Privacy Policy

Who is responsible for your data

Melly's Stroopwafels (Melly's BV) is the controller (verwerkingsverantwoordelijke) for the personal data described in this policy. Our company is registered in the Netherlands under KvK number 96080442, with VAT number NL867460878B01.

You can contact us by post at Nieuwezijds Voorburgwal 141, 1012 RJ Amsterdam, by email at info@mellyscookiebar.nl, or by phone at +31 20 423 4797.

We are a small family business and we read these messages ourselves, so please reach out if anything about your data is unclear.

What personal data we collect

When you place an order, we collect your name, billing and shipping address, email address, phone number, and the details of the products you buy.

When you pay, the transaction is processed by our payment provider Mollie. We receive confirmation of payment and limited payment details, but we never store your full card or bank account number.

When you contact us by email or phone, we keep the content of your message so we can help you and follow up where needed.

When you visit our website, we collect limited usage data such as pages viewed and approximate location, as described in our Cookie Policy.

Why we use your data and on what legal basis

To process and deliver your order, including invoicing, shipping, and customer service. The legal basis is the performance of our contract with you (Art. 6(1)(b) GDPR).

To meet our legal obligations, such as keeping invoices and tax records. The legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR).

To keep our website and orders secure and to prevent and detect fraud. The legal basis is our legitimate interest in running a safe webshop (Art. 6(1)(f) GDPR).

To measure how our website is used through analytics, and to send marketing if you have signed up for it. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

Who we share your data with

We share data only with the partners we need to run the webshop, and only for the purposes described here. These partners act as our processors under a data processing agreement.

Mollie processes your payments. Vercel hosts our website. Resend sends our transactional emails, such as order confirmations. Google Analytics and Google Search Console help us understand and improve our website.

Shipping carriers receive the name and address needed to deliver your parcel. If you book a workshop, that booking is handled separately through Bokun.

We never sell your personal data, and we do not share it for advertising by third parties.

Cookies and analytics

Our website uses cookies and similar technologies for it to function and, with your consent, to measure usage through Google Analytics.

You can accept or refuse analytics cookies, and you can change your choice at any time. A full overview is set out in our Cookie Policy.

Refusing analytics cookies does not affect your ability to browse the site or place an order.

Transfers outside the European Union

Some of our partners, in particular Google, may process data on servers located in the United States.

Where data leaves the European Economic Area, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF).

These safeguards are intended to give your data a level of protection comparable to that under EU law.

How long we keep your data

We keep your order and invoice data for seven years, because Dutch tax law requires us to retain our administration for that period.

We keep general contact data, such as messages that are not linked to an order, for a shorter time, no longer than we need it to handle your question.

Marketing data is kept until you withdraw your consent or unsubscribe, after which we stop using it for that purpose.

Your rights

Under the GDPR you have the right to access your personal data, to have it corrected or erased, to restrict or object to its processing, and to receive it in a portable format.

Where we rely on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before you withdrew it.

To exercise any of these rights, email us at info@mellyscookiebar.nl. We may ask you to confirm your identity, and we will respond within the legal time limit.

If you believe we have not handled your data properly, you have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Security and changes to this policy

We take appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS), access controls, and trusted processors who are bound by data processing agreements.

No method of transmission over the internet is completely secure, but we work to keep the risk as low as we reasonably can.

We may update this Privacy Policy from time to time, for example when our services or the law change. The current version always applies, and we encourage you to review it from time to time.