Privacy statement
How Schaduwplan handles your data.
Short and honest: we collect as little as possible. The 3D viewer works without an account and without tracking cookies. What you do in the viewer (address, scenario, projects, optional attachments) stays locally in your own browser until you erase it yourself. To purchase a report we need, at a minimum, your email and the address of the report.
Last updated: 28 April 2026
In short
Schaduwplan is a web application for sunlight studies (bezonningsonderzoek) on Dutch addresses. The 3D viewer runs entirely in your browser: we do not send anything to a server of ours to record what you do. What we do do is explained per section below.
- No tracking cookies, no advertising pixels, no ad networks. What we do do in the logged-in part of the app: anonymised product analytics via PostHog (EU) and error monitoring via Sentry (EU). On public pages no persistent identifier and no cookies. See Processors below.
- Address searches go directly from your browser to PDOK (Kadaster). 3D models are fetched via our own Cloudflare cache from 3DBAG; height data from PDOK and Ellipsis Drive (the official AHN distribution partner). See Third parties & sources.
- Your work (addresses, projects, optional attachments, any height uploads) is kept by the viewer functionally in your own browser — in localStorage and IndexedDB. None of it reaches our servers. See Cookies & local storage and the cookie statement for the full list.
- Only when you purchase a report do we process your email, invoicing details and the address of the report — only then does your data leave your browser.
Controller
The controller within the meaning of the GDPR (Article 4(7)) is:
- Trade name: Schaduwplan
- Business: Schaduwplan is operated as a sole proprietorship (eenmanszaak) under Dutch law.
- Chamber of Commerce (KvK) number: 99118998
- VAT ID: NL005372731B91
- Registered address: the business address registered with the Chamber of Commerce can be retrieved via kvk.nl. For formal correspondence and GDPR requests the email address below is sufficient.
- Contact: [email protected] — for privacy questions, support, complaints and everything else.
- Data Protection Officer: Schaduwplan does not qualify as an organisation for which the GDPR (Article 37) requires a DPO. Questions you would put to a DPO can be sent directly to [email protected].
Age & minors
Schaduwplan is intended for use by people aged 16 or over (Article 8 GDPR, Dutch implementation practice). The service is not aimed at children under 16 and we do not knowingly collect personal data from minors.
Do you suspect we have unintentionally collected data from a child under 16? Email [email protected] — we will delete that data without undue delay.
Which data we process
Depending on how you use the service, different categories of data are processed. We deliberately split them into "locally in your browser" (which Schaduwplan technically cannot access) and "at Schaduwplan":
Locally in your browser (functional storage, only on your device — we cannot reach it):
- Recently searched addresses — at most 6, in localStorage, so you can jump back quickly in the address bar. Contains street, house number, postcode, town, RD/WGS84 coordinates and BAG id.
- Saved projects — in IndexedDB (database
schaduwplan, storeprojects), when you save a scenario via Projects → Save. Contains the address, planned buildings, measurement points and the chosen moment in time. Any heights derived from a GeoTIFF upload are included as a measured value in the saved project — we neverkeep the raw GeoTIFF itself ("extract-and-discard"). - Permit attachments — in localStorage, when you upload a PDF or photo of a building permit or drawing under "Adjust source data" to support a manual height correction. At most 5 MB in total.
- Waitlist email — in localStorage, if you leave your email address via the "Sign in / accounts are coming" popover. That email stays on your device until the real account functionality goes live — only then do we explicitly ask you again to submit it.
- Temporary session state — in sessionStorage, to hand over a chosen address from the landing page to the viewer and to remember "do not show again" choices within one session. Erased as soon as you close the tab.
Full keys and retention periods are listed in the cookie statement.
At Schaduwplan (only relevant once a paid flow goes live — at present no paid reports have been delivered yet):
- Report purchase: your email address, the address of the report, and (for Business) optionally a company name and KvK number for invoicing.
- Payments: Stripe processes the payment. We only receive a transaction reference, amount and date — no card number.
- Contact: when you email [email protected] we keep that correspondence.
- Server logs from our hosting (Cloudflare Pages): technical access data (IP address, timestamp, requested path) as every web server does. Cloudflare keeps these for a short time for security and debugging and does not share them with us in aggregated or identified form.
What we use that data for
- Delivering the purchased report (PDF by email).
- Processing payments and issuing invoices.
- Answering contact requests.
- Legal obligations (tax retention duty on invoices).
We never use your data for marketing purposes beyond your request, never sell it to third parties, and carry out no profiling.
Legal basis (GDPR)
- Performance of the contract — for delivering the report you purchase.
- Legal obligation — for invoicing and the tax retention duty.
- Legitimate interest — for handling your contact requests.
Third parties and external sources
To make the 3D viewer work we connect to a number of external services. Some connections run directly from your browser to the source, others run via our Cloudflare cache (so we do not overload the upstream API and you get faster responses):
- PDOK Locatieserver (Kadaster) — address autocomplete and BAG building resolution. Directly from your browser. A government service; no personal data recorded beyond the search itself.
- 3DBAG (TU Delft + 3DGI) — 3D building models and building attributes. Via our Cloudflare Pages function at
/api/bag3d/*(24-hour edge cache, because 3DBAG sends no CORS headers). Open data, CC BY 4.0; no personal data — although Cloudflare does log standard access metadata such as IP and timestamp for security. - PDOK (AHN4) — height data via WCS. Directly from your browser. Open data.
- Ellipsis Drive (AHN5 / AHN6) — more recent height data, only when 3DBAG is outdated for your building or could not produce a roof fit. Ellipsis Drive is a Dutch SaaS appointed by AHN as the official distribution partner for AHN5+ (see ahn.nl/dataroom). Directly from your browser. No personal data.
- Cloudflare Pages — our hosting. Serves the website and the 3DBAG cache from EU edges. Cloudflare sees standard web server logs (IP, timestamp, path).
- Stripe (Stripe Payments Europe Ltd, Ireland) — for payments (not yet live at the time of this statement). An EU processor with its own privacy policy.
We use no Google Analytics, no Meta Pixel, no Cloudflare Web Analytics and no advertising or social tracking. For error monitoring we use Sentry (EU) with privacy-conservative settings; for product analytics in the logged-in part PostHog (EU). Both are described in detail under "Processors" below. Fonts (Fraunces, Inter Tight, JetBrains Mono) are bundled into our build via @fontsource — so no request goes to Google Fonts or a comparable CDN.
Processors (GDPR Art. 28)
For the services listed below we work with a data processing agreement (DPA) or the supplier's standard DPA. All with an EU establishment or an EU-residency guarantee. A complete up-to-date list, including DPA versions and transfer mechanisms, is in our sub-processor register (GDPR Art. 30).
- Cloudflare, Inc. — hosting (Cloudflare Pages, Workers, R2 object storage, Queues, DNS). EU edges; R2 bucket in EU jurisdiction; standard DPA and EU SCCs for any transatlantic sub-processing.
- Supabase Inc. (eu-central-1, Frankfurt) — database (Postgres with Row Level Security), authentication and Realtime broadcasts for the customer dashboard. Own DPA with EU SCCs Module 2.
- Stripe Payments Europe Ltd (Dublin, Ireland) — payment processor for the paid reports: Stripe Checkout for the transaction, Stripe Tax for automatic VAT calculation and Stripe Invoicing for invoice generation. EU entity, PCI DSS Level 1, own DPA.
- Resend (eu-west-1, Ireland; Plus Five Five, Inc.) — transactional email (report ready, payment error) via the subdomain
mail.schaduwplan.nland SMTP relay for Supabase Auth emails (password reset, email verification). EU SCCs Module 2 + EU-US DPF. - Sentry (de.sentry.io, Frankfurt; Functional Software, Inc.) — error monitoring for the frontend and the render Worker. No IP collection (
sendDefaultPii: false), no session replay, sample rate 10%. Own DPA v5.1.0 with EU SCCs Module 2. - PostHog, Inc. (eu.posthog.com, AWS Frankfurt) — product analytics. On public pages without a persistent identifier and without cookies (
disable_persistence: true); in the logged-in part linked to your account id for conversion-funnel analysis, with opt-in via the terms of use at registration. No session recording, no heatmaps, no autocapture. Own DPA + EU SCCs Module 2. - Zoho Corporation B.V. (EU) — incoming email for
hello@,privacy@,security@and similar aliases under@schaduwplan.nl. Standard Zoho DPA based on Model Contractual Clauses.
Any future expansion of the stack will be added to this statement in advance, at least 30 days before it is put into use. Sentry and PostHog were announced on this date (2026-05-14) and go live with the Schaduwplan paid-backend MVP.
International transfers
We aim to process data within the European Economic Area (EEA). Cloudflare and Stripe are, however, part of groups with US parent companies, which means supporting processing may occasionally take place outside the EEA. Where that is the case, we rely on the standard safeguards the GDPR prescribes:
- a valid adequacy decision of the European Commission (such as the EU-US Data Privacy Framework, insofar as the receiving party is certified under it); or
- the European Standard Contractual Clauses (SCCs), supplemented where appropriate with additional safeguards such as encryption and pseudonymised processing; or
- another appropriate safeguard in accordance with GDPR Chapter V.
An up-to-date list of our processors and their transfer mechanism is available on request via [email protected].
How long we keep data
At Schaduwplan:
- Report-related data: 12 months after purchase (for support and iteration), then deleted unless kept longer at your request.
- Invoices: 7 years (statutory tax retention duty, Art. 52 AWR).
- Contact emails: at most 24 months.
- Hosting / server logs: Cloudflare keeps access logs at edge level for at most a few days by default. We ourselves log nothing structurally. Error reports are kept for 30 days for debugging.
Locally in your browser — we do not set these periods, you do:
- sessionStorage is erased as soon as you close the tab.
- localStorage and IndexedDBremain until you erase them via your browser settings, via "Clear recent addresses" / "Remove attachment" in the viewer, or until your browser cleans up on its own (e.g. iOS Safari eviction after prolonged inactivity).
- For projects you can optionally allow
navigator.storage.persist()so the browser does not clean up your work unprompted.
Your rights under the GDPR
You have the right to:
- Access to which data we hold about you.
- Correction of inaccurate data.
- Erasure ("right to be forgotten") within what the tax retention duty allows.
- Restriction of processing.
- Data portability.
- Object to processing based on legitimate interest.
- The right to complain to the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
Questions about your rights? Email [email protected]. We respond within the statutory period of four weeks.
Account and data deletion
You have the right to have your data and (future) account deleted.
- Local data (3D viewer)you can erase yourself via the browser settings for schaduwplan.nl, or via the "Delete" buttons in the viewer.
- Self-service at schaduwplan.nl/app/settings — if you have an account, you can there (a) delete your account with all associated report bytes at the press of a button, and (b) download a JSON export of all your data (Art. 20 GDPR — right to data portability). Confirmation follows immediately in the UI.
- By email is also possible, from the email address known to us, to [email protected]. We confirm the deletion within the statutory period of 30 days (extendable by 60 days for complex requests).
- What we are legally required to keep: invoices remain under the tax retention duty (Art. 52 AWR — 7 years), even after a deletion request. A deletion request for this category is refused on the basis of Art. 17(3)(b) GDPR (statutory retention duty). The link with the deleted account is broken (the project row remains, user_id becomes NULL).
- Stripe keeps a payment history separate from Schaduwplan. If you also want their copy deleted, you can do so via privacy.stripe.com.
Security
The website runs on Cloudflare Pages with TLS 1.3. Payment data is processed by Stripe with PCI DSS Level 1 compliance. Emails are sent and stored encrypted (TLS). Report PDFs are stored encrypted. Local browser storage is accessible only to you — we have no read access to it.
Data breaches
Should a data breach involving your personal data unexpectedly occur and present a risk, we will report it in accordance with Article 33 GDPR within 72 hours of discovery to the Dutch Data Protection Authority. Where the breach is likely to result in a high risk to your rights and freedoms, we will inform you directly without undue delay (Article 34 GDPR). Do you suspect a breach yourself? Email [email protected] as specifically as possible.
Changes to this statement
We announce substantial changes via a banner on the website at least 30 days before they take effect. Small editorial changes we publish quietly, with an updated "last updated" date at the top.
Contact
Questions, complaints or requests: [email protected]. We respond within one business day.