PRIVACY POLICY
OF THE DELUXDECO.NL ONLINE STORE
Last updated: March 2026
TABLE OF CONTENTS
- GENERAL PROVISIONS
- LEGAL BASIS FOR DATA PROCESSING
- PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING
- DATA RECIPIENTS
- PROFILING
- DATA SUBJECT RIGHTS
- COOKIES AND ANALYTICS
- PERSONAL DATA BREACHES
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.1 Purpose of this policy
This online store privacy policy is for informational purposes. It primarily contains rules regarding the processing of personal data by the Controller in the online store, including the basis, purposes, and duration of personal data processing and the rights of data subjects, as well as information regarding the use of cookies and analytical tools.
1.2 Data Controller
The controller of personal data collected via the online store is:
DELUX DECO SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
- Registered address: ul. Kineskopowa 1F, 05-500 Piaseczno, Poland
- KRS number: 0000835964
- Registration court: District Court for the capital city of Warsaw, 14th Commercial Division
- Share capital: PLN 5,000
- VAT-EU number (NIP): PL1231466874
- REGON number: 385905056
- Email address: help@deluxdeco.nl
- Hereinafter referred to as the "Controller", also being the Service Provider and Seller
1.3 Data Protection Officer
Delux Deco does not process personal data on a scale or of a nature that requires the mandatory appointment of a Data Protection Officer (DPO) under Article 37 GDPR. No DPO has been appointed.
For all questions, requests or complaints regarding personal data, please contact us directly:
- Email: help@deluxdeco.nl
- Mail: DELUX DECO SP. Z O.O., ul. Kineskopowa 1F, 05-500 Piaseczno, Poland
1.4 Applicable legislation
Personal data are processed by the Controller in accordance with applicable law, in particular:
- Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR")
- Dutch legislation implementing the GDPR
- Dutch Telecommunications Act
- Other applicable Dutch and European regulations
Official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
1.5 Voluntary nature
Use of the online store and making purchases is voluntary. Providing personal data is also voluntary, with two exceptions:
-
Contract conclusion – Failure to provide personal data required for concluding and performing the sales agreement or electronic service agreement will result in the inability to enter into the contract.
-
Legal obligations – Providing personal data is a legal requirement arising from generally applicable legal provisions obliging the Controller to process personal data (e.g., processing data for maintaining tax or accounting records).
2. LEGAL BASIS FOR DATA PROCESSING
The Controller is entitled to process personal data when at least one of the following conditions is met:
- Consent – The data subject has given consent (Art. 6(1)(a) GDPR)
- Contract performance – Processing is necessary for performance of a contract (Art. 6(1)(b) GDPR)
- Legal obligation – Processing is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR)
- Legitimate interest – Processing is necessary for legitimate interests pursued by the Controller (Art. 6(1)(f) GDPR)
3. PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING
3.1 Processing purposes
The Controller may process personal data for the following purposes:
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Performance of sales agreement or electronic service | Art. 6(1)(b) GDPR | Data retained for period necessary for performance, termination or expiry of the agreement |
| Direct marketing | Art. 6(1)(f) GDPR (legitimate interest) | Data retained for duration of legitimate interest, but no longer than limitation period for claims (3 years general business claims, 2 years sales agreements under Dutch Civil Code). Controller may not process data for direct marketing if effective objection by data subject |
| Marketing (with consent) | Art. 6(1)(a) GDPR | Data retained until data subject withdraws consent |
| Customer reviews | Art. 6(1)(a) GDPR | Data retained until data subject withdraws consent |
| Accounting | Art. 6(1)(c) GDPR in conjunction with Dutch tax law | Data retained for legally required period (7 years from beginning of year following tax year) |
| Product safety and compliance | Art. 6(1)(c) GDPR (legal obligation) in conjunction with General Product Safety Regulation (EU 2023/988) | Technical documentation and customer data related to product safety retained for 10 years per GPSR requirements |
| Establishment, exercise or defense of claims | Art. 6(1)(f) GDPR (legitimate interest) | Data retained for duration of legitimate interest, but no longer than limitation period (5 years under Dutch Civil Code) |
| Website use and proper functioning | Art. 6(1)(f) GDPR (legitimate interest) | Data retained for duration of legitimate interest, but no longer than limitation period |
| Statistics and traffic analysis | Art. 6(1)(f) GDPR (legitimate interest) | Data retained for duration of legitimate interest, but no longer than limitation period |
4. DATA RECIPIENTS
4.1 External service providers
For proper functioning of the online store, the Controller must use external entities' services. The Controller only uses processors who provide sufficient guarantees for implementation of appropriate technical and organizational measures.
4.2 Categories of recipients
Personal data may be shared with:
- Carriers/freight forwarders – For product delivery (when applicable)
- Payment service providers – For processing electronic/card payments
- Shopify Payments
- Supported methods: Visa, Mastercard, American Express, Maestro, UnionPay, Apple Pay, Google Pay, Shop Pay
- Payout account: Alior Bank Spółka Akcyjna
- More information: https://www.shopify.com/payments
- NOTE: We do NOT store credit card or bank details on our servers
- Review systems – For customer review collection
- IT and software providers – For technical solutions enabling business operations
- Accounting, legal and advisory services – For professional support
- Social media plugins – Facebook, Instagram (Meta Platforms Ireland Ltd.)
5. PROFILING
The Controller may use profiling for direct marketing purposes, but decisions made do not concern conclusion/refusal of sales agreements or ability to use electronic services.
Effects of profiling may include granting discounts, sending discount codes, or offering better terms. The individual freely decides whether to use these offers.
Data subjects have the right not to be subject to automated decision-making which produces legal effects or significantly affects them.
6. DATA SUBJECT RIGHTS
6.1 Your rights
- Right of access – Request access to your personal data
- Right to rectification – Correct inaccurate data
- Right to erasure ("right to be forgotten") – Request deletion
- Right to restriction – Limit processing
- Right to object – Object to processing
- Right to data portability – Transfer data to another controller
6.2 Right to withdraw consent
You can withdraw consent at any time without affecting lawfulness of processing based on consent before withdrawal.
6.3 Right to lodge a complaint
You have the right to lodge a complaint with:
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- Postbus 93374
- 2509 AJ Den Haag, Netherlands
- Phone: (+31) - (0)70 - 888 85 00
- Website: https://autoriteitpersoonsgegevens.nl
6.4 Right to object to direct marketing
You can object at any time to processing of your personal data for direct marketing purposes, including profiling related to such marketing.
6.5 Exercising your rights
Contact us at:
- Email: help@deluxdeco.nl
- Mail: DELUX DECO SP. Z O.O., ul. Kineskopowa 1F, 05-500 Piaseczno, Poland
7. COOKIES AND ANALYTICS
See separate Cookie Policy for detailed information.
7.1 Cookie usage summary
The website uses cookies to:
- Enable proper website functioning (necessary cookies)
- Remember your preferences (functional cookies)
- Maintain statistics (analytical cookies)
- Personalize marketing and advertising (marketing cookies)
IMPORTANT NOTE FOR DUTCH USERS: In accordance with Dutch Telecommunications Act and strict enforcement by the Dutch Data Protection Authority, prior opt-in consent is required for all non-essential cookies (tracking, analytics, marketing).
- Pre-checked boxes are NOT valid
- Cookie walls (blocking access without consent) are NOT permitted
- You can withdraw consent at any time
7.2 Analytics
The Controller may use Google Analytics 4 (GA4) to analyze traffic and website usage. Collected data is used in aggregated form to improve the website. Universal Analytics was discontinued by Google on July 1, 2023; we exclusively use GA4.
You can block Google Analytics by installing the browser add-on: https://tools.google.com/dlpage/gaoptout?hl=en
8. PERSONAL DATA BREACHES
8.1 Notification to supervisory authority
The Controller is legally obligated (Art. 33 GDPR) to report a personal data breach that poses a risk to the rights and freedoms of data subjects to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it.
8.2 Notification to data subjects
If a breach is likely to result in a high risk to your rights and freedoms (e.g., identity theft, financial harm, or discrimination), you will be notified without undue delay. The notification will include:
- The nature of the breach
- Name and contact details of the Data Protection Officer (if appointed) or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
8.3 Internal documentation
The Controller documents all personal data breaches, including the facts, consequences, and remedial action taken, in accordance with Art. 33(5) GDPR.
8.4 Contact in case of suspected breach
If you suspect that a breach affecting your personal data has occurred, please contact us immediately at help@deluxdeco.nl.
9. FINAL PROVISIONS
9.1 Links to other websites
The online store may contain links to other websites. The Controller encourages reviewing privacy policies on those websites. This privacy policy applies only to the Controller's online store.
9.2 Changes to privacy policy
The Controller reserves the right to modify this privacy policy. Changes will be announced in advance on the website and take effect on the indicated date.
9.3 Questions and contact
For questions about this privacy policy:
- Email: help@deluxdeco.nl
- Phone: +48 795 966 766
- Address: DELUX DECO SP. Z O.O., ul. Kineskopowa 1F, 05-500 Piaseczno, Poland
9.4 Applicable law
This privacy policy is governed by the GDPR and Dutch legislation implementing the GDPR. For Dutch consumers, Dutch consumer law applies insofar as it is more favorable.
Last update: March 2026 Version: 1.1 (EN)