Privacy policy

Privacy Policy – Tavellio

1. Controller and Contact Details
Tavellio – a brand of the Amsterdam Lighting Group
Keizersgracht 482, 1017 EG Amsterdam, The Netherlands
Email: info@tavellio.com
Phone: +31 (0)20 123 4567
Chamber of Commerce (KvK) No: 92601065

For all data privacy inquiries, you may contact us at the above email or telephone. We have not appointed a separate data protection officer.

2. Scope of this Privacy Policy
This policy applies to all users of Tavellio’s websites and services, including individuals located in the EU, EEA (including the UK), Switzerland, the United States, and Canada. It complies with the following laws and frameworks:

GDPR (EU & EEA)
UK GDPR (post-Brexit)
Data Protection Act 2018 (UK)
CCPA/CPRA (California, USA)
PIPEDA (Canada)
CNIL guidelines (France)
BDSG & TTDSG (Germany)
AVG & UAVG (Netherlands)
Belgian Privacy Act (Belgium)

3. Data Collection and Purpose of Use
We collect only the necessary personal data for the following purposes:

Order processing and fulfilment
Customer account management
Marketing (with consent)
Website analytics and optimization
Legal and tax obligations
Customer service communication

Types of data collected:

Identity information (name, address, email, phone)
Order and payment information
IP address and browser/device data
Communication history
Marketing consent preferences

We do not sell or rent personal data to third parties.

4. Legal Basis for Processing (EU/UK)

Contract performance (Art. 6(1)(b) GDPR)
Legal obligation (Art. 6(1)(c) GDPR)
Legitimate interest (Art. 6(1)(f) GDPR)
Consent (Art. 6(1)(a) GDPR – for marketing & cookies)

5. Third Parties and International Transfers
We share personal data with the following categories of third parties:

Payment providers: Mollie, PayPal, Klarna, Visa, Mastercard, American Express, Apple Pay, Google Pay
Shipping & logistics: PostNL, DHL, FedEx, UPS
Platform services: Shopify (hosting, webshop, email), Omnisend (email marketing), Google (Analytics, Ads), Meta (Facebook, Instagram), TikTok, Bing (Microsoft)

International Data Transfers
Some service providers (e.g. Shopify, Google, Meta, TikTok) may process your data outside the EU/EEA (e.g. USA, Canada). These transfers rely on:

Standard Contractual Clauses (SCCs)
Data Processing Agreements (DPAs)
Appropriate safeguards under Art. 46 GDPR
Adequacy decisions where applicable

Note: Shopify relies on SCCs for transfers of personal data to the United States, as the EU-US Privacy Shield has been invalidated.

6. Security Measures
We take technical and organizational measures to protect your data against loss, misuse, unauthorized access, disclosure, alteration or destruction. This includes:

SSL encryption
Access restrictions
Pseudonymization and anonymization
Employee confidentiality agreements

7. Data Retention

Customer data: as long as your account is active or as required for the purpose collected
Order data: 7–10 years (tax/legal requirements)
Email and marketing preferences: until withdrawn
Analytics and log data: maximum 26 months (Google default)

8. Your Rights (EU/UK/Canada)
You have the right to access, rectify, erase ("right to be forgotten"), restrict the processing of, and transfer your personal data. You also have the right to object to processing, withdraw consent at any time, and lodge a complaint with a data protection authority.

California (CCPA/CPRA)

Right to know, delete, correct
Right to opt-out of “sale” of personal data
Right to non-discrimination

You can exercise your rights by emailing info@tavellio.com. We will respond within 30 days.

9. Automated Decision Making and Profiling
We use limited automated tools such as Google Analytics, Meta Pixel, TikTok Pixel, and Omnisend to optimize our marketing. This does not result in legal or similarly significant effects for individuals.

10. Use of Cookies
We use cookies for:

Functionality (necessary)
Preferences
Statistics (e.g. Google Analytics)
Marketing (Meta, TikTok, Bing)

We use Pandectes GDPR for cookie consent management. Users can adjust preferences via the banner or settings at any time.

11. Communication and Email Privacy
Our transactional and marketing emails are sent via Shopify and Omnisend. These systems are secured and content is not accessible to third parties. All data is encrypted during transmission.

We do not permit access to the content or metadata of our communications unless legally required. All email communication is stored securely and encrypted in transit.

12. Anonymized and Aggregated Data
We may share anonymized or aggregated data with partners to improve our services. This data does not contain personal identifiers.

13. Policy Changes
We may revise this policy. Updates will be posted on our website with the new effective date. We will notify users of significant changes via email.

14. Contact
Tavellio – Amsterdam Lighting Group
Email: info@tavellio.com
Phone: +31 (0)20 123 4567
KvK: 92601065

Last updated: 19 May 2025