Legal
Privacy Policy
Last updated: 23 February 2026
Introduction
SculptClub ("we", "us", "our"), located at Egelantiersgracht 424, 1015 RR Amsterdam, is responsible for the processing of personal data as described in this privacy policy. We respect your privacy and process personal data in accordance with the General Data Protection Regulation (GDPR). This policy explains what data we collect, why, how we use it and what rights you have.
1. What Data Do We Collect?
1.1 Contact Information
Name, email address, phone number — when you make a booking, contact us or sign up for our services.
1.2 Booking Data
Date, time and type of booked sessions, cancellation history and preferences — via our booking system (Acuity Scheduling).
1.3 Payment Data
Transaction information and payment confirmations. We do not store credit card or bank details. Payments are processed by our payment processor (Stripe). iDEAL payments are processed via Apple Pay.
1.4 Website Usage
IP address, browser type, pages visited, referring websites and session duration — via cookies and analytics tools. See our Cookie Policy for more information.
1.5 Communication
Content of messages you send us via email, WhatsApp or contact forms.
2. How Do We Use Your Data?
We process your data for the following purposes:
- Service delivery: processing bookings, sending confirmations and door codes, and delivering our services.
- Communication: answering questions and sending relevant information about your bookings.
- Improvement: analysing website usage to improve our services and user experience.
- Marketing: sending promotional messages, only with your explicit consent. You can unsubscribe at any time.
- Legal obligations: complying with tax and administrative requirements.
- Security: ensuring the safety of our studio and visitors.
3. Legal Basis for Processing
- Performance of a contract: for processing bookings and delivering services.
- Legitimate interest: for improving our services and ensuring security.
- Consent: for sending marketing messages and placing analytical cookies.
- Legal obligation: for complying with tax and administrative requirements.
4. Sharing with Third Parties
We only share your data with service providers necessary for our business operations:
- Acuity Scheduling: booking management (US, EU standard contractual clauses).
- Stripe: payment processing (PCI DSS compliant).
- Google Analytics 4: website analytics (anonymised data).
- Meta (Facebook): advertising effectiveness (via Pixel, anonymised).
- Microsoft Clarity: session recordings and heatmaps (anonymised, no personal data captured).
- Hosting providers: for hosting our website (Vercel).
We never sell your personal data to third parties. All service providers are contractually obligated to protect your data.
5. Cookies
Our website uses cookies. For detailed information about which cookies we use and how you can manage them, please refer to our Cookie Policy.
6. Your Rights
Under the GDPR, you have the following rights:
- Right of access: you can request which data we process about you.
- Right to rectification: you can have incorrect data corrected.
- Right to erasure:you can request deletion of your data ("right to be forgotten").
- Right to data portability: you can request to receive your data in a structured, commonly used format.
- Right to restriction: you can request restriction of the processing of your data.
- Right to object: you can object to the processing of your data.
- Right to withdraw consent: if processing is based on consent, you can withdraw it at any time.
To exercise your rights, contact us at contact@sculptclub.nl. We will respond to your request within 30 days.
7. Data Retention
- Booking data: 2 years after last booking.
- Financial records: 7 years (legal obligation).
- Marketing preferences: until withdrawal of consent.
- Website analytics data: 26 months (Google Analytics default).
- CCTV footage: maximum 4 weeks.
8. CCTV
CCTV may be present in the common areas of the building. This is necessary for the security of the premises and the safety of our visitors. There are no cameras in the training room. Footage is retained for a maximum of 4 weeks and is only accessible to authorised personnel. The legal basis for this is our legitimate interest (security).
9. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. This includes SSL encryption, secure servers and restricted access to data.
10. Complaints
If you have a complaint about how we process your personal data, please contact us first. If we cannot resolve the issue together, you have the right to file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
11. Contact
For questions about this privacy policy or to exercise your rights: