Privacy Policy
Last updated: [DATE]
1. Data Controller
Véronique [SURNAME]
[ADDRESS LINE 1]
L-[POSTAL CODE] [CITY], Grand Duchy of Luxembourg
E-mail: [EMAIL]
2. Data Collected
When processing an order, we collect the following data:
| Data | Purpose | Required |
|---|---|---|
| First and last name | Delivery, invoicing | Yes |
| E-mail address | Order confirmation, shipping notification | Yes |
| Delivery address | Shipping | Yes |
| Phone number | Contact in case of delivery issue | No |
| VAT number | B2B invoicing (reverse charge) | No |
No banking data is stored on our servers. Payments are processed directly by Stripe (Stripe Inc., San Francisco, USA) and Mollie (Mollie B.V., Amsterdam, Netherlands), subject to their own security standards (PCI-DSS).
No tracking, advertising profiling or behavioural analytics cookies are used on this website.
3. Purposes of Processing
Your personal data is processed exclusively for:
- Order fulfilment: preparation, dispatch, delivery tracking;
- Invoicing: issuing invoices in compliance with legal obligations;
- Order communications: confirmation, tracking number, shipping notification;
- Certificate of authenticity: transmission linked to the acquired artwork;
- Legal compliance: accounting retention under Luxembourg law.
4. Legal Basis
Processing is based on:
- Performance of a contract (Art. 6(1)(b) GDPR) for purposes 1–4;
- Legal obligation (Art. 6(1)(c) GDPR) for purpose 5 (10-year accounting retention).
5. Retention Periods
| Category | Retention period |
|---|---|
| Order data and invoices | 10 years (Luxembourg accounting obligations) |
| Delivery data | 3 years after the order |
| Contact data (e-mail) | 3 years after the last interaction |
6. Data Recipients
Your data is never sold or transferred to third parties for commercial purposes.
It may be shared only with service providers strictly necessary for order fulfilment:
| Provider | Role | Data shared |
|---|---|---|
| Carrier (Post / DHL / other) | Delivery | Name, address, phone |
| Stripe Inc. | Card payment processing | Amount, order reference |
| Mollie B.V. | Bank transfer payment | Amount, order reference |
| Resend Inc. | Transactional e-mails | E-mail address, first name |
These providers act as data processors and are subject to contractual confidentiality obligations in compliance with the GDPR.
7. International Transfers
Stripe Inc. and Resend Inc. are US-based companies. Data transfers to the United States are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, and/or the EU-US Data Privacy Framework.
8. Your Rights (GDPR)
Under Regulation (EU) 2016/679 (GDPR), you have the following rights:
- Right of access: obtain a copy of your personal data;
- Right to rectification: correct inaccurate or incomplete data;
- Right to erasure: request deletion of your data (subject to legal retention obligations);
- Right to restriction: request temporary suspension of processing;
- Right to data portability: receive your data in a structured, machine-readable format;
- Right to object: object to processing based on legitimate interest.
To exercise any of these rights, contact us at: [EMAIL]
We will respond within a maximum of 30 days.
9. Supervisory Authority
If you believe that the processing of your data does not comply with applicable regulations, you have the right to lodge a complaint with the competent supervisory authority in Luxembourg:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz — L-4370 Belvaux
cnpd.public.lu
10. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss or disclosure: TLS encryption in transit, restricted data access, and secure hosting infrastructure.