
Privacy Policy

This policy explains how Studio Nør collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR / AVG). We are committed to handling your data with care and transparency.

Last updated: April 2026 · Governed by Dutch law (GDPR / AVG) · GDPR compliant

1. Who We Are

Studio Nør is a digital design studio based in the Netherlands, operating under the trade name Studio Nør / Vaartin Communicatie.

Controller (verwerkingsverantwoordelijke):
Studio Nør / Vaartin Communicatie
The Netherlands
Email: vaartincommunicatie@gmail.com

This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website and purchase our digital products. We process your data in accordance with the General Data Protection Regulation (GDPR / AVG) and other applicable Dutch privacy legislation.

2. What Data We Collect

We collect the following categories of personal data:

Purchase & payment data
• Full name and email address (provided at checkout via Stripe)
• Billing address (required for tax calculation purposes)
• Payment method type (e.g. credit card, iDEAL) — we never store card details; these are handled exclusively by Stripe

Transaction data
• Order ID, product purchased, purchase amount, currency and date
• Download history (number of times a file has been accessed)

Technical data
• IP address (collected automatically when you access the site)
• Browser type and operating system (anonymised usage statistics only)
• Cookie data (see Section 7 — Cookies)

We do not collect sensitive personal data (bijzondere persoonsgegevens) such as health information, racial or ethnic origin, or political opinions.

3. Why We Collect Your Data

We process your personal data for the following purposes and on the following legal bases (grondslagen):

Order fulfilment — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
We need your email address and name to deliver your download link and send your purchase confirmation.

Tax compliance — Legal basis: legal obligation (Art. 6(1)(c) GDPR)
We are required by Dutch and EU tax law to collect and retain billing address information for VAT reporting purposes (including the OSS scheme). Purchase records must be retained for 7 years.

Fraud prevention & security — Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
We may use transaction and technical data to detect and prevent fraudulent activity.

Service communications — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
We may contact you by email regarding your specific order (e.g. download issues, refund requests). We do not send marketing emails without your explicit consent.

4. Stripe — Payment Processing

All payments are processed by Stripe Payments Europe, Ltd., an Irish company subject to GDPR. When you complete a purchase, you are also subject to Stripe's Privacy Policy (stripe.com/privacy). Stripe acts as a separate data controller for payment processing. We receive limited transaction metadata from Stripe (order ID, email, billing country, payment status) but never receive or store your full card details. Stripe may store your payment information for fraud prevention, compliance, and future purchases under their own policies.

5. Supabase — Data Storage

We use Supabase (a cloud database and infrastructure provider) to store order records, download tokens, and product file metadata. Supabase stores data on servers located in the European Union (AWS eu-central-1, Frankfurt, Germany). Supabase processes data on our behalf as a data processor (verwerker). A Data Processing Agreement (DPA) is in place in accordance with Art. 28 GDPR. Your personal data stored in our database includes: email address, order reference, product ID, and download access tokens. No full payment card data is stored.

6. How Long We Keep Your Data

We retain your personal data for as long as necessary to fulfil the purpose for which it was collected:

• Purchase & billing records: 7 years (required by Dutch tax law — Belastingdienst)
• Download tokens: 24 hours after generation (automatically expire)
• Email address for order follow-up: up to 2 years after purchase, unless you request deletion sooner
• Technical / server logs: maximum 90 days

After these retention periods, data is securely deleted or anonymised.

7. Cookies

Our website uses only strictly necessary technical cookies required for the site to function correctly. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

The following cookies may be set:

• Session cookies: temporary cookies deleted when you close your browser, used to maintain your checkout session
• Stripe cookies: set by Stripe during the payment process for fraud prevention and session continuity

Because we only use strictly necessary cookies (functionele cookies), we are not required to obtain consent for their placement under the Dutch Telecomwet. No cookie banner is displayed. If we introduce any non-essential cookies in the future, we will update this policy and obtain your consent in advance.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights (rechten):

• Right of access (inzagerecht) — You may request a copy of the personal data we hold about you.
• Right to rectification (correctierecht) — You may request correction of inaccurate or incomplete data.
• Right to erasure (recht op vergetelheid) — You may request deletion of your personal data, subject to legal retention obligations (e.g. 7-year tax records cannot be deleted early).
• Right to restriction of processing — You may request that we limit how we use your data in certain circumstances.
• Right to data portability — You may request your data in a machine-readable format.
• Right to object — You may object to processing based on legitimate interests.
• Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at vaartincommunicatie@gmail.com. We will respond within 30 days.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

9. Third Parties & Data Sharing

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We share data only with the following service providers, strictly for the purposes described in this policy:

• Stripe Payments Europe, Ltd. — payment processing
• Supabase, Inc. — database and file storage infrastructure

All third-party providers are required to process your data only on our instructions and in accordance with GDPR. Where data is transferred outside the European Economic Area (EEA), appropriate safeguards (such as Standard Contractual Clauses) are in place.

We may disclose personal data if required by law, court order, or a lawful request by a government authority.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

• HTTPS/TLS encryption for all data in transit
• Row-Level Security (RLS) policies on our database to ensure users can only access their own data
• Signed, time-limited download URLs (valid for 24 hours only)
• No storage of full payment card details — all card data is handled by Stripe's PCI-DSS-certified infrastructure

While we take reasonable precautions, no method of internet transmission is 100% secure. If you believe your data has been compromised, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The date of the most recent update is shown at the top of this page. If we make significant changes that affect your rights, we will notify you by email where we hold your contact details, or by placing a prominent notice on our website. We encourage you to review this policy periodically. Continued use of our website and services after any changes constitutes acceptance of the updated policy.

Exercise your rights or ask a question

To access, correct, or delete your personal data, or for any privacy-related question, please contact us. We will respond within 30 days.

vaartincommunicatie@gmail.com