Last updated: 27 May 2026.

This privacy policy explains what personal data dukeoftokyo.com processes when you make a reservation or subscribe to a notification, and what rights you have under the EU General Data Protection Regulation (GDPR).

Duke of Tokyo consists of four Dutch private limited companies, one per venue. They act as joint controllers (Article 26 GDPR) for reservations made at the corresponding venue:

• Duke Of Tokyo B.V. (Amsterdam) — KVK 68811063, VAT NL857602275B01, Reguliersdwarsstraat 37, 1017 BK Amsterdam.
• Duke of Tokyo Rotterdam B.V. — KVK 88461963, VAT NL864636283B01, Hofplein 19, 3032 AC Rotterdam.
• Duke Of Tokyo Utrecht B.V. — KVK 73850454, VAT NL859685913B01, Ganzenmarkt Tunnel 3, 3512 GE Utrecht.
• Duke of Tokyo Groningen B.V. — KVK 96677589, Poelestraat 33, 9711 PL Groningen.

For all questions, complaints and requests under this policy you can reach us at a single central contact point: sing@dukeoftokyo.com.

When you make a reservation we process the data we need to fulfil your booking:

• first and last name, email address, phone number;
• date of birth (only when you opt in to birthday emails);
• chosen venue, room, date and time, number of guests;
• notes (free-text field);
• language preference (Dutch or English);
• newsletter and/or birthday-mail preference (opt-ins).

For business reservations we additionally process company name, billing address and VAT number.

To process the payment our website sends the amount, the booking description and the return URL to Mollie B.V. You enter payment and card details directly on Mollie's page; they never reach our systems. We only receive the outcome (paid, failed, refunded) and the transaction ID.

When you subscribe to a notification list (room availability, timeslot waitlist, newsletter or birthday mail) we process your email address, first name, last name and language preference. Subscriptions require a double opt-in: we first send you an email with a confirmation link and only activate the subscription after you click it.

We process your data solely for the purposes below and on the corresponding legal basis from Article 6 GDPR.

• Fulfilling your reservation, processing payments and delivering the visit — basis: performance of a contract (Article 6(1)(b) GDPR).
• Sending transactional emails (booking confirmation, reminder, change, cancellation, thank-you) — basis: performance of a contract.
• Invoicing and retaining invoices — basis: compliance with a legal obligation (Article 6(1)(c) GDPR, combined with Article 52 of the Dutch General Taxation Act).
• Sending newsletters and birthday emails — basis: consent (Article 6(1)(a) GDPR), with double opt-in and the option to withdraw via the unsubscribe link in every email.
• Notifying you when a room or timeslot becomes available — basis: consent (your waitlist subscription).
• Error monitoring, fraud prevention and security of our services — basis: legitimate interest (Article 6(1)(f) GDPR). We strip personal data from error reports before they leave our system.
• Analytics and marketing — basis: consent (Article 6(1)(a) GDPR), only when you have given consent via the cookie banner.

We share your data with the following parties, only to the extent necessary for the purposes above. We have concluded a data-processing agreement with each of these parties, or they act as an independent controller.

• Mollie B.V. (Amsterdam, NL) — processing of iDEAL, credit card and Bancontact payments.
• Amazon Web Services EMEA SARL (region eu-west-1, Dublin, Ireland) — delivery of transactional and marketing emails via Amazon SES.
• Functional Software, Inc. (Sentry, United States) — error monitoring; personal data is scrubbed before transmission based on a key and URL allow-list.
• Hetzner Online GmbH (Germany) — application hosting and object storage for media files in production.
• Cloudflare, Inc. (EU/US) — object storage (R2) for staging media files.
• Google Ireland Ltd. — Google Analytics 4 and Google Ads, only with your consent.
• Meta Platforms Ireland Ltd. — Meta Pixel, only when enabled and with your consent.
• Adobe — Typekit web fonts; Adobe receives your IP address and User-Agent when the stylesheet loads.

We do not sell, swap or rent your data to other parties.

Some of our processors (Sentry, Google, Meta) are headquartered in the United States. Transfers take place on the basis of the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses (SCCs) issued by the European Commission.

We keep your data no longer than necessary for the purpose for which it was collected:

• Reservation, invoice and associated payment data — seven years after the booking, in line with the Dutch statutory invoice retention period (Article 52 AWR).
• Unconfirmed notification subscriptions (waitlists, newsletter, birthday) — automatically deleted thirty days after subscription (daily job at 03:00 Europe/Amsterdam).
• Confirmed subscriptions (newsletter, birthday, waitlists) — until you unsubscribe.
• Suppression list (email addresses that have hard-bounced or filed a spam complaint) — kept indefinitely so we can continue to respect your opt-out.
• Error reports in Sentry — per Sentry's default retention policy (typically 90 days).

Under the GDPR you have the right to:

• Access — receive a copy of the data we process about you.
• Rectification — have incorrect data corrected.
• Erasure — have your data deleted, except where we still need to retain it under a legal obligation (such as the tax retention period).
• Restriction — have processing temporarily suspended.
• Portability — receive your data in a machine-readable format or have it transferred to another party.
• Object — object to processing based on a legitimate interest.
• Withdraw consent — for processing based on consent, at any time and without giving reasons.

For marketing emails you can unsubscribe directly via the link at the bottom of every email or via the /unsubscribe page. For all other requests please email sing@dukeoftokyo.com; we respond within one month.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

We protect your data with appropriate technical and organisational measures. Our website is served only over HTTPS with HSTS preload. All data at rest in our database lives on infrastructure within the European Union. We store Mollie webhook tokens only as SHA-256 hashes. Error reports sent to Sentry are scrubbed of personal data first; our application logs only contain reservation UIDs, never names, email addresses or phone numbers.

Our services are intended for visitors aged 18 and over. We do not knowingly collect data from individuals under 18. If you become aware that a minor has shared data with us, please contact us so we can remove it.

We may update this privacy policy from time to time, for example because the law changes or because we engage new processors. The latest version is always on this page; we notify active subscribers by email for material changes.

Joint controllers: Duke Of Tokyo B.V., Duke of Tokyo Rotterdam B.V., Duke Of Tokyo Utrecht B.V. and Duke of Tokyo Groningen B.V.
Central contact point for privacy enquiries: sing@dukeoftokyo.com
Cookies and tracking: see our cookies policy.