Legal · Elenvelle
Privacy Policy
Last updated: 2026-05-26
1. Who we are
Elenvelle is responsible for the processing of personal data as described in this privacy policy.
KVK: [KVK-NUMBER] · VAT: NL[BTW-NUMBER]B01
Contact: [email protected]
We take privacy seriously. We collect only what is necessary, retain it no longer than needed, and never sell your data to third parties.
2. What data we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account sign-in (magic link), order confirmation, newsletter | Contract / Consent |
| Name (optional) | Personalised order communication | Contract |
| Order details (products, price, address) | Fulfilling your order, legal obligation (7-year tax retention) | Contract / Legal obligation |
| Daily anonymous visit hash (SHA-256 of IP + user-agent + daily salt) | Aggregate site analytics — no individual tracking, no cookies, no cross-site profiling | Legitimate interest |
| Chat messages (support chat) | Customer support | Legitimate interest / Consent |
No cookies for tracking. Our analytics are cookieless — we compute a daily one-way hash of your IP address and browser fingerprint. This hash cannot be reversed to identify you, expires daily, and is never shared. No consent banner is required for this approach under the ePrivacy Directive.
3. Third parties
| Party | Role | Country |
|---|---|---|
| Resend Inc. | Transactional email (magic links, order confirmations) | USA (SCCs) |
| Mollie B.V. | Payment processing | Netherlands (EU) |
| Hosting provider (VPS) | Server infrastructure | Canada (OVH) |
We do not share your personal data with any other party without your explicit consent, except where required by law.
4. Retention periods
- Account data: retained for as long as your account is active. You may request deletion at any time.
- Order data: retained for 7 years as required by Dutch tax law.
- Newsletter subscription: retained until you unsubscribe or request deletion.
- Analytics hashes: auto-expire daily; aggregate counts retained for up to 24 months.
- Support chat: retained for 6 months, then permanently deleted.
5. Your rights
Under GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure— request deletion of your data (“right to be forgotten”).
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
6. Security
We use TLS/HTTPS for all data in transit. Your database is stored on encrypted storage on a private server. Passwords are never stored — authentication uses magic links only. Access to the admin system is role-restricted.
7. Cookies
Elenvelle does not place tracking or advertising cookies. We use one essential session cookie (authjs.session-token) strictly necessary to keep you signed in. No consent is required for strictly necessary cookies under the ePrivacy Directive.
8. Contact & complaints
For privacy questions or requests: [email protected]
If you believe we have not handled your request properly, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl