What we collect, why, and how to ask us to forget.

Toy Swap Amsterdam is a small side-project operated by Gokberk Sahin, based in Amsterdam, the Netherlands. Gokberk is the data controller for the personal data described below. Toy Swap Amsterdam isn't yet a registered business; once it is, this page will list the KvK details and postal address here.

For anything privacy-related, write to hello@toyswapamsterdam.com.

When you join the waitlist or add a toy, we store:

• Your email address
• Your neighborhood in Amsterdam
• Your child's age range
• What you're looking for (only if you tell us)
• How you found us (e.g. a referral source, if known)
• The time you gave consent, and whether your email is verified
• An approximate city and country derived from your IP address at signup (stored in ip_city and ip_country) for abuse prevention and rough geographic stats — we never store the raw IP itself
• If you choose to add a toy: title, description, category, age range, condition, and an optional photo (stored in a private bucket, never publicly visible)
• Basic analytics events (page views, form submissions, button clicks) via PostHog. Server-side events use an internal subscriber ID, never your raw email

Under GDPR, we have to tell you the legal reason we're allowed to handle each bit of your data. Ours are:

• Running the waitlist itself — pre-contractual steps at your request (GDPR art. 6(1)(b)). You asked to be on the list; we hold what we need to put you on it, email you about your match, and keep you posted on Toy Swap Amsterdam updates while you're on the list. Unsubscribe any time.
• Analytics via PostHog — your consent (GDPR art. 6(1)(a) and the ePrivacy / Dutch Telecommunicatiewet rules on cookies and similar tracking).
• Security, fraud and abuse prevention — our legitimate interest in keeping the service safe (GDPR art. 6(1)(f)). This covers the approximate-location fields, magic-link token records, and basic rate-limiting.

• Waitlist record: while you're on the list, and up to 12 months after your last activity (opening an email, clicking a magic link, or visiting). After that we delete it or anonymize it for aggregate stats.
• Toy submissions and photos: kept while your waitlist record is active. If you ask us to delete your account, your toy rows and photos go with it.
• Magic-link tokens: expire after 14 days; expired rows are cleared periodically.
• Analytics events in PostHog: kept in identifiable form for up to 12 months, after which they're anonymized or dropped.
• Email delivery logs: retained by Resend under their own retention windows (typically a few days for message content, longer for metadata). See resend.com/legal/privacy-policy.

We don't sell your data. We do use a few trusted services to run the site. Each of them acts as a processor on our behalf, under a data-processing agreement:

• Supabase (database + private file storage) — hosted in the EU region. Stores your waitlist record, toy submissions, and uploaded photos.
• Resend (transactional email) — sends your welcome email and magic-link emails. Resend is US-based and certified under the EU–US Data Privacy Framework; transfers also rely on Standard Contractual Clauses (SCCs).
• PostHog (product analytics) — we use PostHog EU Cloud, hosted in the EU. PostHog Inc. is a US company, so any incidental support access is covered by Standard Contractual Clauses (SCCs).
• Vercel (web hosting / CDN) — handles requests to the site. Vercel may process technical data (IP, user-agent) transiently to serve pages and block abuse.

Your data is stored in the EU wherever we can manage it (Supabase EU, PostHog EU Cloud). Some processors above are US-headquartered. Where data crosses to the US, we rely on the European Commission–approved Standard Contractual Clauses (SCCs), plus the EU–US Data Privacy Framework where the processor is certified. We don't transfer your data outside the EEA for any other purpose.

Under GDPR, you have the right to:

• Access — get a copy of the data we hold about you (art. 15)
• Rectification — fix anything that's wrong (art. 16)
• Erasure — ask us to delete you ("right to be forgotten", art. 17)
• Restriction — ask us to pause processing while we sort something out (art. 18)
• Portability — get your data in a portable format (art. 20)
• Object — object to processing based on legitimate interest (art. 21)
• Withdraw consent — at any time, for anything we do based on consent (art. 7(3)). Withdrawing doesn't affect anything we did before

To exercise any of these, email us (see "How to contact us" below). We'll respond within 30 days.

We don't make automated decisions about you, and we don't profile you. Matches are reviewed by a human before we email you.

We use PostHog (EU Cloud) to count page views and form submissions so we know what's working. Where this involves cookies or similar storage on your device, we only set them with your consent.

Raw email addresses are never sent to PostHog. Server-side events use an internal subscriber UUID as the identifier. Approximate location (city/country) may be inferred from your IP for analytics and abuse prevention.

You can opt out of analytics at any time by clearing cookies for this site or by emailing us to ask.

• Photos of children
• Faces
• Home addresses
• Private documents
• Unsafe or recalled items

Toy uploads are optional. Uploaded photos are stored in a private bucket and are not publicly visible.

• We don't sell your data.
• We don't send your raw email to analytics tools.
• We don't ask for your home address, phone number, or payment info.
• We don't make your toy photos publicly visible.
• We don't make automated decisions or profile you.

Every email we send includes a one-click unsubscribe link in the footer. That stops all Toy Swap emails immediately.

To delete your whole account — waitlist record, toy submissions, and any uploaded photos — email hello@toyswapamsterdam.com with the subject "delete me". We'll confirm once it's done.

Questions, requests, or anything privacy-shaped? Reach us at hello@toyswapamsterdam.com. We're a small team — please give us a few working days.

If you think we've mishandled your data, please tell us first so we can fix it. You also have the right to lodge a complaint with the Dutch data protection authority, Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl.