uses them only to deliver that Order.

2.3 Thuiskook Delivery. The Customer’s delivery address and contact information are processed by Thuiskook and the relevant Delivery Partner solely to deliver that Order; the Chef does not receive the full delivery address beyond what is needed to hand over the Order.

Each party that receives personal data to fulfil an Order must use it only for that specific Order, must not keep it longer than necessary, must not use it for marketing or any unrelated purpose, and must apply reasonable security measures. Because you order directly from a Chef, the Chef has its own responsibilities as a controller for the data it receives; questions about how a Chef handles your data can be directed to the Chef, or to us and we will help.

3. Accounts, reviews, support and research

Accounts

3.1 You can create an account to order, cook or deliver. The legal basis for creating and maintaining an account is your consent under the GDPR. You can delete your account at any time from within the Platform or by contacting us; deletion may affect your experience of the Platform. We process your name, contact and address data and, for Chefs and Delivery Partners, the onboarding and verification data described in Section 1.

Reviews

3.2 After an Order you may be invited to review the Chef. The legal basis for processing your review is your consent under the GDPR, which you can withdraw at any time by contacting us. We process the name you submit, your contact data and the review content.

Customer support

3.3 When you contact support, we use the data you provide to answer your question or handle your complaint. The legal basis for this processing is the performance of our contract with you and/or compliance with our legal obligations under the GDPR.

Delivery Partner location

3.4 If you are a Delivery Partner, we collect location data during an active Order delivery within your agreed working hours, including where the app runs in the background, so that Customers can be kept informed and deliveries can be coordinated. The legal basis for this processing is the performance of a contract and our legitimate interest in coordinating deliveries under the GDPR. This applies only to Delivery Partners during active deliveries: we do not track the location of Customers or Chefs. Delivery location data is retained only for as long as necessary for these purposes and then deleted.

Research

3.5 We may invite you to take part in voluntary research, such as surveys, to improve our service. The legal basis for this processing is your consent under the GDPR; we send these with your consent where required, and you can opt out at any time.

4. Marketing and communications

4.1 With your consent, or otherwise where permitted by law, we may send you personalised marketing messages and notifications, for example news, discounts, and updates about new Chefs, by email or push notification. The legal basis for this processing is your consent under the GDPR, or our legitimate interest where the law permits marketing without consent. For this we may process your name, contact data, Order history, device ID and cookie and technology data.

4.2 You can change your preferences or unsubscribe at any time using the link in any message, in your account settings, or by contacting us at hello@thuiskook.com. Opting out of marketing does not stop service messages that are necessary to fulfil your Orders.

5. Cookies and similar technologies

5.1 We use cookies and similar technologies for functional, analytical and marketing purposes. The legal basis differs by category: functional cookies are necessary for the Platform to work and rely on our legitimate interest, while analytical and marketing cookies are used only with your consent where the law requires it. The data processed depends on the category of cookie and on the preferences you set.

5.2 You can set and change your cookie preferences through the cookie controls on the Platform. Where Thuiskook publishes a separate Cookie Statement, it provides further detail and forms part of this policy.

6. Who we share personal data with

We share personal data only where necessary for the purposes in this policy, and we require recipients to protect it appropriately. Depending on the situation, recipients may include:

the relevant Chef, to prepare and (for Chef Self-Delivery) deliver your Order;
Delivery Partners, to carry out Thuiskook Delivery;
regulated payment and card service providers, to process payments and refunds;
technology, hosting and software providers acting as our processors;
professional advisers, and customer-research providers where you have consented;
law enforcement, regulators or government bodies where required by law, court order, or to establish, exercise or defend legal rights, or to protect the vital interests of any person;
the NVWA, in connection with a food-safety incident or investigation (see Section 14); and
a prospective buyer or successor entity in connection with a sale, merger or restructuring of Thuiskook’s business or assets. Processors act on our documented instructions under a data-processing agreement. Chefs and Delivery Partners that decide for themselves how to use Order data they receive act as separate controllers for that use.

7. International transfers

7.1 We aim to keep personal data within the European Economic Area (EEA). Where personal data is transferred outside the EEA, for example to a service provider, we rely on an European Commission adequacy decision where one exists, or otherwise on appropriate safeguards such as the European Commission’s standard contractual clauses, together with any additional measures required. Further detail is available on request.

8. How long we keep personal data

8.1 We keep personal data only for as long as necessary for the purposes we collected it for, including to meet legal, tax, accounting or reporting obligations and to establish or defend legal claims. To decide how long that is, we consider the amount, nature and sensitivity of the data, the potential risk of harm, the purpose, whether we can achieve it another way, and applicable legal requirements.

8.2 Delivery Partner location data collected for an active delivery is kept only for as long as necessary for the purposes in Section 3 and is then deleted. Where we no longer need data in an identifiable form, we may anonymise it and use the anonymised information without further notice.

9. Automated decision-making and profiling

9.1 To operate and improve the Platform, we use some automated processing and profiling, for example, using your address or location to show Chefs available in your area, and automated checks to help prevent fraud, money laundering and other offences. The legal basis for this processing is the performance of our contract with you, our legitimate interest in operating and improving the Platform, and compliance with our legal obligations under the GDPR.

9.2 If an automated decision produces a negative effect for you and you disagree with it, you can contact us and ask us to reassess it, and you have the rights described in Section 13.

10. Children

10.1 The Platform is not intended for, and we do not knowingly collect personal data from, anyone under 16. We cannot always verify age, so we encourage parents and guardians to supervise children’s online activity. If you believe we have collected a child’s data without the necessary consent, contact us and we will delete it.

11. How we protect personal data

11.1 We take personal-data protection seriously and apply appropriate technical and organisational measures to guard against misuse, loss, unauthorised access, unwanted disclosure and unauthorised alteration. We require Chefs, Delivery Partners and our processors to apply reasonable security measures to the data they handle. If you believe your data is not adequately protected, or you suspect misuse, please contact us.

12. Data breaches

12.1 If a personal-data breach occurs, we will assess it and, where required by law, notify the Dutch supervisory authority (Autoriteit Persoonsgegevens) and any affected individuals in accordance with the GDPR. Chefs and Delivery Partners must notify Thuiskook immediately, and in any event within 24 hours, of any actual or suspected breach affecting personal data accessed through the Platform.

13. Your rights

Subject to conditions and exceptions in the GDPR, you have the right to:

access the personal data we hold about you;
have inaccurate data corrected (rectification);
have your data erased in certain circumstances;
restrict, or object to, certain processing;
data portability for data you provided, where applicable;
withdraw consent at any time, without affecting processing already carried out on that basis before withdrawal; and
lodge a complaint with a supervisory authority. 13.1 To exercise any of these rights, contact us at hello@thuiskook.com or through the in-app support function. We will respond within the period required by law. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority); we would appreciate the chance to address your concern first.

14. Food-safety incidents and the NVWA

14.1 Because Thuiskook is a marketplace for home-cooked food, we may need to process and share personal data to handle a suspected food-safety incident or allergic reaction, for example, to investigate a complaint, support the person affected, and where appropriate notify or cooperate with the Netherlands Food and Consumer Product Safety Authority (NVWA). The legal basis for this processing is compliance with our legal obligations and the protection of the vital interests of the people affected under the GDPR. This is in addition to the food-safety reporting duties set out in the Thuiskook General Terms and Conditions.

15. Changes to this policy

15.1 We may update this policy from time to time to reflect legal, technical or business changes. When we do, we will revise the “Last Updated” date and, where the change is significant, take appropriate steps to inform you and, where the law requires, obtain your consent. We encourage you to review this policy periodically.

16. How to contact us and complain

For any question, request or complaint about this policy or your personal data, please contact us:

Thuiskook B.V.

Privacy questions: hello@thuiskook.com
General support: hello@thuiskook.com
Website: www.thuiskook.com
Registered office: [address], [postal code] [city], the Netherlands
KvK no.: [____]
Supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)

A note from us

We would genuinely rather hear from you than not. If something about how we handle your data worries you, or if you have an idea for how we could do it better, tell us at hello@thuiskook.com, we read everything.