Skip to main content
Michiu
Reserve a table

Legal · Last updated 2026-05-05

Privacy Policy

We keep this short and direct. If you want the formal version, ask us — we'll send it. For any privacy question or to exercise your rights, email info@michiu.nl.

Who we are

This site is operated by Restaurant Michiu, located at Maasstraat 102, 1078 HM Amsterdam, Netherlands. Registered with the Dutch Chamber of Commerce under KvK 66392047, BTW (VAT) identification NL856530293B01. You can reach us at info@michiu.nl or +31 20 671 9221.

For questions about how we process personal data, the same address works. We act as the data controller for everything described below.

What we collect, and why

  • Reservation bookings. Name, contact details (email or phone), party size, time, and any dietary or allergy notes you choose to share. We need this to hold a table for you and to run the kitchen safely.
  • Group event inquiries. The contact details you submit, plus your event description. We use it to reply and propose options.
  • Circle of Michiu sign-up. Your name and email when you opt in to our loyalty program. We use it to recognize you on visits and send the occasional update if you've opted into marketing.
  • Direct messages on Instagram and Facebook. When you message our pages, Meta provides us with your message text, the time, and your platform display name. We use this to reply, and we keep records of past messages so a follow-up has context.
  • Reviews. When you leave a public review on Google, TheFork, Tripadvisor, or any other platform, we may import the public text, rating, and your display name into our internal admin so we can write a thoughtful reply. We do not import private information.
  • Site analytics. Basic aggregated traffic data (page views, country, device type) so we can understand how the site is used. No cross-site tracking, no advertising IDs.

Why we're allowed to process it

Under GDPR Article 6, we rely on these legal bases:

  • Contract / pre-contract. Reservations, event inquiries, allergen notes — we cannot serve you without this.
  • Consent. Newsletter signup, Circle program marketing, optional cookies. You can withdraw consent at any time.
  • Legitimate interest. Replying to public reviews and inbound DMs, and keeping internal records of past correspondence so we can serve you well on a return visit. We balance this against your privacy and use the minimum data needed.
  • Legal obligation. Tax records and any information we're required to retain by Dutch law.

How long we keep it

  • Reservation records: up to 24 months after your last visit.
  • Group event correspondence: up to 36 months after the event.
  • Circle membership data: until you ask us to remove it.
  • DM and review correspondence: up to 24 months.
  • Financial records: 7 years (Dutch tax law).

You can ask us to delete sooner. We'll do it unless we're legally required to keep something — in which case we'll explain what and why.

Who else sees your data

We use a small number of third-party processors to run the restaurant. Each of them has a data-processing agreement in place with us:

  • Supabase (EU region) — stores reservation, review, and DM correspondence data.
  • Meta Platforms Ireland Ltd — controller of Instagram and Facebook in the EU. We integrate with Meta's Graph API to manage our Page and to receive direct messages sent to our Instagram and Facebook accounts. Meta is the source of that data and applies its own Instagram and Facebook privacy policies to that data before it reaches us.
  • Zenchef — our reservation system. When you book a table, the booking flow runs on Zenchef's platform; their privacy policy applies to that interaction and we receive the booking record.
  • Cloudflare — serves this website and applies its standard CDN-level processing (IP, request metadata) to keep the site fast and protected from abuse.
  • Resend — transactional email provider (e.g., contact-form replies, Circle outreach). They process recipient email addresses and message bodies on our behalf as a data processor.

We don't sell your data. We don't share it with advertisers. We don't combine it with data from other sources to build a profile of you.

Your rights

Under GDPR you can ask us to:

  • Show you what data we have about you (right of access).
  • Correct anything that's wrong (rectification).
  • Delete it (erasure / right to be forgotten).
  • Restrict how we use it.
  • Receive a copy in a portable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent for anything you previously opted into.

Email info@michiu.nl and we'll respond within 30 days. If you're not happy with how we handle your request, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Cookies

We use only cookies that are strictly necessary for the site to work (session, theme preference, language). No advertising cookies, no cross-site tracking, no data sold to analytics brokers. If we ever change this, we'll ask for consent first.

Changes to this policy

When we change this policy in any meaningful way, we'll update the "last updated" date at the top. For substantial changes that affect how we use existing data, we'll notify you directly if we have your contact details.