Last updated: June 2026
This Privacy Policy applies to all (mobile) websites, (mobile) applications, and platform services of Whoppah B.V. (“Whoppah,” “we,” or “us”). This document explains how we process personal data in accordance with the General Data Protection Regulation (GDPR).
We reserve the right to modify this Privacy Policy. Please check back regularly for updates.
1. Who are we?Whoppah B.V.
De Entree 230
1101 EE Amsterdam
Netherlands
✉ support@whoppah.nl
We process the following data when you create an account:
First and last name (contract performance)
Email address (contract performance)
Address (contract performance)
Phone number (contract performance)
Date of birth (optional; required for selling due to Stripe/DAC7 regulations)
Bank account number (optional; required for selling)
Optional: profile picture, interests, preferences (consent)
We collect:
IP address (legitimate interest – security & analytics)
Device and browser type (legitimate interest)
Location data (consent)
This data is processed under our legitimate interest to maintain platform security and performance.
2.3 Contact momentsIf you contact us (via email, chat, etc.), we use your data to respond to your query (contract performance / legitimate interest).
2.4 Marketing & communicationIf you have an account, we may inform you about updates or relevant promotions (legitimate interest). You can unsubscribe at any time via the link in our emails.
2.5 AI-assisted customer support and automated processingTo answer your questions quickly, we use artificial intelligence (AI) to help handle messages sent to our customer-support channels (for example by email or via the contact form). The AI classifies and prioritises your message, retrieves relevant information, and drafts a reply. Some replies may be sent automatically within strict safeguards; for anything sensitive, or whenever you ask, a member of our team handles your message.
AI provider. The AI runs on Google Cloud (Vertex AI), which acts as our processor. Your messages are processed within the European Union (region europe-west4, the Netherlands) and are not used to train Google's models.
Data minimisation. Before your message is sent to the AI, we remove direct identifiers such as email addresses, phone numbers and IBANs where possible, so the AI works with the content of your question rather than your identifiers.
Your rights. We do not take decisions producing legal or similarly significant effects about you by solely automated means (Article 22 GDPR). You can object to AI-assisted processing and ask for a human at any time (Article 21 GDPR) by writing to support@whoppah.nl.
International transfers. Personal data is processed within the European Economic Area. Where a processor operates outside the EEA, we rely on the European Commission's Standard Contractual Clauses.
To receive payouts, a Stripe connection is required. Stripe is legally required to verify users under anti-money laundering laws.
Depending on your situation, we may collect:
Name
Date of birth
Country of residence
(If needed) country of birth
(If needed) copy of ID
(For business sellers) company documents
Stripe may request additional information as part of their KYC process, such as proof of address or bank statements. This data is only used for verification and payout.
See Stripe’s Privacy Policy for more.
If you exceed 30 sales or €30,000/year, we must report:
Full name
Date and place of birth
Address
BSN or Tax ID (if applicable)
This data is only shared to fulfill legal obligations.
We share address (and if needed, phone/email) with:
Brenger
Wuunder
Magic Movers
Only data necessary for delivery is shared, under a data processing agreement.
4.2 IT, communications & hosting providersWe use external providers for hosting, databases, messaging, and security:
Iterable – marketing communications
Postmark – transactional emails
Firebase – app analytics and push notifications
Spotler Message – WhatsApp Business and SMS
Some may operate outside the EEA (e.g. USA). In such cases, we use Standard Contractual Clauses (SCCs) or rely on adequacy decisions under the GDPR, and sign processing agreements where applicable.
4.3 Other third partiesData may be shared:
With Stripe (payouts & verification)
With fraud prevention tools (legitimate interest)
With legal authorities (if required)
With social platforms if you log in via social media
We use cookies and similar technologies to:
Enable website functionality
Collect analytics
Store your preferences
Serve personalized ads
We ask for your consent for analytical and marketing cookies. You can change your preferences anytime in the cookie settings.
We implement technical and organizational security measures:
Encryption (SSL)
Secure databases
Access control
Logging & monitoring
Two-factor authentication for admins
Account data: until you delete your account
After deletion: erased within 30 days (unless legally required)
Transaction/DAC7 data: up to 10 years
Reviews/ads: may be stored anonymously
You have the right to:
Access
Correction
Deletion
Data portability
Object to processing
You can manage this via your account or contact us at ✉ support@whoppah.nl. We respond within 1 month.
Your username
Your (optional) profile picture
Reviews
Listings
We moderate chats to prevent abuse or fraud. This is stated in the chat interface.
9.2 ProfilingWe use your activity to show personalized recommendations. This is based on legitimate interest and has no legal consequences for you.
9.3 After account deletionData is deleted. Some reviews may be kept anonymously.
We may update this privacy policy. Major changes will be announced actively.
Questions or complaints?
✉ support@whoppah.nl
Dutch law applies.
Whoppah B.V., Amsterdam, June 2026