Privacy policy
Last updated: 24 April 2026
Version: 3.0
Stoney Bracelets values your privacy. This policy explains what personal data we process, why, how long we keep it, and what rights you have. It is written in accordance with the EU General Data Protection Regulation (GDPR) and Dutch implementation law.
1. Data Controller
Stoney Bracelets is a trading name of RVH Handelsonderneming.
- Address: [insert business address]
- Chamber of Commerce (KvK) no.: [insert]
- VAT no.: [insert]
- Email: info@stoneybracelets.nl
- Website: stoneybracelets.nl / stoneybracelets.com
For any privacy-related question, contact us at info@stoneybracelets.nl.
2. What data we process
We process the following categories of personal data:
When you place an order: first and last name, billing and shipping address, email, phone number, payment data (handled by our payment providers — we never receive card numbers), IP address.
When you create an account: the above plus a chosen password (stored as a hash) and order history.
When you subscribe to our newsletter: email address and first name, plus open and click behaviour in our emails.
When you contact us: the data you enter yourself plus message metadata.
When you browse the site: IP address, browser type, device type, pages visited, referring URL, click and scroll behaviour, and cookies (see section 7).
When you leave a review: name and review content (processed by Judge.me).
3. Purpose and legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Processing your order and delivery | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Customer service and warranty handling | Performance of contract (Art. 6(1)(b)) |
| Statutory retention (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Newsletter and marketing emails | Consent (Art. 6(1)(a)) |
| Post-purchase review requests | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and site security | Legitimate interest (Art. 6(1)(f)) |
| Analytics and site optimisation | Consent (Art. 6(1)(a)) |
| Personalised advertising | Consent (Art. 6(1)(a)) |
4. Who we share data with
We never sell your data. We share it only with the following categories of processors, strictly for the purposes listed above:
- Shopify Inc. – hosting, checkout and order processing
- Payment providers – Mollie, Klarna, PayPal, Shop Pay
- Carriers – PostNL, DHL, DPD and comparable couriers (for delivery)
- Email marketing – Klaviyo (newsletter and transactional emails)
- Review platform – Judge.me
- Analytics and advertising partners – Google (Analytics, Ads), Meta (Facebook, Instagram), TikTok – only with your consent
- Accountant / bookkeeper – for tax and administrative obligations
- Legal authorities – where legally required
Data Processing Agreements under Art. 28 GDPR are in place with every processor.
5. Transfers outside the EU
Some of our processors (including Shopify, Google, Meta, TikTok) are based in the United States. Transfers take place exclusively on the basis of:
- the EU-US Data Privacy Framework (for certified parties), or
- the European Commission’s Standard Contractual Clauses (SCCs), supplemented by appropriate technical and organisational measures.
6. Retention periods
| Data | Retention |
|---|---|
| Order and invoice data | 7 years (statutory tax retention) |
| Account data | As long as the account is active + 12 months |
| Newsletter subscription | Until you unsubscribe |
| Contact form / email correspondence | 24 months after last contact |
| Analytics data | Maximum 14 months |
| Cookies | See cookie policy |
7. Cookies
We use functional, analytical and marketing cookies. Functional cookies are required for the site to work and are always set. Analytical and marketing cookies are only placed after your consent through the cookie banner. You can change your preferences at any time through the “Cookie settings” link at the bottom of the site.
8. Your rights
Under the GDPR you have the right to:
- Access – know what data we hold about you
- Rectification – have inaccurate data corrected
- Erasure – have your data deleted (“right to be forgotten”)
- Restriction – have processing temporarily stopped
- Object – object to processing based on legitimate interest
- Portability – receive your data in a machine-readable format
- Withdraw consent – at any time, with effect going forward
- Lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or the supervisory authority in your country of residence
Send any request to info@stoneybracelets.nl. We will respond within 30 days. We may ask for additional identification to verify your request.
9. Security
We apply appropriate technical and organisational measures to protect your data, including SSL encryption, role-based access control, strong passwords, and the use of PCI-DSS-certified payment providers.
10. Automated decision-making
We do not make decisions with legal or similarly significant effects based solely on automated processing or profiling.
11. Minors
We do not target individuals under 16 and do not knowingly process children’s data without parental or guardian consent.
12. Changes
We may update this policy. The current version is always available on this page with the date shown at the top. We will actively notify you of material changes by email or by a notice on the site.