Privacy policy

PRIVACY POLICY

Last modified on: November 16, 2023.

1. Introduction

1.1. General

The website www.nodum-by-max.com (hereinafter the “Website”) and the services are offered by Nodum by Max (hereinafter “we” and “us”). Any person who visits our Website (hereinafter the “Visitor”) as well as any person who uses our services (hereinafter the “Customer”) almost inevitably discloses certain personal data. These personal data constitute information that allows us to identify you as a natural person, whether or not we actually do so. You are identifiable as soon as it is possible to create a direct or indirect link between one or more personal data and you as a natural person. The Visitor and Customer are also referred to collectively as “you/your” in this Privacy Statement. We aim to use and process your personal data in accordance with the General Data Protection Regulation (“GDPR”) and other relevant legal provisions. Any reference in this privacy statement to the GDPR is a reference to the Regulation of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Through this privacy statement, you are informed of the processing activities we may carry out with your personal data. This privacy statement applies when we act as the data controller for the processing of personal data of our Website and our services, in other words, when we determine the purposes and means of processing such personal data. Please read this privacy statement carefully and make sure you understand it.

1.2. What are personal data?

Personal data is defined in the GDPR as “any information relating to an identifiable person who can be identified, directly or indirectly.” Personal data, in simpler terms, is any information about you that allows you to be identified. Personal data includes obvious information, such as your name and contact information, as well as less obvious information, such as identification numbers, electronic location data and other online identifiers.

1.3. Changes

We may update this Statement from time to time by posting a new version on our Website. You will find the date of the current version at the top (“Last modified”). This may be necessary, for example, if the law changes, or if we change things in a way that affects the protection of personal data. If we are in possession of your email address (for example, because you are subscribed to our newsletter/have an account) we are committed to notifying you of any significant changes to our privacy statement via email.

2. Contact details

Our Website and services are offered and operated by Nodum by Max. We are registered in Belgium under registration number BE 0741 918 455 and our registered office is located at Heidestraat 10, 2520 Emblem,Belgium.

You can contact us:

(a) by mail, to the postal address listed above;

(b) by email, using info@nodum-by-max.com.

3. 
   What personal data is processed and how is it used?

3.1. Information processing

Depending on the capacity in which you visit or use our Website, we may collect and process the following personal data.

3.1.1. Browser data (technical data) of Visitor & Customer

• IP address;
• geographical location;
• browser type and version;
• operating system;
• reference source;
• duration of your visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use of the service.

The source of this data is the use of either necessary cookies or non-necessary cookies.

− For necessary cookies, the legal basis is our legitimate interest so that the Website functions properly technically in accordance with necessary cookies as referred to in our Cookie Statement.

− In the case of non-necessary cookies, the technical data may be processed for analysing/improving the use of the Website. The legal basis for this processing is your consent.

Retention period: See the Cookie Statement on our Website.

3.1.2. Communication data of Visitor & Customer

= the data you provide us when completing the contact form on our Website or when contacting us by email/telephone. These include:

• First name and surname
• Email address
• Telephone number
• Date of birth
• Gender
• Your message

Processing purpose: Communication data may be processed for the purpose of this communication with you and record keeping.

The source of the communication data is the information you provide to us when you contact us.

Legal basis: Our legitimate interest, to respond to requests, questions or comments or to contact you for questions of any kind (e.g. when you contact us via the contact form, phone or email).

Retention period: Data will be retained for 3 years after the response.

3.1.3. Account data of Customer

• Login data, namely username and (pseudonymised) password.
• Personal data such as: first name, surname, email address, telephone number, date of birth and gender.
• Wishlist of products

This applies when the Customer chooses to register with a purpose of possible future purchases.

Processing purpose: Account data may be processed to enable and control your use of our Website and services.

The source of account data is the information you provide when creating your account.

Legal basis:

− Performance of a contract between you and us

− At your request, taking steps to enter into such an agreement. 

Retention period: Data will be retained for a period of X years after the last login.

3.1.4. Order data of Customer

• First name and surname
• Date of birth
• Email address
• Delivery address
• Billing address (with optional VAT number)
• Telephone or mobile number

Processing purpose: Order data may be processed for sending the purchased good.

The source of the Order Data is the information provided to us by the Customer when the Customer purchases a good through our Website.

Legal basis:

− Execution of a contract (general terms and conditions) between you and us

− At your request, taking steps to enter into such an agreement

− Consent

Retention period: Personal data will be retained for the duration of the agreement (until delivery has taken place). After termination of the agreement, personal data are retained for a further seven years to comply with legal obligation (tax obligation).

3.1.5. Transaction data of Customer

• Contact details
• Card details
• Transaction data

Processing purpose: Transaction data may be processed for delivering the goods purchased and keeping proper records of those transactions.

The source of transaction data is the information you provide to us when you make purchases through our Website.

Legal basis:

− Execution of a contract (terms and conditions) between you and us;

− At your request, taking steps to enter into such an agreement.

Retention period: Personal data will be kept for the duration of the agreement. After termination of the agreement, personal data are retained for a further seven years to comply with the legal obligation (tax obligation).

3.1.6. Data for the purpose of direct marketing of Visitor & Customer 

• Email address
• Date of birth
• Gender

Processing purpose: The direct marketing data is processed to send you updates regarding new product launches/ new designers/ events etc. from us, for which you have given your consent. You can unsubscribe at any time by clicking the “unsubscribe” link in the relevant email or by any other action described therein.

The source of the direct marketing data is the information you provide to us when you subscribe to the newsletter.

Legal basis: consent.

Retention period: Your data will be processed until you unsubscribe.

3.1.7. Other data processing

In addition, we may process your personal data when necessary to comply with a legal obligation to which we are subject (such as tax laws). Without prejudice to the above, we may retain your personal data where this would be necessary for the establishment, exercise or defense of legal claims, whether in judicial proceedings or in administrative or extrajudicial proceedings. The legal basis for this processing is our legitimate interests, namely the protection and exercise of our legal rights.

3.2. Processors

A processor is a natural person or legal entity that processes personal data at our request or on our behalf. We may sometimes contract with this party to provide certain products and/or services. In other words: We use processors because it is necessary for the provision of our services. In this case, we will enter into a written agreement with the processor whereby the security of your personal data is guaranteed by the processor. The processor will always act according to our instructions.

We use the following categories of processors:

• Companies we have engaged for marketing purposes;
• Companies we have engaged for ICT -technical support and hosting purposes;
• Companies we have engaged for administrative purposes (e.g. CRM system);
• Companies we have engaged for communication purposes (e.g. live chat on the Website);
• Companies we have engaged for logistical purposes (e.g. order picking, delivery, etc.);
• Companies we have engaged for analytical purposes;
• Companies we have engaged for payment purposes.

4. Providing your personal data to third parties

We will not share your personal data with third parties (other than processors) for any purposes, subject to the following exceptions. In some circumstances, we may be required by law to share certain personal data, including yours, if we are involved in legal proceedings or for compliance with legal obligations, a court order or the instructions of a government agency.  

5. International transfer (outside EEA) of your personal data

We may store or transfer some or all of your personal data in countries that are not part of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland and Liechtenstein). These are known as “third countries” and may have less stringent data protection laws than those in the EEA. This means that we take additional steps to ensure that your personal data is treated as securely and reliably as it is in the EEA.

We use specific contracts with external third parties approved by the European Commission (also known as Standard Contractual Clauses: SCC) for the transfer of personal data to third countries. The SCCs guarantee the same level of protection of personal data as would apply under the GDPR. In addition, additional measures are taken to protect your data from unauthorized access. More information is available from the European Commission.

6. Your rights

Some rights are complex and not all details are included here. Therefore, please read the relevant provisions and guidelines of supervisory authorities for a full explanation of these rights.

You may exercise your rights with respect to your personal data by notifying us in writing at info@nodum-by-max.com.

We will respond to your request within one month of receiving your request. We normally aim to provide a full response within that time. However, in some cases, especially if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of progress.

6.1. The right of access

You have the right to confirm whether or not we process your personal data and, where we do, to access the personal data, along with certain additional information. This additional information includes details of the purpose of the processing, the categories of personal data involved and the recipients of the personal data. Provided that the rights and freedoms of others are not affected, we will provide you with a copy of your personal data. The first copy will be provided free of charge, but additional copies may be provided for a reasonable fee.

6.2. The right of correction

You have the right to have inaccurate personal data about you corrected and, taking into account the purposes of processing, to have incomplete personal data about you completed.

6.3. The right to erasure (“right to be forgotten”)

In some circumstances, you have the right to have your personal data erased without undue delay. These circumstances include:

− the personal data are no longer necessary in connection with the purposes for which they were collected or otherwise processed;

− you withdraw your consent to processing based on consent;

− you object to processing under certain rules of applicable data protection law (the GDPR);

− the processing is for direct marketing purposes; and

− the personal data were processed unlawfully;

− the personal data were collected in the case of a direct offer of services to a child and the processing is thereby based on consent.

− personal data must be deleted to comply with a legal obligation incumbent upon us.

However, there are exclusions to the right to erase data. The general exclusions include where processing is necessary:

− For the exercise of the right to freedom of expression and information;

− For compliance with a legal obligation imposed on us; or

− For the establishment, exercise or defense of legal claims;

− For archiving in the public interest, scientific or historical research or statistical purposes;

− For public health reasons.

6.4. The right to restrict processing

In some circumstances, you have the right to restrict the processing of your personal data. These circumstances are: you dispute the accuracy of the personal data; the processing is unlawful, but you oppose erasure; we no longer need the personal data for our processing, but you need personal data for the establishment, exercise or defense of legal claims; and you have objected to the processing, pending verification of that objection.

If processing is restricted on this basis, we may continue to store your personal data. However, we will only process them otherwise: with your consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for important reasons of public interest.

6.5. The right to object to processing

You have the right to object to our processing of your personal data for reasons relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for the purposes of legitimate interests pursued by us or by a third party. If you raise such an objection, we will stop processing the personal data unless we can demonstrate that there are compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or that the processing is for the establishment, exercise or defense of legal claims.

In addition, you have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you object, we will stop processing your personal data for this purpose.

Furthermore, you have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes for reasons related to your particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.

6.6. The right to data portability

To the extent that the legal basis for our processing of your personal data is based on:

(a) consent;

(b) the processing is necessary for the performance of a contract to which you are a party, or to take action at your request before entering into a contract; or

(c) such processing is carried out automatically, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.

However, this right does not apply when it would interfere with the rights and freedoms of others.

6.7. The right to lodge a complaint with a supervisory authority

If you believe that our processing of your personal data violates the General Data Protection Regulation (GDPR), you have the right to lodge a complaint with a supervisory authority responsible for data protection. In Belgium, the supervisory authority is the Data Protection Authority (GBA). Data subjects from other Member States have the right to complain to their own national supervisory authority. For an overview of the contact details of these authorities, click on this link.

Data Protection Authority (GBA).
Drukpersstraat 35, 1000 Brussels
+32 (0)2 274 48 00
contact@apd-gba.be
https://www.gegevensbeschermingsautoriteit.be

6.8. The right to withdraw your consent

Insofar as the legal basis for our processing of your personal data is consent, you have the right to withdraw this consent at any time. Withdrawal does not affect the lawfulness of the processing prior to the withdrawal.