Privacy Policy

1. Who we are

RunClubs (runclubs.nl) is a platform for discovering and joining run clubs and community runs in the Netherlands. RunClubs.nl is a trade name (handelsnaam) of Uncode, operated by Rick Bossenbroek.

2. What data we collect

We collect only what we need to run the platform:

• Account data: name, email address, profile photo, and username when you sign up via Clerk (our authentication provider).
• Profile data: city, bio, running experience, preferred distance, and other preferences you choose to add.
• Participation data: which runs and clubs you join, referral codes, and badges earned.
• Payment data: if you subscribe to RunClubs Pro, Mollie (our payment provider) processes your payment details. We store your Mollie customer ID, subscription status, and plan type. We do not store credit card numbers or bank details.
• Newsletter: first name and email address when you subscribe via Brevo.

3. Legal basis for processing

We process your data based on:

• Contract performance (Art. 6(1)(b) GDPR): to provide and maintain your account, process subscriptions, and deliver the platform services.
• Consent (Art. 6(1)(a) GDPR): for optional features like newsletter subscriptions and notification preferences. You can withdraw consent at any time.
• Legitimate interest (Art. 6(1)(f) GDPR): for platform security, fraud prevention, and improving the service based on aggregated usage patterns.

4. Why we collect it

• To create and manage your account.
• To let you discover, join, and organize runs and clubs.
• To show your public runner profile to the community.
• To process Pro subscription payments.
• To send you the newsletter you subscribed to.
• To improve the platform based on aggregated, anonymous usage patterns.

We do not sell your data. We do not use your data for advertising. We do not engage in profiling for automated decision-making.

5. Third-party services (data processors)

We share data with a limited number of trusted services that process data on our behalf. We have data processing agreements (verwerkersovereenkomsten) in place where required.

• Clerk: authentication and session management. Processes your email, name, and profile photo. Based in the US, EU Standard Contractual Clauses apply.
• Supabase: our database, hosted in the EU (Frankfurt). Stores all platform data.
• Vercel: hosting and serverless functions. Based in the US, EU Standard Contractual Clauses apply.
• Mollie: payment processing for Pro subscriptions. Based in the Netherlands. Processes payment details under their own controllership for payment-related obligations.
• Brevo: email newsletter delivery. Based in France (EU).
• Simple Analytics: privacy-friendly, cookieless website analytics. Based in the Netherlands. No personal data is collected or shared.

6. International data transfers

Some of our service providers (Clerk, Vercel) are based in the United States. For these transfers, we rely on EU Standard Contractual Clauses (SCCs) to ensure adequate protection of your data. All other providers are based in the EU/EEA.

7. Cookies

We do not use tracking cookies or advertising cookies. Simple Analytics is fully cookieless. Clerk uses essential session cookies required for authentication. These are strictly necessary and do not require consent under the ePrivacy Directive.

8. How long we store data

We keep your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Anonymous, aggregated data (e.g., run participation counts) may be retained indefinitely.

• Account data: until account deletion + 30 days.
• Payment records: 7 years after the transaction, as required by Dutch tax law (fiscale bewaarplicht).
• Newsletter subscriptions: until you unsubscribe.

9. Data security

We take appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS), access controls, and secure authentication via Clerk. Payment data is handled entirely by Mollie and never touches our servers.

10. Your rights (GDPR / AVG)

Under the GDPR, you have the right to:

• Access: request a copy of your personal data.
• Rectification: correct inaccurate data.
• Erasure: request deletion of your data (“right to be forgotten”).
• Restriction: request restricted processing in certain cases.
• Portability: receive your data in a structured, machine-readable format.
• Object: object to processing based on legitimate interest.
• Withdraw consent: at any time, without affecting prior processing.

To exercise any of these rights, email us at rick@runclubs.nl. We will respond within 30 days as required by law.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

11. Children

RunClubs is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16 without parental consent, we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the platform or email. The “last updated” date at the top reflects the most recent revision.

13. Contact

Questions about your privacy? Reach out at rick@runclubs.nl.