Privacy Policy
Our policy in one simple sentence: we NEVER use any information you provide to us in any other way than the purpose you have provided it for! (with the exception of the automatic cookies)
Privacy policies are (thanks to the GDPR law, the EU privacy law) now enormous pages of text. And as required by that law, we will provide all the information in the utmost detail. To help you to get to the information you are looking for, we have summarized our policy in a few concise points. These are explained in more detail further down this page.
- We gather information automatically, including cookies. These are used to provide you with a functioning website in your language and currency (if available) and are used to track website performance. The Google analytics information is anonymous and cannot be tracked to a person in any way. We do not share information with Google.
- Information you supply to us is only used for the purpose you have supplied it for. For example, if you sign up for the newsletter, you won’t receive anything but the monthly newsletter (no personalized sales, or any other communication). Not even purchasing will mean you’ll receive the newsletter automatically, only if you have not indicated you wanted to receive the newsletter when creating an account.
- Any information provided to us is secured and encrypted by SSL (Secure Sockets Layer). Every form and the purchasing process will have the green lock in front of the URL showing that the forms are secured. If for some reason you are not seeing this, please type https:// in front of the URL.
- We do not share any of your information with any third party other than those needed to fulfil the service you are requesting from us. For example, in order to ship the order to you, we have to provide the address to a shipping company. They wouldn’t know where to deliver it otherwise.
- We do not show ads on our website and no information is gathered for such purposes either.
- We save your information as long as required (or advised) by law, or as you wish. You can view and alter your account information by logging into it, or request deletion of your account by us, and unsubscribe from the newsletter by clicking the link on the bottom of each newsletter. You are allowed to view, alter or request deletion of your information at all times. Simply contact us for this (or if possible, log in to your account to do so). Please keep in mind that we are required by law to keep some information. We cannot delete an invoice for example, which also has your name and order info as we are obligated to save an invoice for at least 7 years. For more information about how long we save your information, see the tables below.
- You have the right to complain to the Dutch DPA (or European counterparts) and we have the obligation to report data leaks to the appropriate organizations (the Meldloket datalekken of the Dutch DPA in the Netherlands).
The extended version of our privacy policy:
We care about keeping your information secure and will explain how we do that, so you also feel secure about interaction with our site. We practice ‘privacy by design’ which means we will not ask you for any information we don’t need. For example, for our newsletter, we only need your email address and region. We won’t ask you for your name or birthday or anything else, because we don’t need it.
Why do we gather information from you?
We need it for something you are asking of us or to provide a well functioning website catered to your location (the cookies). Without an address we can’t ship products to you, without your email address we can’t send you our newsletter or respond to your questions etc. Information we gather automatically (the cookies) are so we can provide you with a website that shows you all the information in your language and currency and to analyse how to improve the website. A bit further below, we’ll explain cookies in more detail.
Which types of information are gathered? And what do you do with it?
We have divided this part of our privacy policy into two parts: information that is gathered automatically (cookies) and information that is gathered by you supplying it to us.
Information we gather automatically, the cookies!
Everyone has heard the term, but what are cookies? And what do they do? Well, they are packages of information stored on your computer. Upon entering our website, a cookie is made and placed on your computer. It tells your computer in which language and which currency to view the website. Without the cookie, browsing to the next page would show the website in the main language (English in our case) and main currency (Euro in our case). You’d have to reset those two things for each page you visit without the cookie. The cookie also allows your browser to remember products you have placed in your basket. Without the cookie, your computer would forget and you could never go through the order process!
Activity on the website is also tracked with Google Analytics. This allows us to analyze which pages were visited, for how long and the bounce rate among other things. (A bounce is when a person leaves the website). This allows us to analyse and improve the performance of the website. For example, if we see a high bounce rate on a certain page, something might be wrong with that page that causes people to leave without placing an order. This also allows us to see which categories and products are popular which we can use when deciding on new products. As far as Google Analytics is concerned:
- We have a processing agreement with Google to ensure your privacy
- No information is shared with Google for any reason, not for ads, benchmarking or anything else.
- The data is anonymous and depersonalized (no IP addresses)
- Google analytics data is automatically removed after 26 months
Information you actively supply to us
There are several ways to send us personal information. Not just by creating an account or by placing an order, but also by using one of several forms on the website. The contact form, online guarantee form and newsletter subscribing form are examples of such forms. Which information is gathered depends on the function. For the newsletter we only need your email address and region (which newsletter you want to receive). But for the contact form we need your name (so we know what to call you), your email address (in order to respond to you), what type of issue you have (so we can direct it to the right person quickly) and of course a description of why you are contacting us.
As part of our ‘privacy by design’ policy we don’t ask you for any personal information we don’t need. Furthermore, we won’t use any information provided to us for any other purpose than what you have provided it for. Contacting us, or even placing an order doesn’t mean you’ll receive the newsletter. We’ll answer your question, or resolve your problem and send the order, and that’s it! If you subscribe to the newsletter you’ll receive it once a month by email, we will not send you separate emails on sales or personalized discounts (if we want you to know about these things, that info will be IN the newsletter) and we won’t use your email for any other communication other than the newsletter.
We’ll never share your information with any third party not needed to provide the purpose you have supplied it for. If you place an order for example, we can’t ship your order without providing your address to the shipping company. They wouldn’t know where to deliver it otherwise! Another example is the newsletter. The newsletter is sent through a company called Laposta (newsletter host, like MailChimp for example). Without supplying your email address to them, we couldn’t provide you with the newsletter at all.
So some third parties are involved in processing your personal information, but only for the purpose of supplying you with what you have requested. With all those third parties we have processor agreements stipulating the protection of your privacy (either before or on the 28th of May). For more information about which parties are involved for certain pieces of personal information, please see the tables below. The first table is for account creation/orders and the second is for the forms we have on the website. The tables show the purpose of gathering them, if and which third parties are involved and how long the information is saved. For all these types of information you are required to check a box agreeing to this privacy policy and agree to the use of your information. The check box is on the bottom of every form on the website, including the checkout process.
For any information supplied digitally (including email) our website host is always involved as a third party. This applies to all the information in the tables below, but also emails sent directly (not through the website). We have a data processing agreement with them.
Table 1: Personal information involved with purchase and account creation
| Information type | Purpose | Third Parties involved | Period saved |
| --- | --- | --- | --- |
| Name | Email notifications and shipping | Shipping agents, PostNL, Fed Ex and intermediaries | 10 years on invoice, 7 years (required by law) if remove request is made. As part of account info: until deleted or request for deletion. |
| Address | Shipping | Shipping agents, PostNL, Fed Ex and intermediaries | 10 years on invoice, 7 years (required by law) if remove request is made. As part of account info: until deleted or request for deletion. |
| Email address | Email notifications and track and trace (if applicable) | Shipping agents, PostNL, Fed Ex and intermediaries | Part of account info, until deleted or request for deletion. Emails sent are saved for 5 years or until deletion request |
| Phone number | Back up communication for email, Shipping (if with Fed Ex) | Intermediaries and Fed Ex as subcontractor | Part of account info, until deleted or request for deletion. |
| Order information (products ordered, purchase history) | Delivery of products, creation of discounts, saving reward points | Outside of the EU: Shipping agents, PostNL, Fed Ex and intermediaries and customs. Required to import products. Purchase history is not shared with any third party | 10 years on invoice, 7 years (required by law) if remove request is made. As part of account info: until deleted or request for deletion. |
| Payment details and bank information* | Receiving payment for your order | One of our payment providers | We do not receive any of your payment details and bank information, thus cannot save them |
*Please take into account that with the use of our payment providers, you are also sharing information with them. Usually these are parties you are already familiar with through previous online purchases (for example PayPal or the commonly used and reputable credit card payment provider Stripe). The privacy policy of these third parties may also be applicable to your information (for example PayPal, with whom you have shared your information and agreed to their privacy policy when you made the account with them).
Table 2: Personal information involved with the use of website forms
| Information type | Forms | Purpose | Third Parties involved | Period saved |
| --- | --- | --- | --- | --- |
| Name | Contact, Suggestions box, Return form | Email notifications | None | 5 years, or until deletion request |
| Name | Return form | Email notifications | None | 10 years on credit invoice, 7 years (required by law) if remove request is made. As part of account info: until deleted or request for deletion. |
| Name | Online guarantee form | Email notifications and shipping | Shipping agents, PostNL, Fed Ex and intermediaries | If outside EU: 10 years on customs invoice, 7 years (required by law) if remove request is made. Inside EU: 5 years or until deletion request |
| Email address | Contact, Return form, Online Guarantee form, Suggestions box | Email notifications | None | 5 years, or until deletion request |
| Email address | Newsletter | Sending the newsletter | Our newsletter host Laposta (another famous newsletter host is Mailchimp for example) | Until the unsubscribe link at the bottom of each newsletter is pressed. The original subscribe notification is saved until deletion request (required by law, registering opt-ins) |
| Order information (order number, amounts ordered, guarantee number, etc) | Return form, Online guarantee form | To find original order which you are returning one or more products from, or require extra supplies for. | None | 5 years, or until deletion request |
| Region | Newsletter | To provide you with the right newsletter (The Netherlands, Belgium, EU or rest of the world) | Our newsletter host Laposta (another famous newsletter host is Mailchimp for example) | Until the unsubscribe link at the bottom of each newsletter is pressed. The original subscribe notification is saved until deletion request (required by law, registering opt-ins) |
| Subject and reason for contact | Contact form | In order to get your message to the right person quickly | None | 5 years, or until deletion request |
| Your message, your idea, clarification return, details guarantee application | Contact, Return form, Online Guarantee form, Suggestions box | Details to help you with your question, complaint, return or guarantee application or to receive your suggestion | None | 5 years, or until deletion request |
How do you make sure my information is safe with you?
First of all, we need to get it safely to us. Which is why we use an SSL connection (the green lock in front of the URL). This ensures the information you enter on our website is transmitted encrypted and safely. Even if the information was intercepted, it would be useless since it was encrypted. So now it has arrived safely on our servers. Of course we need to make sure our access to our servers is also secure, which we also do by SSL connections. So on both sides, the sending and retrieving of your information is through a secured connection.
Of course we must also store your information safely. Information stored on the website server (hosted server) is protected by the website host. They have taken both technical and organisational measures to ensure a safe and secure hosting service. Including, but not limited to: a firewall, constant monitoring of suspicious activity, automatic patches, cryptography, segmentation and several other methods of encryption and access limitations. If any suspicious activity is found, it is instantly blocked. Our host is very reputable, and considered one of the safest hosts in the Netherlands.
Invoices of orders are also stored on the cloud, with a reputable cloud service provider (so not dropbox). We also have a processing agreement with them, and they have also taken many technical and organisational measures to ensure a safe storage of our files and your information.
The right to be forgotten
Anyone who has ever supplied personal information to us has the right to view, edit or remove that information. It is commonly referred to as the right to be forgotten. Account information can be viewed and altered by logging into your account. If you want to delete your account, you’ll need to contact us (we are working to allow customers to do so themselves, but this is currently not possible). Of course that is not the only personal information we may have of yours. Perhaps you don’t even have an account, but rather filled out one of the forms? If you want that information removed you will need to contact us as well. If you simply want to know what information we have of yours, view or alter your information, you may always contact us for this as well.
Even if you request the removal of your information, we might not be allowed to remove an invoice for an order. Which not only contains your name and address, but also your order information and payment method (not payment info though, just the method. For example: paypal). Depending on how much time has passed we may not be allowed to delete the invoice. Dutch law requires that invoices are saved for 7 years. If you placed an order in the past and request removal of your information before the end of this 7 year period, all of your information is removed with the exception of the invoice. The invoice will be removed after this 7 year period, you don’t need to request removal again.
For more information about how long your information is saved, please see the tables a bit further up this page.
Obligation to report leaks
All leaks of any personal information are to be reported to the Dutch Data Protection Authority (DPA). If there is considerable risk to the persons of whom information was leaked, those persons are also to be informed of the leak. Each and every leak has to be documented by Orcraphics.
Leaks are rarely caused by hacking or digital attacks of some kind, unless you’re a big bank or large institution with valuable information. Credit card information and BSN or social security numbers are very high risk information. We don’t gather or store such information. For webshops who have outsourced payment methods like us, the highest risk of leaks comes from the people working there. Leaving laptops or flash drives with personal information behind, providing login information to others, or even sending personal information to the wrong person. Human mistakes can never be completely prevented, but we try to minimize these risks by:
- Concentrating where information is stored (if you never store personal information on a flash drive, one can’t forget it in public)
- Concentrating access to information (fewer people who can make those mistakes)
- Strict compliance of not sharing login info for ANY reason (we’ll grant new access privileges if needed, sharing logins is strictly prohibited)
- Stimulating mindfulness of the risks of dealing with and sharing of personal information.
Need help?
If you are having trouble understanding this privacy policy or have questions about it, please contact us before placing an order. Simply fill out the contact form or send an email directly to info@orcraphics.com.