FITS-LIST

Influencer × Partner Collaborations

Privacy Policy

Effective date: April 2026 — Last updated: April 2026

1. Introduction

Welcome to FITS-LIST ("Platform", "Service", "we", "us", or "our"). FITS-LIST is a platform that connects social media influencers ("Influencers") with restaurants and hospitality businesses ("Partners") for promotional collaborations. We facilitate deal discovery, booking management, visit verification, content proof tracking, and payment processing between these parties.

We are committed to protecting your personal information and your right to privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR" / "AVG" in Dutch), the Dutch Implementation Act for the GDPR (Uitvoeringswet AVG — "UAVG"), the Dutch Telecommunications Act (Telecommunicatiewet), and any other applicable data protection legislation.

This Privacy Policy explains what personal data we collect, how and why we process it, who we share it with, how long we retain it, and what rights you have. We encourage you to read this policy carefully. If you have any questions, you can contact us using the details provided in Section 15.

2. Data Controller

The data controller responsible for the processing of your personal data is:

FitsList B.V. determines the purposes and means of processing your personal data and is therefore the controller within the meaning of Article 4(7) of the GDPR.

3. What Data We Collect

We collect and process various categories of personal data depending on how you interact with our Platform. Below is a detailed overview.

3.1 Account Data

When you create an account on FITS-LIST, we collect and store the following information:

3.2 Influencer Profile Data

If you register as an Influencer, you may provide or we may process the following additional data:

3.3 Partner (Business) Data

If you register as a Partner, we collect:

3.4 Social Media Data (via ScrapeCreators API)

To verify Influencer profiles and provide accurate matching, we use the ScrapeCreators API to retrieve publicly available data from Instagram and TikTok profiles. This includes:

This data is refreshed periodically to ensure tier classifications and profile information remain accurate. Only publicly available information is collected; we do not access private accounts or direct messages.

3.5 Deal and Booking Data

When you interact with deals on the Platform, we collect:

3.6 Payment Data

Payment processing is handled entirely by our payment service provider, Mollie B.V. We do not store your credit card details, bank account numbers, or other direct payment credentials on our servers. We do store:

3.7 Communication Data

We collect data related to communications on or through the Platform:

3.8 Technical Data

When you access our Platform, we automatically collect certain technical data:

3.9 Location Data

We process location data in the following ways:

3.10 Push Notification Tokens

If you use our mobile application (built with Expo/React Native) and opt in to push notifications, we store your device push token. This token is used solely to deliver notifications such as booking confirmations, deal updates, and important account alerts. Tokens are deleted when you unregister from notifications or delete your account.

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Delivery and Account Management

To create and maintain your account, authenticate your identity, manage your profile settings, and provide you with access to the Platform's features.

4.2 Deal Matching

To connect Influencers with relevant deals offered by Partners. Matching is based on factors such as geographic location, influencer tier, content niche preferences, availability, and historical performance.

4.3 Tier Classification

To calculate and assign Influencer tiers (Starter, Rising, Premium, Elite) based on follower counts, engagement rates, and other social media metrics. Tiers determine which deals an Influencer is eligible for and the compensation structure.

4.4 Social Media Verification and Profile Enrichment

To verify the authenticity and accuracy of Influencer social media profiles, prevent fraud, and keep profile data up to date through periodic syncing via the ScrapeCreators API.

4.5 Payment Processing and Invoicing

To generate invoices, process subscription payments from Partners, and manage financial transactions through our payment processor Mollie. This includes sending invoice notifications and payment reminders.

4.6 Communication

To send you transactional communications including:

4.7 Platform Analytics and Improvement

To analyze platform usage patterns, improve our features, optimize deal matching algorithms, provide Partners with aggregated performance analytics, and enhance the overall user experience.

4.8 Legal Compliance and Fraud Prevention

To comply with applicable laws and regulations (including Dutch tax law), respond to lawful requests from public authorities, detect and prevent fraudulent or abusive behavior, enforce our Terms and Conditions, and protect the rights and safety of our users.

5. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data only when we have a valid legal basis under the GDPR. The applicable legal bases are:

5.1 Performance of a Contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of our contract with you (our Terms and Conditions). This covers:

5.2 Legitimate Interest (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, provided these do not override your fundamental rights and freedoms. This covers:

5.3 Consent (Art. 6(1)(a) GDPR)

Where required, we process data based on your explicit consent. You may withdraw your consent at any time. This covers:

5.4 Legal Obligation (Art. 6(1)(c) GDPR)

Processing is necessary to comply with legal obligations to which we are subject. This covers:

6. Third-Party Services

We engage the following third-party service providers (processors) to help us operate the Platform. Each provider processes data on our behalf under a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR.

ServicePurposeLocation
SupabaseDatabase hosting, authentication services, and file storage (profile images, proof uploads, logos)EU (Frankfurt)
RailwayApplication and API server hosting (backend infrastructure)EU
Mollie B.V.Payment processing, subscription management, and invoicingNetherlands
ScrapeCreatorsSocial media data enrichment and verification (public Instagram and TikTok profile data)US (with SCCs)
ResendTransactional email delivery (booking confirmations, password resets, invoice notifications)US (with SCCs)
Google Maps PlatformLocation services, geocoding, map display, and distance calculations for deal matchingUS (with SCCs)
Expo / Firebase Cloud MessagingPush notification delivery for the mobile applicationUS (with SCCs)
VercelWeb application hosting, CDN, and static asset deliveryGlobal (with SCCs)

All third-party processors are contractually bound by Data Processing Agreements and are required to handle your data in accordance with the GDPR. We regularly review our processors to ensure ongoing compliance.

7. Cookies and Tracking

Our Platform uses only strictly necessary cookies and local storage, which are exempt from the consent requirement under Article 11.7a of the Dutch Telecommunications Act (Telecommunicatiewet), as they are essential for the provision of the Service.

Specifically, we use:

We do not use:

Because we only use strictly necessary cookies, no cookie consent banner is required under Dutch law. We do not track you across third-party websites, and we do not build advertising profiles.

8. Data Sharing

We do not sell your personal data to third parties. We share your data only in the following limited circumstances:

9. International Data Transfers

Your data is primarily processed and stored within the European Economic Area (EEA). However, some of our third-party service providers are located in or process data in the United States or other countries outside the EEA.

For any transfer of personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. Specifically:

You may request a copy of the relevant safeguards by contacting us at Info@fits-list.com.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Below are our specific retention periods:

Data CategoryRetention Period
Account dataDuration of your account + 1 year after account deletion (to allow for reactivation requests and resolve any outstanding matters)
Social media metricsRefreshed weekly; historical metric data retained for 90 days for tier calculation and trend analysis
Deal and booking data3 years after completion of the deal, for reporting, dispute resolution, and analytics purposes
Payment and invoice data7 years after the date of the transaction, as required by Dutch fiscal retention requirements (Belastingdienst — Article 52 Algemene wet inzake rijksbelastingen)
Support tickets2 years after ticket closure
Technical and server logs30 days
Push notification tokensDeleted immediately upon unregistering from notifications or upon account deletion
Content proof uploads1 year after the collaboration is completed

After the applicable retention period expires, data is permanently deleted or irreversibly anonymized. Where anonymization is applied, the anonymized data may be retained indefinitely for statistical and analytical purposes as it no longer constitutes personal data.

11. Your Rights Under the GDPR

Under the GDPR (and the Dutch UAVG), you have the following rights regarding your personal data. You may exercise these rights free of charge, unless your requests are manifestly unfounded or excessive.

How to exercise your rights: Send an email to Info@fits-list.com with the subject line "GDPR Request". We may need to verify your identity before processing your request. We will respond within one month, as required by Article 12(3) of the GDPR. In complex cases, this period may be extended by two additional months, in which case we will inform you of the extension and the reasons for it.

Right to lodge a complaint: If you believe that we have not handled your personal data properly, you have the right to lodge a complaint with the Dutch Data Protection Authority (see Section 16 for details).

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. If you discover or suspect a security vulnerability or believe your account has been compromised, please contact us immediately at Info@fits-list.com.

13. Children's Privacy

FITS-LIST is not intended for use by individuals under the age of 18. We do not knowingly collect or process personal data from children under 18 years of age. If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete such data from our systems.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at Info@fits-list.com so that we can take appropriate action.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the features of our Platform. When we make material changes, we will:

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes, except where additional consent is required by law.

15. Contact

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

We aim to respond to all inquiries within 5 business days. For formal GDPR requests (access, rectification, erasure, etc.), we will respond within one month as required by law.

16. Supervisory Authority

If you are not satisfied with our response to your privacy concern, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority:

You may also lodge a complaint with the supervisory authority in your country of residence or place of work if this is different from the Netherlands, in accordance with Article 77 of the GDPR.

This Privacy Policy was last updated in April 2026. FitsList B.V. is registered in the Netherlands. For legal advice specific to your situation, please consult a qualified legal professional.