Privacy Policy

Last updated: April 2026

1. Who We Are

Flushiest is a toilet finder and booking platform operated by Bona Agency. We are the data controller responsible for your personal data collected through flushiest.com and related services.

Bona Agency

Amsterdam, Netherlands

Contact: privacy@flushiest.com

2. What Data We Collect

We collect the following categories of personal data:

Account Data

  • Email address
  • Password (stored in encrypted form by Supabase — we never see your plain-text password)
  • Profile information you choose to provide

Transaction Data

  • Ticket purchase history and ticket type
  • Amount paid per transaction
  • Stripe payment session identifiers (we do not store card numbers — these are handled entirely by Stripe)
  • QR code identifiers associated with your tickets

Location Data

  • Your approximate location when you use the explore map, if you grant permission (used only to centre the map — not stored)
  • The latitude and longitude of map searches (stored anonymously in our search events log to improve the service)

Host Data (if you list a toilet)

  • Toilet address and location coordinates
  • Pricing information
  • Photos you upload
  • Availability settings

Usage Data

  • Pages visited and actions taken within the platform
  • Device type and browser information
  • IP address

3. Legal Bases for Processing

Under GDPR, we rely on the following legal bases:

  • Contract performance (Article 6(1)(b)) — processing your account data and transaction data is necessary to provide you with the Flushiest service, including issuing tickets and processing payments.
  • Legitimate interests (Article 6(1)(f)) — we process anonymised search event data to understand where demand exists and improve the platform. We have balanced this against your privacy interests and concluded it does not override them.
  • Consent (Article 6(1)(a)) — we request your consent before accessing your device's location. You may withdraw this at any time through your browser or device settings.
  • Legal obligation (Article 6(1)(c)) — we may retain certain transaction records as required by Dutch tax and financial regulations.

4. How We Use Your Data

  • To create and manage your account
  • To process ticket purchases and issue QR codes
  • To send transactional emails (ticket confirmations, account verification, password resets)
  • To display the map and show nearby toilets
  • To enable hosts to manage their listings
  • To handle reviews and community ratings
  • To detect and prevent fraud or abuse
  • To improve the platform based on anonymised usage patterns
  • To comply with legal obligations

5. Third-Party Services

We use the following third-party processors. Each is bound by a data processing agreement and their own privacy policies:

Supabase

Authentication and database hosting. Your account data and transaction records are stored on Supabase infrastructure.

supabase.com/privacy

Stripe

Payment processing. Stripe handles all card data directly — we never receive or store your payment card details.

stripe.com/privacy

Mapbox

Map rendering and geolocation services. When you use the explore map, tile requests are sent to Mapbox servers.

mapbox.com/legal/privacy

We do not sell your personal data to any third party. We do not use your data for advertising purposes.

6. How Long We Keep Your Data

  • Account data — retained for as long as your account is active. Upon deletion we remove your personal data within 30 days.
  • Transaction records — retained for 7 years as required by Dutch tax law (Belastingdienst).
  • Ticket data — retained for 12 months after the ticket expires or is used.
  • Anonymised search events — retained indefinitely as they contain no personal data.
  • Location data — not stored beyond the current browser session.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access (Article 15) — you may request a copy of all personal data we hold about you.
  • Right to rectification (Article 16) — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure (Article 17) — you may request deletion of your personal data where we have no legal obligation to retain it.
  • Right to restriction (Article 18) — you may ask us to restrict processing of your data in certain circumstances.
  • Right to data portability (Article 20) — you may request your data in a structured, machine-readable format.
  • Right to object (Article 21) — you may object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent (e.g. location), you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@flushiest.com. We will respond within 30 days. We may need to verify your identity before processing your request.

8. Right to Lodge a Complaint

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Dutch data protection authority:

Autoriteit Persoonsgegevens (AP)

autoriteitpersoonsgegevens.nl

9. Cookies

We use the following cookies:

  • Authentication cookies — set by Supabase to keep you logged in. These are strictly necessary and cannot be disabled without breaking the service.
  • Analytics cookies — we use Google Analytics 4 to understand how visitors use the platform. This data is anonymised. You may opt out via your browser settings or a GA4 opt-out extension.

We do not use advertising or tracking cookies.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted data storage via Supabase, HTTPS for all data in transit, and access controls limiting who can access your data internally. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay.

11. International Data Transfers

Some of our third-party processors (Supabase, Stripe, Mapbox) may process data outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission — to protect your data in accordance with GDPR requirements.

12. Changes to This Policy

We may update this policy from time to time. When we make material changes we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or to exercise your rights, contact us at:

Flushiest Privacy

privacy@flushiest.com