Privacy Policy

Kwik Buy ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website or make a purchase.

This policy is drafted in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Belgian Data Protection Act of 30 July 2018, and other applicable European data protection legislation.

By using our website and services, you acknowledge that you have read and understood this Privacy Policy. We encourage you to read it carefully and contact us if you have any questions.

The data controller responsible for your personal data is:

• Business name: Kwik Buy
• Country: Belgium
• VAT number: BE1001488871
• Contact: Contact Form

As the data controller, we determine the purposes and means of processing your personal data, in accordance with Article 4(7) of the GDPR.

We may collect and process the following categories of personal data, as permitted under Articles 6 and 9 of the GDPR:

3.1 Information You Provide Directly

• Identity data: first name, last name.
• Contact data: email address, telephone number, shipping address, billing address.
• Transaction data: details of the products you purchase and your order history.
• Communication data: any correspondence or messages you send to us via our contact form, email, or other channels.

3.2 Information Collected Automatically

• Technical data: IP address, browser type and version, operating system, device type, screen resolution.
• Usage data: pages visited, time spent on pages, click patterns, referring URLs, and other browsing behaviour on our website.
• Cookie data: information collected through cookies and similar tracking technologies (see Section 7).

3.3 Information from Third Parties

• Payment data: Stripe, our payment processor, may provide us with limited transaction information such as the last four digits of your card, card type, and transaction status. We never receive or store your full payment card details.

Under Article 6(1) of the GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): We process your identity, contact, and transaction data as necessary to fulfil our contractual obligations to you, including processing orders, arranging delivery, handling returns, and providing customer support.
• Legal obligation (Art. 6(1)(c)): We process certain data to comply with legal obligations, such as tax reporting, accounting requirements, and responding to lawful requests from public authorities.
• Legitimate interests (Art. 6(1)(f)): We process technical and usage data for our legitimate interests, including improving our website, preventing fraud, ensuring security, and conducting business analytics. We always balance our interests against your fundamental rights and freedoms.
• Consent (Art. 6(1)(a)): Where applicable, we rely on your explicit consent for specific processing activities, such as sending marketing communications or placing non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We use your personal data for the following purposes:

• Order processing and fulfilment: To process your purchases, arrange shipping, send order confirmations and delivery updates.
• Customer service: To respond to your enquiries, handle complaints, process returns and warranty claims.
• Legal compliance: To maintain records for tax, accounting, and regulatory purposes as required by Belgian and EU law.
• Website improvement: To analyse usage patterns, diagnose technical issues, and improve the functionality and user experience of our website.
• Security and fraud prevention: To protect our website, systems, and users from fraudulent activity and unauthorised access.
• Marketing communications: Where you have given your explicit consent, to send you promotional emails about new products, offers, or services. You may unsubscribe at any time.

We do not sell, rent, or trade your personal data. We share your data only with the following categories of recipients, and only to the extent necessary:

• Stripe (payment processing): Your payment information is securely transmitted to Stripe for transaction processing. Stripe acts as an independent data controller for payment data. Stripe's privacy policy governs their processing of your data. Stripe is certified under PCI DSS Level 1 and complies with the GDPR.
• Shipping and logistics providers: We share your name, delivery address, and contact details with our shipping partners to fulfil and deliver your orders. These providers act as data processors on our behalf and are contractually bound to protect your data.
• Hosting and infrastructure providers: Our website is hosted by third-party infrastructure providers who may process data on our behalf. These providers are selected for their GDPR compliance and data security practices.
• Legal and regulatory authorities: We may disclose your data when required by law, regulation, or legal process, or when necessary to protect our rights, property, or safety or that of others.

All third-party processors with whom we share data are bound by Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR, ensuring they process your data only on our documented instructions and implement appropriate technical and organisational security measures.

Our website uses cookies and similar tracking technologies in accordance with the ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and the GDPR.

Types of Cookies We Use

• Strictly necessary cookies: Essential for the operation of our website (e.g., session management, shopping cart). These cookies do not require your consent.
• Functional cookies: Enable enhanced functionality and personalisation, such as remembering your preferences. Placed only with your consent.
• Analytics cookies: Help us understand how visitors interact with our website by collecting anonymous usage data. Placed only with your consent.

You can manage your cookie preferences at any time through our cookie consent banner or your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

As a data subject, you have the following rights under the GDPR. You may exercise these rights at any time by contacting us:

• Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request access to that data along with supplementary information about the processing.
• Right to rectification (Art. 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
• Right to erasure (Art. 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when there is no overriding legitimate ground for continued processing.
• Right to restriction of processing (Art. 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.
• Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller without hindrance.
• Right to object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately.
• Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not currently engage in such automated decision-making.

To exercise any of these rights, please contact us through our contact form. We will respond to your request within one month, as required by Article 12(3) of the GDPR. In complex cases, this period may be extended by a further two months, in which case we will inform you of the extension within the initial one-month period.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR (storage limitation principle):

• Order and transaction data: Retained for 7 years from the date of the transaction, as required by Belgian tax and accounting legislation.
• Customer account data: Retained for the duration of your relationship with us and for up to 3 years after your last interaction, unless you request earlier deletion.
• Communication records: Retained for up to 3 years from the date of the last communication for customer service quality and dispute resolution purposes.
• Marketing consent records: Retained for as long as the consent is active and for 3 years after withdrawal, for the purpose of demonstrating compliance.
• Technical and analytics data: Retained for up to 26 months from collection.

When data is no longer needed, it is securely deleted or irreversibly anonymised.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Transfers to countries that have received an adequacy decision from the European Commission (Art. 45 GDPR).
• Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR).
• Binding Corporate Rules where applicable (Art. 47 GDPR).

For transfers to the United States, we rely on the EU-US Data Privacy Framework where the recipient is certified, or on Standard Contractual Clauses supplemented by additional safeguards where necessary.

You may request further information about the specific safeguards applied to international transfers by contacting us.

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age, in accordance with Article 8 of the GDPR.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data. If you believe that a child under 16 has provided us with personal data, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Any material changes will be communicated by posting the revised policy on our website with an updated "Last updated" date.

Where changes are significant (for example, changes to the legal basis for processing or the introduction of new data sharing arrangements), we will provide a more prominent notice, such as an email notification or a banner on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us:

• Business name: Kwik Buy
• Country: Belgium
• VAT number: BE1001488871
• Contact: Contact Form

We aim to resolve all data protection enquiries promptly and within the timeframes mandated by the GDPR.

Supervisory Authority

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority, in accordance with Article 77 of the GDPR. Our lead supervisory authority is:

• Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit)
• Rue de la Presse 35, 1000 Brussels, Belgium
• Website: www.dataprotectionauthority.be

You may also lodge a complaint with the supervisory authority of the EU member state in which you reside or work, or in which the alleged infringement took place.