Privacy Policy

We collect the following categories of personal data: • Identity data: name, job title, company name • Contact data: email address, phone number, billing and delivery address • Account data: login credentials (passwords stored as hashed values), preferences • Order data: product configurations, order history, quote requests • Payment data: invoice details (no full card data — payments processed via certified payment providers) • Communication data: email correspondence, support tickets • Technical data: IP address, browser type, device info, session ID (via cookies) • B2B-specific data: Chamber of Commerce number, VAT number, credit limit, Net-30 payment term requests

We process personal data only on one of the following legal bases (Art. 6 GDPR): Performance of contract (Art. 6(1)(b)): Processing and delivering (custom) orders, invoicing, warranty handling. Legitimate interest (Art. 6(1)(f)): Fraud prevention, IT security, service improvement, B2B relationship management. Legal obligation (Art. 6(1)(c)): Tax record retention (7 years, Dutch Tax Law art. 52 AWR), export customs documentation. Consent (Art. 6(1)(a)): Newsletter, marketing emails, non-essential cookies — you may withdraw consent at any time.

We apply the following retention periods: • Order data & invoices: 7 years (statutory fiscal retention obligation) • Account data: for as long as your account is active; upon deletion request, data is removed within 30 days unless legally required • Marketing consent: until withdrawal of consent • Support communication: 2 years after closure • Web analytics (anonymised): maximum 26 months

We share personal data with third parties only to the extent necessary and under a data processing agreement (Art. 28 GDPR): • Payment providers (e.g. Mollie, Stripe) — for payment processing • Logistics partners (e.g. PostNL, DHL, DPD) — for shipping and tracking • Cloud hosting providers (AWS EU-West-1, Dublin) — for storage and processing within the EU/EEA • Email providers (transactional email) — for order confirmations and notifications • Accounting platforms — for invoice processing We never sell your personal data to third parties. All external processors are located in the EU/EEA or have appropriate safeguards in place (e.g. Standard Contractual Clauses).

Under the GDPR you have the following rights. Exercise them via privacy@blikcart.nl: • Right of access (Art. 15) — request a copy of your personal data • Right to rectification (Art. 16) — have inaccurate data corrected • Right to erasure (Art. 17) — "right to be forgotten" • Right to restriction of processing (Art. 18) • Right to data portability (Art. 20) — receive your data in machine-readable format • Right to object (Art. 21) — object to processing based on legitimate interest or direct marketing • Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal We respond to your request within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl).

We use the following categories of cookies: • Necessary cookies — session, cart, authentication (no consent required) • Analytical cookies — anonymised website statistics (consent required) • Marketing cookies — retargeting and advertising platforms (consent required) You can change your cookie preferences at any time via the cookie banner or your browser settings.

We implement appropriate technical and organisational measures to protect your personal data, including TLS/HTTPS encryption, hashed passwords, role-based access controls, and regular security audits. In the event of a data breach with likely high risks to data subjects, we will notify the Dutch Data Protection Authority within 72 hours (Art. 33 GDPR) and inform you without undue delay (Art. 34 GDPR).

We may update this privacy policy from time to time. The most recent version is always available on this page. For material changes, we will notify you by email or through a prominent notice on the website.