Privacy Policy (Sample)
Important: This template is provided for guidance only and does not constitute legal advice. Please have a qualified attorney review and adapt it to your specific practices.
Effective date: [DD Month YYYY]
1) Who we are (Controller)
Veloura (“Veloura”, “we”, “us”, “our”) operates https://stg.veloura.pgsgoldandcoin.com/ (the “Site”). We are the controller of personal data processed via the Site.
Company details
Legal entity: [Veloura B.V.]
Registered address: [Street, No., Postcode, City, Country]
KVK: [12345678]
VAT (BTW): [NL123456789B01]
Email (privacy): [privacy@veloura.com]
Phone: [+31 …]
If appointed: Data Protection Officer (DPO): [Name / Contact]
2) Scope
This Policy explains how we collect, use, disclose and protect personal data when you browse the Site, create an account, place an order, contact us, subscribe to marketing, leave reviews, or interact with us on social media. It applies to consumers in the EU/EEA and is designed to comply with the GDPR and Dutch law.
3) What data we collect
We collect the following categories of data, depending on your interactions:
- Identity & contact data: name, email, phone, billing/shipping address, company details (if B2B).
- Account data: username, password (hashed), preferences, saved addresses, order history.
- Order & payment data: products purchased, order IDs, totals, methods, partial payment details (note: full card data is handled by our payment provider; we do not store it).
- Communications & content: messages to support, product questions, reviews, uploaded photos.
- Technical & usage data: IP address, device identifiers, browser type, operating system, pages viewed, clickstream, time stamps, approximate location (derived from IP).
- Marketing data: newsletter opt‑in/opt‑out, campaign engagement.
- Social media data: your profile/handle and content you make public when you interact with our accounts.
- In‑store interactions (if applicable): CCTV images at our premises (retention is short; see §10).
Special category data: We do not intentionally collect special categories of personal data (e.g., health, religion). Please do not provide such data.
4) How we obtain data
- Directly from you when you create an account, place an order, contact us or subscribe to marketing.
- Automatically via cookies and similar technologies (see §12 and our Cookie Policy).
- From third parties (payment providers, delivery partners, analytics/advertising platforms, identity verification or anti‑fraud providers) as permitted by law.
5) Purposes and legal bases
We process personal data for the purposes below and on the following legal bases (Art. 6 GDPR):
- To operate the Site, enable account creation and manage your orders (order processing, delivery, returns, customer service).
  Legal basis: performance of a contract and steps prior to entering into a contract (Art. 6(1)(b)); legal obligation for invoicing and tax (Art. 6(1)(c)).
- Payments and fraud prevention.
  Legal basis: performance of a contract (Art. 6(1)(b)); legitimate interests in preventing abuse (Art. 6(1)(f)); legal obligations (e.g., tax, bookkeeping) (Art. 6(1)(c)).
- Customer support and communications.
  Legal basis: contract (Art. 6(1)(b)) and legitimate interests in responding to queries (Art. 6(1)(f)).
- Marketing communications (newsletters, offers).
  Legal basis: consent where required (Art. 6(1)(a)); or legitimate interests for existing customers (soft opt‑in) where permitted (Art. 6(1)(f)). You may object or withdraw consent at any time (§9).
- Analytics, personalisation and improvement of our services and Site.
  Legal basis: consent for non‑essential cookies (Art. 6(1)(a)); legitimate interests in improving services (Art. 6(1)(f)) for aggregated data.
- Legal and compliance purposes (record‑keeping, accounting, responding to lawful requests, enforcing terms).
  Legal basis: legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).
Automated decision‑making: We do not engage in automated decisions with legal or similarly significant effects. Fraud checks or risk scoring may be used to protect our business; they do not produce such effects on their own.
6) Disclosures (recipients)
We share personal data with trusted processors and partners under contracts that require them to protect your data:
- Hosting & cloud infrastructure
- Payment service providers (e.g., iDEAL, card processors, Klarna/AfterPay)
- Logistics & delivery partners
- Customer support & CRM tools
- Email and marketing automation platforms
- Analytics and A/B testing providers (e.g., GA4)
- IT security & anti‑fraud providers
- Professional advisors (accountants, auditors, legal)
- Public authorities where required by law
We do not sell your personal data.
7) International transfers
If data is transferred outside the EU/EEA, we rely on an adequacy decision (Art. 45 GDPR) or Standard Contractual Clauses (SCCs) with supplementary measures (Art. 46). For UK transfers, we use the UK IDTA/SCCs where applicable. You may contact us for a copy of relevant safeguards.
8) Retention periods
We retain data only as long as necessary for the purposes collected, or as required by law. Indicative periods:
- Order & invoicing records: 7 years (Dutch tax law).
- Customer account: active use + 24 months of inactivity (then deletion/anonymisation).
- Customer support tickets & emails: 2 years after closure.
- Marketing data: until you withdraw consent or object (plus limited logs to respect your choice).
- Technical logs: up to 12 months unless required longer for security/investigations.
- CCTV (if applicable): typically 30 days, unless needed for incidents.
9) Your rights (EU/EEA)
You have the following rights under the GDPR, subject to conditions and exceptions:
- Access to your data and a copy of it (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure (“right to be forgotten”) (Art. 17).
- Restriction of processing (Art. 18).
- Data portability (Art. 20).
- Object to processing based on legitimate interests and to direct marketing (Art. 21).
- Withdraw consent at any time where processing relies on consent (Art. 7(3)).
To exercise your rights, contact us at [privacy@veloura.com]. We will respond within one month (extendable by two months for complex requests). We may need to verify your identity.
If you believe your rights have been infringed, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
10) Security
We implement technical and organisational measures appropriate to risk, including encryption in transit (TLS), access controls, least‑privilege policies, backups, and staff training. No system is perfectly secure; we will notify you and authorities of a data breach where legally required.
11) Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us to delete it. Where local law requires parental consent for minors, we will obtain it before processing.
12) Cookies & similar technologies
We use cookies and similar technologies to operate the Site, measure performance, and personalise content/ads. Non‑essential cookies are used only with your consent. For details (types, purposes, providers, retention) and to change your preferences at any time, please see our Cookie Policy and on‑site Consent Management tool.
13) Social media & third‑party links
Our Site may include links to third‑party websites and social media features. These services have their own privacy policies, and we are not responsible for their practices. We recommend reviewing their policies before providing personal data.
14) Changes to this Policy
We may update this Policy from time to time. The latest version will always be posted on the Site with an updated Effective date. For material changes, we will provide additional notice where appropriate.
15) Contact
Questions or requests regarding this Policy?
Email: [privacy@veloura.com]
Postal address: [Street, No., Postcode, City, Country]
Phone: [+31 …]