Privacy policy
Last updated: 28 May 2026
1. Introduction — when this policy applies
This privacy policy describes how we handle the personal data of visitors, members and participants of the Clean Language Nederland platform.
It applies when you:
- take part in one of our events (workshops, trainings, conferences, practice groups, tasters, etc.);
- leave your email address via the Save-the-Date form on an event page;
- subscribe to our newsletter, via the form or your profile management page;
- create a profile and optionally make yourself visible on the Community page or as a participant/facilitator on an event page;
- or share information with us in another way (for example via an email or text-message request) that we store or process.
We work from the assumption that you are the owner of your own data. For every field on your profile you decide for yourself whether it is publicly visible — the default is not public. None of these fields are required, and you can clear them at any time.
2. Who we are
The data controller for the data on this platform is:
Pascal Clarkson, trading as Art o’ Craft, Muldersdreef 335, 7328 EH Apeldoorn, KvK: 08118323
For any questions about your personal data, to exercise your rights (see §8), or for complaints:
Email me at privacy@cleanlanguage.nl
Clean Language Nederland is a community initiative; Art o’ Craft manages the technical infrastructure on behalf of the community and carries the legal responsibility for the data processing on this platform.
3. What personal data we process
We only process the data needed for the platform to function and for the services you actively use. We distinguish the following categories:
Authentication
Via Supabase Auth we process:
- your email address
- the one-time magic link or OTP code you use to log in (passwordless)
So we do not store passwords.
Community profile
When you create a profile on the platform we may store the following data, based on what you choose to enter:
- title or job title
- full name
- organisation + organisation URL
- short description (bio)
- phone number
- LinkedIn URL
- extra link + label of your choice
- profile photo (WebP)
- email address (may differ from your login address)
For each item you decide whether it is publicly visible via My profile. The default is not public.
Community role
The role you fulfil in the community: admin, facilitator or participant. This role determines what you can access on the platform.
Event participation
Per event you attend: the role you fulfil there (participant, facilitator, trainer, organiser, volunteer, etc.), whether you want to appear publicly in the participants list of that event (checkbox on My profile), and the moment of signing up, cancelling and your attendance. This participation record (including sign-up/cancel moments and attendance) is retained as part of the historical overview of an event, even if you delete your profile; it disappears when you fully delete your account.
Save-the-Date
If you leave your email address via the Save-the-Date form on an event page, we store your email address plus the reference to that specific event so we can let you know when the event opens for registration, or if there is other useful information to share about the event.
Pending invitations
When an admin invites you to an event by email, or when you sign up for an event via Ticket Tailor before you have an account, we temporarily record your email address, the invited role, and the source of the invitation. This data is linked to your profile the first time you log in.
Files
- profile photos you have uploaded yourself (maximum 2 MB, WebP/PNG/JPEG)
- event images: cover photos for events, uploaded by admins
4. Purpose and legal basis of processing
Per category we use the following legal basis under GDPR art. 6:
| Processing | Purpose | Legal basis |
|---|---|---|
| Authentication | Granting access to the platform | Performance of the contract |
| Community profile | Introducing yourself to the community | Performance / consent |
| Community role | Access to admin or facilitator functions | Performance of the contract |
| Event participation | Tracking who takes part in which event | Performance of the contract |
| Visibility of profile elements | Showing on public pages | Consent |
| Save-the-Date | Keeping you informed about a specific event | Consent |
| Pending invitations | Completing the invitation process | Legitimate interest |
| Newsletter / Kit tags | Topical updates per subject | Consent |
| Security checks (Turnstile, bot detection) | Preventing spam and abuse | Legitimate interest |
You can withdraw your consent at any time by changing a setting, deleting your profile, or contacting us at privacy@cleanlanguage.nl.
5. Retention periods
- Account and profile data: retained as long as your account is active. On the My account page you have two options:
  - Delete my profile — wipes all your personal profile data (name, photo, bio, links) and removes your name from every participants list. Your account and the (non-public) record that you participated in events remain, so you can set up a profile again later.
  - Delete my account — permanently deletes your account and all linked data: your profile, your roles, your event registrations and your Save-the-Date sign-ups. This is irreversible.
- Unconfirmed accounts (expired invitations): if an account has never been confirmed (the magic link in the invitation has never been clicked) and has no profile attached, we delete it automatically 6 months after the last event it was linked to — or, if there is no event link, 6 months after creation. Accounts where only the profile has been deleted but which are confirmed are not included here: in that case you have actively chosen to keep your account.
- Save-the-Date email addresses: retained as long as they are relevant to the event in question (typically until the event has status past). Deleted earlier on request, and automatically deleted when you delete your account.
- Pending invitations: absorbed into your profile the first time you log in. Unaccepted invitations currently remain on file; an expiry term is being worked on.
- Event archive (historical participants lists): retained as part of the historical overview of past events, unless you request individual removal.
On request (via privacy@cleanlanguage.nl) we delete your data within 30 days, unless a statutory retention obligation prevents this.
6. Sharing with third parties
For the platform to function we work with a number of external service providers under their standard processor terms:
Supabase
- Location: Ireland (eu-west-1)
- Role: Database, authentication and file storage for the platform.
- Privacy policy: https://supabase.com/privacy
Data stays within the European Economic Area; no further transfer outside the EEA.
Resend
- Location: United States
- Role: Sending transactional email (magic links, OTP codes, Save-the-Date confirmations, invitations) via Supabase Auth SMTP.
- Privacy policy: https://resend.com/legal/privacy-policy
Transfer to the United States takes place under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Cloudflare
- Location: United States, with edge nodes in the EEA
- Role: Hosting of the platform (Cloudflare Pages), server-side functions (Cloudflare Pages Functions), and bot protection on the login page (Cloudflare Turnstile).
- Privacy policy: https://www.cloudflare.com/privacypolicy/
Transfer to the United States takes place under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Kit (formerly ConvertKit)
- Location: United States
- Role: Managing the newsletter subscriber list and tag system for audience segmentation.
- Privacy policy: https://kit.com/privacy
Transfer to the United States takes place under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Ticket Tailor
- Location: United Kingdom
- Role: Ticket sales for events. On a ticket booking we receive your name, email address and booking data via a webhook, which we link to an event role (or to a pending invitation if you do not yet have an account).
- Privacy policy: https://www.tickettailor.com/privacy/
Transfer to the United Kingdom falls under the European Commission’s adequacy decision for the UK.
Operational service provider without access to personal data
For periodically triggering internal, automated tasks we use cron-job.org (Germany). This service does not process personal data of platform users — only technical requests to our own platform endpoints.
7. Transfers outside the EEA
Some of the providers listed above are based outside the European Economic Area.
For transfers to the United States (Resend, Cloudflare, Kit) we rely on:
- the EU-US Data Privacy Framework (DPF) — the current adequacy regime since July 2023; these parties are DPF-certified; and/or
- Standard Contractual Clauses (SCCs) as an additional legal safeguard.
For transfers to the United Kingdom (Ticket Tailor) we rely on the European Commission’s adequacy decision for the UK.
Supabase and cron-job.org are based within the EEA; no additional safeguards are required there.
8. Your rights as a data subject
Under the GDPR you have the following rights regarding your personal data:
- Right of access — you can request what data we hold about you.
- Right to rectification — incorrect data can be corrected.
- Right to erasure — your data can be erased (the “right to be forgotten”). You can do this yourself via My account: Delete my profile wipes your profile data; Delete my account deletes your account and all linked data in full.
- Right to restriction of processing — for example if you contest the accuracy.
- Right to data portability — receive your data in a structured, commonly used and machine-readable format.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent — for all processing based on consent, at any time.
- Right to lodge a complaint with the Dutch Data Protection Authority.
To make a request, send an email to privacy@cleanlanguage.nl. We will respond within one month.
9. Cookies and local storage
The platform does not use tracking or analytics cookies. We categorise the cookies and local storage into three groups:
Functional (no consent required)
These items are necessary for the platform to work:
- Supabase Auth session in localStorage (keys with prefix sb-) — keeps you logged in after clicking the magic link.
- cl_auth_next_path in localStorage — remembers which page you wanted to reach before logging in, so you arrive there after confirmation.
- cl_build_triggered_at and cl_build_link in sessionStorage (only during a browser tab session) — show a status message while a platform action is being processed and becomes visible on the public part of the site.
- cl_locale_preference in localStorage — remembers your chosen language (NL or EN) so you land in the correct language on your next visit.
- cl_locale_banner_dismissed in localStorage — remembers that you dismissed the “this site is also available in another language” banner, so we don’t show it again.
Security (no consent required)
- Cloudflare __cf_bm — bot-detection cookie set by Cloudflare as the hosting platform.
- Cloudflare Turnstile cookies — set during the captcha verification on the login page; only active during the login action.
Embedded third parties
- Kit newsletter form on /community — Kit may set its own cookies via their script when their form is loaded. See Kit’s privacy policy for the exact cookies and their purpose.
At this time we do not use any analytics or marketing services (no Google Analytics, Plausible, or Cloudflare Web Analytics). If that changes in the future, we will update this privacy policy before the change goes live.
10. Security
We have taken the following measures to protect your data:
- Passwordless authentication — we work with magic links and one-time codes via your email. No passwords are stored on the platform.
- Row-Level Security (RLS) — access to data in our database is controlled at row level by policy rules on the database itself, not only at application level. This is our primary security boundary; the public API key (“anon key”) that sits in the browser does not by itself grant access to personal data — only to what the RLS rules explicitly expose.
- Server-side secrets stay server-side — the powerful service-role key for our database is only used inside server-side functions and never reaches the browser.
- HTTPS/TLS — all traffic to and from the platform is encrypted via Cloudflare.
- Bot protection on login — Cloudflare Turnstile filters automated attacks on the login form.
11. Changes to this policy
We update this privacy policy when our data processing changes — for example when we add a feature that processes new categories of data, or when we add or remove an external service provider.
The date at the top of this page (“Last updated”) indicates when we last amended this policy. Material changes are announced in advance through the community channels (email, Community page).
12. Contact
For all questions, requests or complaints regarding your personal data:
Email: privacy@cleanlanguage.nl
Post: Art o’ Craft, Muldersdreef 335, 7328 EH Apeldoorn
We typically respond within one working day, and at the latest within one month for formal GDPR requests.