Privacy Policy
// Last updated: 5 May 2026 //
This Privacy Policy explains how Unusual Companies BV, operating the brand The Unusual Space, collects, uses, shares, stores, and protects personal data when you visit https://theunusualspace.com, contact us, register for an event, request information, create an account, book or purchase services, subscribe to newsletters, or otherwise interact with us.
We are the controller for the personal data described in this Privacy Policy unless we clearly state otherwise. You can contact us at [email protected] or at Vinkenburgstraat 2A, 3512 AB Utrecht, The Netherlands.
Key terms
Personal data means any information relating to an identified or identifiable person.
Processing means any operation performed on personal data, such as collection, storage, use, disclosure, deletion, or transfer.
Controller means the organisation that determines why and how personal data is processed. For this Website and the Services, the controller is Unusual Companies BV unless stated otherwise.
Processor means a service provider that processes personal data on our behalf and under our instructions.
Personal data we may collect
Identity and contact data: name, company name, role, email address, phone number, billing address, delivery address, and contact preferences.
Account data: username, account ID, password hash, login history, account settings, and authentication data if accounts are offered.
Order, booking, and contract data: service selected, event registration, booking details, subscription or membership details, payment status, invoice information, customer support communications, and contract history.
Payment and invoice data: transaction references, payment method type, billing information, VAT details, invoice records, and payment provider confirmations. We generally do not store full payment card details ourselves unless expressly stated.
Communication data: emails, forms, enquiries, complaints, support requests, feedback, survey responses, and newsletter subscription records.
Website and technical data: IP address, browser type, device information, operating system, page visits, timestamps, referral URLs, cookie identifiers, log files, and security event logs.
Marketing and preference data: newsletter consent, unsubscribe records, event interests, service interests, cookie consent choices, and marketing interaction data.
Event and media data: participation details and, where applicable, photographs, video, audio, or testimonials captured at events or submitted by you.
User content: reviews, comments, uploaded files, profile information, or messages you submit if such features are available.
Special category data: we do not intentionally request special categories of personal data, such as health, religion, political opinions, or biometric data. You should not submit such data unless expressly requested and legally justified.
Sources of personal data
Directly from you, for example when you contact us, complete a form, create an account, book a service, subscribe to a newsletter, join an event, or submit a complaint.
Automatically from your use of the Website, through server logs, cookies, analytics tools, security tools, and similar technologies.
From third-party service providers, such as payment providers, booking tools, CRM systems, email platforms, analytics providers, event platforms, and security providers.
From business partners or professional advisers where you have authorised them to contact us or where the information is necessary for a service request.
Why we process personal data and our lawful bases
We process personal data only where we have a lawful basis under GDPR. The main lawful bases are performance of a contract, taking steps before entering into a contract, compliance with legal obligations, legitimate interests, consent, and, in rare cases, protection of vital interests.
Purpose | Examples of data | Lawful basis |
Responding to enquiries and contact forms | Name, email, phone, company, message, contact history | Legitimate interests; pre-contractual steps where the enquiry relates to a requested service |
Providing services, bookings, events, venue/facility services, memberships, or subscriptions | Identity, contact, booking, contract, account, event participation, support records | Performance of contract; pre-contractual steps; legitimate interests |
Processing orders, payments, invoices, and administration | Billing data, payment status, invoice records, VAT details, transaction references | Performance of contract; legal obligation; legitimate interests |
Account creation and authentication | Account details, login credentials, security logs, preferences | Performance of contract; legitimate interests in security and account management |
Customer support and complaints | Contact details, correspondence, complaint details, order/booking history | Performance of contract; legal obligation; legitimate interests |
Website operation and security | IP address, log files, device/browser data, security events | Legitimate interests in operating and securing the Website; legal obligation where applicable |
Analytics and service improvement | Usage data, page views, aggregate analytics, cookie identifiers | Consent where required; legitimate interests for privacy-friendly analytics where legally permitted |
Marketing, newsletters, and event invitations | Email, name, preferences, consent records, unsubscribe records, marketing interactions | Consent; legitimate interests where permitted for existing customer communications; legal obligation to keep suppression records |
Cookie consent management | Consent choices, cookie identifiers, timestamp, settings | Legal obligation; legitimate interests in maintaining consent records |
Event photos, videos, and testimonials | Images, video, audio, name, quote, event context | Consent where required; legitimate interests for limited event documentation where appropriate and non-intrusive |
Legal compliance and dispute management | Contracts, correspondence, transaction records, logs, evidence, complaint history | Legal obligation; legitimate interests in establishing, exercising, or defending legal claims |
Business transfers or restructuring | Relevant customer, supplier, and contract data | Legitimate interests; legal obligation where applicable |
Legitimate interests
Where we rely on legitimate interests, we assess whether our interest is not overridden by your privacy rights and freedoms.
Our legitimate interests may include operating and improving the Website and Services, responding to business enquiries, securing systems, preventing fraud and misuse, managing customer relationships, handling complaints, enforcing agreements, and limited business-to-business marketing where legally permitted.
You may object to processing based on legitimate interests at any time. We will stop unless we have compelling legitimate grounds or the processing is needed for legal claims.
Consent and withdrawal of consent
Where we rely on consent, such as for non-essential cookies, certain newsletter subscriptions, marketing preferences, or certain event media use, you may withdraw consent at any time.
Withdrawal of consent does not affect processing that took place before withdrawal. It also does not affect processing based on another lawful basis, such as legal obligations or contract performance.
You can withdraw newsletter consent by using the unsubscribe link in our emails or by contacting us. You can change cookie consent through the cookie settings mechanism on the Website.
Cookies and similar technologies
We use cookies and similar technologies to operate the Website, remember preferences, measure performance, support security, and, where consent is given, support analytics or marketing.
Necessary cookies may be used without consent where they are strictly required to provide the Website or a service requested by you.
Non-essential cookies, including marketing/tracking cookies and non-privacy-friendly analytics cookies, are used only after prior consent where required by Dutch and EU rules.
For details, see our Cookie Policy.
Marketing and newsletters
We may send newsletters, event invitations, service updates, or promotional messages where we have your consent or another lawful basis under applicable law.
You can unsubscribe from marketing communications at any time. We may keep limited suppression records to ensure we do not contact you again for marketing after you unsubscribe.
Service-related messages, such as booking confirmations, payment notices, important account information, or security updates, are not marketing messages and may still be sent where necessary.
Recipients and processors
We may share personal data with service providers that help us operate the Website and Services, such as hosting providers, IT support, CMS providers, analytics providers, cookie consent tools, CRM providers, email and newsletter platforms, payment providers, booking/event tools, communication tools, professional advisers, accountants, and security providers.
We require processors to protect personal data, process it only under our instructions, maintain confidentiality, apply appropriate security measures, and assist us with GDPR obligations where required.
We may also disclose personal data to public authorities, regulators, courts, law enforcement, professional advisers, insurers, auditors, or transaction parties where required by law, necessary for legal claims, or necessary for legitimate business purposes.
International transfers
We aim to process personal data within the European Economic Area where reasonably possible.
If personal data is transferred outside the EEA, we will use a lawful transfer mechanism where required, such as an EU adequacy decision, the European Commission Standard Contractual Clauses, transfer impact assessments, supplementary safeguards, or another lawful mechanism under GDPR.
The actual vendors and transfer mechanisms must be confirmed before publication in the internal vendor compliance checklist.
Security
We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Measures may include access controls, secure hosting, encryption where appropriate, backups, logging, least-privilege access, confidentiality obligations, vendor due diligence, and security monitoring.
No method of transmission or storage is completely secure. We do not guarantee absolute security, but we take reasonable and proportionate measures based on the nature and risk of the processing.
Data breaches
If a personal data breach occurs, we will assess the risk and, where legally required, notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where applicable, within 72 hours after becoming aware of the breach.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals where required by law.
Automated decision-making and profiling
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
If this changes, we will update this Privacy Policy and provide the information required by GDPR before using such processing.
Children and minors
The Website and Services are not directed at children.
We do not knowingly collect personal data from children under 16 based on consent without appropriate parental or guardian consent where required by law.
If you believe a child has provided us with personal data without proper authority, please contact us and we will take appropriate steps.
Your GDPR rights
You may have the right to request access to your personal data, correction of inaccurate data, deletion of data, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is based on consent.
You also have the right not to be subject to certain solely automated decisions where GDPR applies.
To exercise your rights, contact us at [email protected]. We may ask for information necessary to verify your identity. We will respond within one month unless GDPR permits an extension due to complexity or number of requests.
Some rights are not absolute. We may refuse or limit a request where permitted by law, for example where retention is required for tax, accounting, legal, security, or legal-claim purposes.
Complaints to the supervisory authority
You may lodge a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, if you believe our processing of your personal data violates data protection law.
We would appreciate the opportunity to address your concern first, but you are not required to contact us before submitting a complaint to the supervisory authority.
Retention periods
Data category | Typical retention period |
General enquiries and contact forms | Up to 24 months after the last contact, unless a longer period is needed for a contract, complaint, dispute, or legal obligation. |
Customer, booking, service, and contract records | During the contract and up to 7 years after the end of the financial year where required for tax/accounting records; longer if necessary for legal claims. |
Invoices and accounting records | Generally 7 years in line with Dutch tax/accounting retention obligations. |
Account data | For as long as the account is active, then up to 24 months after closure unless a longer retention period is required for legal, security, accounting, or dispute reasons. |
Payment records | As long as necessary to process the payment and comply with accounting/legal obligations; full card details are generally handled by payment providers rather than by us. |
Newsletter and marketing data | Until you unsubscribe or withdraw consent; suppression records may be kept as long as necessary to respect opt-out choices. |
Cookie consent records | For the duration necessary to demonstrate consent choices, typically up to 24 months unless a different period is required by the consent tool or law. |
Website logs and security logs | Typically 6 to 12 months, unless a longer period is needed for security investigation, fraud prevention, or legal claims. |
Analytics data | According to the analytics configuration and cookie duration; aggregate anonymised data may be kept longer where it no longer identifies individuals. |
Complaints and disputes | During handling and up to 5 years after closure, or longer if necessary for legal proceedings or statutory limitation periods. |
Event media and testimonials | For the period reasonably necessary for the stated purpose or until consent is withdrawn where consent is the basis, subject to lawful retention where already published or legally required. |
Job applicant data, if collected through the Website | Generally 4 weeks after completion of the recruitment process, or up to 1 year with applicant consent, unless a longer legal period applies. |
Updates to this Privacy Policy
We may update this Privacy Policy when our processing, legal obligations, vendors, cookies, or Services change.
The latest version will be published on the Website with the last updated date. If changes materially affect your rights or ongoing services, we will provide additional notice where required by law.
Contact details
Controller: Unusual Companies BV, operating the brand The Unusual Space.
Address: Vinkenburgstraat 2A, 3512 AB Utrecht, The Netherlands.
Email: [email protected].
Phone: +31 30 799 60 23.
Website: https://theunusualspace.com.