Privacy Policy Xelly Beauty B.V.

This privacy statement applies to Xelly Beauty B.V., located at Van Oldenbarneveldtstraat 8h, 1052KA Amsterdam, registered with the Chamber of Commerce under number 98352075 and VAT number NL868459987B01.


Xelly Beauty B.V. is the data controller for the processing of personal data as described in this statement. We process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable legislation.

 1. What personal data do we process and why?

Orders and performance of the agreement
Legal basis: performance of the agreement

Data
• Name
• Address details
• Email address
• Phone number
• Payment details
• Order details

Purposes
• Processing and delivering orders
• Payment processing
• Shipping
• Customer service
• Communication about your order

Account registration
Legal basis: performance of the agreement

Data
• Name
• Email address
• Password (stored encrypted)
• Order history

Purposes
• Creating and managing an account
• Facilitating future orders

Newsletter and marketing communication
Legal basis: consent

Data
• Email address
• Name (if provided)
• Interaction data such as open and click behavior

Purposes
• Sending newsletters
• Informing about offers and new products

You can withdraw your consent at any time via the unsubscribe link in every email. Withdrawal does not affect previously lawfully processed data.

Fraud prevention and security
Legal basis: legitimate interest

Data
• IP address
• Payment details
• Order behavior
• Device and usage data


Purposes
• Securing the webshop
• Detecting and preventing fraud or misuse

We carefully weigh our interest in a secure webshop against your right to privacy.

Legal obligations
Legal basis: legal obligation

Data
• Invoice and payment details

Purpose
• Compliance with tax and administrative obligations
 
2. Retention periods

We do not retain personal data longer than necessary for the purposes for which it was collected, unless we are legally obliged to retain data for a longer period.

We apply the following periods, among others:

• Invoice and order data: 7 years (tax retention obligation)
• Account data: up to 2 years after last activity
• Newsletter data: until unsubscribe
• Customer service correspondence: up to 2 years after handling
• Fraud and security data: as long as necessary for security purposes

After the retention period, personal data will be deleted or anonymized.

 3. Sharing personal data with third parties

We only share personal data when this is necessary for our services or when we are legally obliged to do so.

This may include sharing with:

• Shopify (hosting and webshop infrastructure)
• Payment providers such as Shopify Payments, Klarna, Mollie, Stripe, and PayPal
• Shipping partners
• IT and hosting providers
• Email marketing software

With parties who process personal data on our behalf, we conclude data processing agreements when legally required.

 4. International data transfer

Because we use international service providers, personal data may be processed outside the European Economic Area.

When personal data is transferred outside the EEA, we ensure appropriate safeguards, such as:

• Standard Contractual Clauses
• Transfer under the EU-US Data Privacy Framework, if applicable
 
5. Profiling and automated decision-making

We do not use automated decision-making that has legal consequences or otherwise significantly affects you.

For marketing purposes, limited profiling may occur, for example, based on purchase history or newsletter interaction. This has no legal or similar significant consequences.

 6. Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, or unlawful processing.

 7. Your rights

Under the GDPR, you have the following rights:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to withdraw consent

We will respond to a request within one month as a rule. If necessary, we may request additional information to establish your identity.

In addition, you have the right to lodge a complaint with the Dutch Data Protection Authority.

 8. Changes

We may amend this privacy statement if our services or legislation changes. The most current version is always available on our website.

 9. Contact details

Xelly Beauty B.V.
Van Oldenbarneveldtstraat 8h
1052KA Amsterdam
KvK 98352075
VAT NL868459987B01
Email: info@xellybeauty.com