Privacy policy

Last updated: 19 April 2026

Who we are

Holy Callsheet is operated by a sole proprietorship (eenmanszaak) registered in the Netherlands under KVK number 80736246 and VAT number NL003480764B26. Our registered address is Willem Runderkampstraat 6, 1132HX Volendam, Nederland.

We are the data controller for the personal data we collect from visitors and customers. For privacy-related questions, contact us at privacy@holycallsheet.com.

What we collect

We collect only what is necessary to provide the service:

  • Account data: email address (required for sign-up), display name (optional), encrypted password managed by Supabase Auth.
  • Workspace data: company name, brand logo, company address, KVK number (when entered on brand profiles), team membership.
  • Project data: callsheet content including project names, shoot dates, crew names, phone numbers and email addresses, location names and addresses, equipment lists, notes, and shot lists.
  • Billing data: Stripe customer ID and subscription status. We do not store card numbers, Stripe holds those under PCI-DSS Level 1 compliance.
  • Technical data: IP address (retained transiently for authentication and fraud prevention only), browser user agent.
  • Cookies: an essential auth session cookie (Supabase), an active workspace cookie, and optional share-link auth cookies. No analytics cookies.

How we use your data

  • To provide and operate Holy Callsheet, creating callsheets, sharing them, generating PDFs, and managing your crew database.
  • To send transactional email, account confirmations, callsheet share notifications (when you trigger them), and billing receipts from Stripe.
  • To prevent fraud and abuse, IP-based rate limiting and authentication security.

We do not send marketing emails. If we introduce a newsletter or promotional emails in the future, you will be asked to opt in separately. That opt-in will be entirely voluntary.

Legal basis (GDPR)

  • Performance of contract: the majority of processing (account data, project data, billing) is necessary to deliver the service you signed up for.
  • Legitimate interest: security, fraud prevention, and system integrity monitoring.
  • Consent: any future marketing communications will be based on your explicit opt-in.

Sharing your data

We do not sell your data. We share data only with the following sub-processors, each of which is GDPR-compliant:

  • Supabase: database, authentication, and file storage. Hosted in Frankfurt, EU-Central-1.
  • Vercel: web application hosting and edge network. EU edge locations used for EU traffic.
  • Stripe: payment processing. PCI-DSS Level 1 certified. US and EU infrastructure.
  • Resend: transactional email delivery (account emails, billing receipts). US and EU infrastructure.

International transfers

Your primary data is stored in the EU (Frankfurt). Stripe and Resend may transfer data to the United States under Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an adequate level of protection for your personal data.

Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently removed from our systems within 30 days. Database backups that may contain your data expire within 90 days of the deletion request.

Your rights (GDPR)

As a data subject in the EU/EEA, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your data (“right to be forgotten”).
  • Restriction: ask us to limit processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Object: object to processing based on legitimate interest.

To exercise any right, email privacy@holycallsheet.com. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Security

We take technical and organisational measures to protect your data. For a full overview of our security practices, see our security page.

Cookies

For a detailed breakdown of the cookies we use, see our cookie policy.

Changes to this policy

We may update this policy from time to time. When we do, we will notify registered users by email and update the “Last updated” date at the top of this page. Continued use of Holy Callsheet after a policy change constitutes acceptance of the new terms.

Contact

Privacy questions or requests: privacy@holycallsheet.com

Postal address: Willem Runderkampstraat 6, 1132HX Volendam, Nederland