GDPR & Data Protection
Last Updated: March 12, 2026
01Our Commitment to Data Protection
At The Scene of Amsterdam, operating as LlamaChilly, we are committed to the protection of personal data and full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch Implementation Act (Uitvoeringswet AVG, "UAVG").
The GDPR is a comprehensive data protection law that regulates the processing of personal data of individuals in the European Economic Area (EEA), providing individuals with fundamental rights over their data and requiring organizations that process personal data to meet stringent obligations around transparency, security, and accountability.
"We process personal data exclusively to deliver, maintain, and improve our AI-powered restaurant reservation platform. We never sell personal data to third parties."
02Legal Basis for Processing
We process personal data under one or more of the following legal bases as defined in Article 6(1) of the GDPR:
- Contractual Necessity (Art. 6(1)(b)): Processing necessary for the performance of our service agreement with restaurant clients, including lead qualification, reservation management, and automated guest communications.
- Legitimate Interest (Art. 6(1)(f)): Processing for our legitimate business interests such as fraud prevention, system security, and service analytics, provided these interests do not override the fundamental rights of data subjects.
- Consent (Art. 6(1)(a)): Where applicable, we rely on explicit, informed, and freely given consent for marketing communications and non-essential analytics cookies.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable EU and Dutch laws, including tax, accounting, and anti-money laundering regulations.
03Data Processing Architecture
Our platform processes the following categories of personal data to deliver the LlamaChilly service:
Name, phone number, email, party size, dietary preferences, and reservation history.
Retention: 24 monthsAI-assisted dialogues across WhatsApp, Instagram DM, and Web Chat channels.
Retention: 12 monthsAggregated, anonymized platform interaction metrics used for service optimization.
Retention: 36 monthsClient API keys, OAuth tokens, and system integration credentials stored with AES-256.
Retention: Lifetime of account04Data Processing Addendum
The terms of our Data Processing Addendum ("DPA") are incorporated by reference into every client agreement. The DPA governs all processing of personal data that LlamaChilly performs on behalf of our restaurant clients as a Data Processor under Article 28 of the GDPR.
Our DPA includes provisions for:
- Sub-processor Management: Full transparency on all third-party sub-processors involved in delivering our service, with prior notification of changes.
- Security Measures: Technical and organizational measures including end-to-end encryption (TLS 1.3 in transit, AES-256 at rest), access controls, and regular penetration testing.
- Breach Notification: Commitment to notify data controllers within 48 hours of becoming aware of a personal data breach, in accordance with Article 33.
- Data Return & Deletion: Upon termination, all personal data is returned or securely deleted within 30 days, with certification upon request.
05Your Rights Under GDPR
Under the GDPR, data subjects have the following rights, which we are committed to facilitating:
Obtain confirmation and a copy of all personal data we process about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data ("right to be forgotten").
Request limitation of processing of your personal data.
Receive your data in a structured, machine-readable format.
Object to processing based on legitimate interests or direct marketing.
To exercise any of these rights, please contact our Data Protection Officer at privacy@llamachilly.com. We will respond within 30 days of receipt of your request.
06International Data Transfers
LlamaChilly primarily stores and processes data within the European Economic Area (EEA). In cases where data transfers outside the EEA are necessary (e.g., use of cloud infrastructure providers), we rely on:
- EU Standard Contractual Clauses (SCCs): As approved by the European Commission, ensuring equivalent protection for transferred data.
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
- Supplementary Measures: Additional technical safeguards in line with the EDPB's post-Schrems II guidance, including encryption and pseudonymization.
07Sub-Processors
We engage carefully vetted sub-processors to deliver our services. All sub-processors are contractually bound to equivalent data protection standards. Our current sub-processor list includes:
08Data Portability & Management
- Export: All client data (reservations, guest profiles, conversation logs) can be exported at any time in structured JSON or CSV format via the LlamaChilly dashboard or upon written request.
- Import: We support importing existing guest databases from common POS and reservation systems to ensure seamless onboarding.
- Account Deletion: Client accounts can be terminated at any time. Upon termination, all associated data will be permanently deleted from our production systems within 30 days and from backup systems within 90 days.
- Data Retention: We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable law.
09Security Framework
10Contact & Supervisory Authority
For any questions or concerns regarding our data protection practices, you may contact us at:
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
This page is for informational purposes. The Scene of Amsterdam may update this policy at any time. Material changes will be communicated via email or platform notification. Continued use of our services after such modifications constitutes your acceptance of the revised policy.