Privacy statement

HypoStore BV values your privacy. We only process personal data that is necessary for (improving) our services and handle the information we collect about you and your use of our services with care. We do not share your personal data with third parties for commercial purposes, unless this is necessary for the execution of our services as described below.
This privacy policy applies to the use of the website and the services provided by HypoStore BV. The effective date of this privacy policy is 02/04/2026. The publication of a new version invalidates all previous versions. This privacy policy describes which data is collected about you, the legal basis for such processing, the purposes for which data is used and with whom and under which conditions data may be shared with third parties. We also explain how we store your data, how we protect your data against misuse and what rights you have regarding the personal data you have provided to us.
If you have any questions about our privacy policy, you can contact our privacy officer. You will find the contact details at the end of this privacy policy.
Legal bases for processing
We process your personal data on the following legal bases (Article 6 GDPR):
- Performance of a contract: processing your order, payment, shipping and customer service.
- Legal obligation: maintaining our financial administration and retaining invoice data in accordance with fiscal legislation.
- Consent: sending newsletters and placing non-essential cookies. You may withdraw your consent at any time.
- Legitimate interest: improving our website and services, fraud prevention and securing our systems.
About data processing
Below you can read how we process your data, where we (have it) stored, what security measures we use and who has access to the data.
Webshop software
Magento
Our webshop has been developed using Magento (Adobe Commerce) software. Personal data you provide to us for our services is shared with this party. Magento has access to your data to provide us with (technical) support and will not use your data for its own purposes. Magento is required under a data processing agreement to take appropriate security measures, including SSL encryption, a strong password policy and secure data storage. Magento respects the applicable legal retention periods for personal data. Legal basis: performance of a contract.
Web hosting
Leaseweb
We use the web hosting and email services of Leaseweb. Leaseweb processes personal data on our behalf and does not use your data for its own purposes. This party may, however, collect metadata about the use of the services. Leaseweb has taken appropriate technical and organisational measures to prevent loss and unauthorised use of your personal data, including SSL encryption, a strong password policy and regular backups. Leaseweb is bound by confidentiality under a data processing agreement. Legal basis: performance of a contract.
Email and mailing lists
MailChimp (Intuit)
We send our email newsletters via MailChimp, a service of the American company Intuit. MailChimp will not use your name and email address for its own purposes. At the bottom of each newsletter you will find an unsubscribe link. Your personal data is securely stored by MailChimp. MailChimp uses cookies and other internet technologies to track whether emails are opened and read.
As MailChimp is based in the United States, personal data is transferred outside the European Economic Area (EEA). This transfer is based on the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses (SCCs) in accordance with Article 46 GDPR. Legal basis: consent (you actively subscribe to the newsletter and may unsubscribe at any time).
Payment service providers
Pay.nl, PayPal and Billink
For processing (part of) the payments in our webshop, we use the services of Pay.nl, PayPal and Billink. These parties process your name, address, place of residence and payment details such as your bank account or credit card number. They have taken appropriate technical and organisational measures to protect your personal data and do not retain your data beyond the statutory retention periods.
In the case of a request for deferred payment (credit facility), Billink shares personal data and information regarding your financial position with credit assessment agencies. All safeguards mentioned above regarding the protection of your personal data also apply to the parts of the service for which these parties engage third parties.
PayPal is based in the United States. The transfer of personal data is based on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). Legal basis: performance of a contract.
Reviews
Google, Trustpilot and Facebook
We collect reviews via the platforms of Google, Trustpilot and Facebook (hereinafter: the providers). When you leave a review, you are required to provide your name, place of residence and email address. The providers share this data with us so that we can link the review to your order. The providers also publish your name and place of residence on their own website. In some cases, the provider may contact you to request clarification of your review.
If we invite you to leave a review, we share your name and email address with the relevant provider. They use this data solely to invite you to leave a review. The providers have taken appropriate technical and organisational measures to protect your personal data. Legal basis: legitimate interest (quality improvement and transparency).
Shipping and logistics
PostNL and UPS
When you place an order with us, we use the services of PostNL and UPS to carry out deliveries. It is therefore necessary for us to share your name, address and place of residence with these parties. PostNL and UPS use this data solely for the purpose of carrying out the shipment. If they engage subcontractors, your data is also made available to these parties. Legal basis: performance of a contract.
Invoicing and accounting
Sherpaan and Exact
For maintaining our administration and accounting, we use the services of Sherpaan and Exact. We share your name, address, place of residence and order details with them. This data is used for the administration of sales invoices. Your personal data is transmitted and stored securely. Sherpaan and Exact are bound by confidentiality and will not use your data for purposes other than those described above. Legal basis: legal obligation (fiscal retention requirement).
External sales channels
Bol.com
We sell part of our products via the Bol.com platform. If you place an order through this platform, Bol.com shares your order and personal data with us. We use this data to process your order and treat your data confidentially. Legal basis: performance of a contract.
Amazon
We sell part of our products via the Amazon platform. If you place an order through this platform, Amazon shares your order and personal data with us. We use this data to process your order and treat your data confidentially. Legal basis: performance of a contract.
Kaufland
We sell part of our products via the Kaufland platform. If you place an order through this platform, Kaufland shares your order and personal data with us. We use this data to process your order and treat your data confidentially. Legal basis: performance of a contract.
Marktplaats.nl
We sell part of our products via the Marktplaats.nl platform. If you place an order through this platform, Marktplaats.nl shares your order and personal data with us. We use this data to process your order and treat your data confidentially. Legal basis: performance of a contract.
Purpose of data processing
General purpose of processing
We use your data exclusively for our services. This means the purpose of processing is always directly related to the assignment you provide to us. We do not use your data for targeted marketing without your explicit consent. If we wish to use your data to contact you at a later time — other than at your request — we will ask for your explicit consent. Your data will not be shared with third parties, other than to fulfil accounting and other administrative obligations. These third parties are bound by confidentiality under a data processing agreement or legal obligation.
Automatically collected data
Data automatically collected by our website is processed for the purpose of improving our services. This data includes your IP address, web browser and operating system. An IP address is considered personal data under the GDPR. We process this data on the basis of our legitimate interest (website security and improvement) and do not retain it longer than necessary.
Cooperation with fiscal and criminal investigations
In certain cases, HypoStore may be required by law to share your data in connection with fiscal or criminal investigations by government authorities. In such cases, we are compelled to share your data, but we will oppose this within the possibilities the law affords us.
Retention periods
We apply the following retention periods:
- Customer account data: as long as you have an active account with us. After deletion of your account, this data will be removed within 30 days, unless legal retention obligations apply.
- Invoice and order data: 7 years after the financial year in which the transaction took place, in accordance with fiscal retention requirements.
- Newsletter data: until the moment you unsubscribe. After unsubscribing, your data will be removed from the system within 30 days.
- Website statistics and log files: a maximum of 26 months.
Under applicable administrative obligations, we are required to retain invoices containing your personal data for the statutory period. After deletion of your account, our employees no longer have access to your customer profile.
Your rights
Under the General Data Protection Regulation (GDPR), you have the following rights as a data subject regarding the personal data processed by or on behalf of us:
Right of access
You have the right to view the data we process about you. You can submit a request to our privacy officer. You will receive a response within 30 days.
Right to rectification
You have the right to have incorrect or incomplete data corrected. You can submit a request to our privacy officer. You will receive a response within 30 days.
Right to erasure (right to be forgotten)
You have the right to request that we delete your personal data. We will comply with this request unless we have a legal obligation to retain the data (for example, fiscal retention requirements). You will receive a response within 30 days.
Right to restriction of processing
You have the right to request restriction of the processing of your personal data. You can submit a request to our privacy officer. You will receive a response within 30 days.
Right to data portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transfer this data to another controller. You will receive a response within 30 days.
Right to withdraw consent
Where the processing of your personal data is based on consent (for example, newsletter or non-essential cookies), you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Right to object
You have the right to object to the processing of your personal data based on our legitimate interest. Upon receipt of your objection, we will cease processing pending evaluation. If your objection is well-founded, we will provide you with copies of the relevant data and permanently cease processing.
Right regarding automated decision-making
You have the right not to be subject to automated individual decision-making or profiling. We do not use fully automated decision-making. However, we do use analytical cookies (see above) that track browsing behaviour. If you believe this affects your rights, please contact our privacy officer.
In principle, we send copies of your data to the email address known to us in order to prevent misuse. If you wish to receive them at a different address, we will ask you to verify your identity. You have the right at any time to file a complaint with the relevant data protection authority in your country of residence if you believe that we are using your personal data improperly.
Cookies
Our website uses cookies. A cookie is a small text file stored on your device when you visit our website. We distinguish the following categories:
Necessary cookies
These cookies are essential for the functioning of the website, such as remembering your shopping cart and login credentials. These cookies are placed without consent, on the basis of our legitimate interest.
Analytical cookies — Google Analytics
Cookies are placed on our website by Google (Alphabet Inc.) as part of the Google Analytics service. We use this service to gain insight into how visitors use the website. We have taken the following measures to protect your privacy:
- We have concluded a data processing agreement with Google.
- IP addresses are anonymised.
- Sharing of data with other Google services has been disabled.
Google is based in the United States. The transfer of data is based on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). Analytical cookies are retained for a maximum of 26 months. Legal basis: consent (via cookie banner).
Marketing and tracking cookies
We may place marketing cookies from third parties (such as Google Ads or social media platforms) to display relevant advertisements. These cookies are only placed after your explicit consent via our cookie banner. You can change your cookie preferences at any time via the cookie banner on our website. Legal basis: consent.
Third-party cookies
If other third-party software solutions use cookies, this is stated in this privacy policy or separate consent is requested via the cookie banner.
Transfers outside the EEA
A number of our processors are based in the United States (Google, MailChimp/Intuit, PayPal). The transfer of personal data to these parties is based on:
- The EU-US Data Privacy Framework, for parties certified under this framework.
- Standard Contractual Clauses (SCCs) in accordance with Article 46 GDPR, as a supplementary safeguard.
We monitor the validity of these transfer mechanisms and take additional measures where necessary.
Changes to the privacy policy
We reserve the right to amend our privacy policy at any time. You will always find the most recent version on this page. If the amended privacy policy affects the way in which we process data already collected about you, we will notify you by email.
Contact details
HypoStore BV
Gildenweg 14
8304 BC Emmeloord
The Netherlands
T +31 527 522 125
E [email protected]
Privacy officer
I. Stoutjesdijk
T +31 527 522 125
E [email protected]
Please complete your information below to login.