Privacy Policy
Last updated: July 14, 2025
1. Who we are
The Dutch Directory ("we", "us", "our") is operated by Dutch Fluency, based in the Netherlands. We run an independent, editorially-driven directory of Dutch learning options at thedutchdirectory.com.
Contact: [email protected]
2. What data we collect
We collect as little as possible, and only for clear purposes:
2.1 Newsletter subscribers
When you subscribe to our weekly Dutch learning brief, we collect:
- Your email address
- The page where you signed up (source)
- A subscription token (for unsubscribe links)
We use Resend (resend.com) to send welcome and weekly emails. Your email is stored in our database (PostgreSQL, hosted on our own server in Germany at Hetzner). We never share, sell, or rent your email address.
2.2 First-party analytics
To understand how people use the directory and improve it, we collect:
- Pages viewed (path + query string)
- Referring website (if you clicked a link to reach us)
- UTM campaign parameters (if present in the URL)
- Country-level location (from Cloudflare; city-level location is never stored)
- Device type (mobile or desktop)
- Browser user-agent string
- A session identifier stored in your browser's sessionStorage (deleted when you close the tab)
We do not use cookies for analytics. The session identifier is stored in sessionStorage (not a cookie), and it disappears when you close your browser tab. We do not fingerprint your device. We do not track you across websites. We do not use Google Analytics, Facebook Pixel, or any third-party ad tracking services.
2.3 Ask AI queries
When you use the "Ask our AI" feature, your query is sent to Google Discovery Engine. We do not store your queries or associate them with any identifier. See Google's privacy policy for how they handle those requests.
2.4 What we do NOT collect
- Your name (unless you email us)
- Your IP address (not stored in any database)
- Precise location or GPS data
- Payment information (we do not process payments on this site)
- Cookies for tracking or advertising purposes
3. Legal basis for processing (GDPR)
For EU/EEA users, we process your data under these lawful bases:
- Consent (Article 6.1.a): Newsletter subscription and analytics. You give clear consent when you enter your email and click "Subscribe", and when you accept analytics in our cookie banner.
- Legitimate interest (Article 6.1.f): Essential server logs for security and debugging (automatically deleted after 14 days). We also rely on legitimate interest for basic security measures like rate limiting.
4. Where your data lives
- Database: PostgreSQL on our own dedicated server at Hetzner (Nuremberg, Germany). We do not use managed cloud databases for personal data.
- Email delivery: Resend (resend.com), a US-based service with EU data processing agreements. Your email and subscription token are passed to Resend only to send you the emails you subscribed to.
- CDN: BunnyCDN for static assets (images, CSS). No personal data is served via CDN.
5. How long we keep your data
- Newsletter email: Until you unsubscribe. When you unsubscribe, your email is marked as inactive and retained for 30 days (to prevent accidental re-subscription), then deleted.
- Analytics events (dd_events): Retained for 26 months, then deleted on a rolling basis. SessionStorage identifiers are deleted when you close your browser tab.
- Server access logs: Retained for 14 days, then automatically rotated.
6. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure: Ask us to delete your data ("right to be forgotten").
- Restriction: Ask us to limit how we process your data.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw consent at any time (unsubscribe from newsletter, clear analytics consent).
To exercise any of these rights, email [email protected]. We respond within 30 days. For more details, see our GDPR Rights page.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
7. Children's privacy
The Dutch Directory is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us.
8. Security
We take security seriously. Our server runs fail2ban, automatic security updates, and rate limiting. All traffic is encrypted via HTTPS (TLS 1.3). We use security headers including Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security. Our database is not exposed to the public internet.
9. Changes to this policy
We may update this policy. Material changes will be announced via a notice on the website. The "last updated" date at the top reflects the latest version.