Privacy Policy

Last updated: 13 January 2026

1) Who we are

This website and webshop are operated by:

Golden Kumquats
Geraniumstraat 3, Enschede, The Netherlands
Chamber of Commerce (KvK): 99431858
Email: goldenkumquats@gmail.com
Phone: +31 0612356552
VAT ID: Not applicable

Golden Kumquats is the “data controller” for personal data processed through this website.

2) Scope

This Privacy Policy explains how we collect, use, share, and protect personal data when you:

  • visit our website,
  • place an order,
  • create an account,
  • contact customer support,
  • post content (e.g., reviews) if such features are enabled.

3) Personal data we collect

Depending on how you use the website, we may collect:

A. Account & contact data

  • Name, email address, password (stored in hashed form), account preferences.

B. Order & delivery data

  • Billing and shipping address, phone number (if provided), purchased items, order history, invoices, refunds/returns.

C. Communication data

  • Messages you send us by email or via the website, plus any attachments.

D. Payment-related data

  • We do not store full card details. Payments are processed by payment providers. We may receive confirmation and limited payment details (e.g., transaction ID, payment status).

E. Technical and usage data

  • IP address, device/browser information, log data, and cookie identifiers (see Cookies section).

F. User-generated content (if enabled)

  • Product reviews/comments and associated metadata (e.g., time, IP address) for security and moderation purposes.

4) Why we process your data (purposes)

We process personal data to:

  • Fulfil your order (payment, shipping, customer service, returns/refunds).
  • Manage your account (login, order history).
  • Communicate with you (order updates, support requests).
  • Prevent fraud and secure the website (abuse prevention, security monitoring).
  • Comply with legal obligations (tax/accounting requirements).
  • Improve the webshop (only where permitted, and with cookie consent where required).

5) Legal bases (GDPR)

We rely on the following legal bases under the GDPR:

  • Performance of a contract (to process your purchase and deliver goods).
  • Legal obligation (e.g., keeping invoices/records).
  • Legitimate interests (fraud prevention, security, limited operational analytics where permitted).
  • Consent (for non-essential cookies and similar tracking technologies, and where required for certain marketing/analytics). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) describes tracking cookies as enabling profiling and typically requiring consent.

6) Cookies and similar technologies

We use cookies and similar technologies:

  • Necessary cookies: required for core webshop functions (shopping cart, checkout, security).
  • Preference cookies: remember choices (optional).
  • Analytics cookies: help understand usage (optional; consent may be required depending on configuration and local rules).
  • Marketing/tracking cookies: used for personalized ads/measurement (optional; consent required).

We ask for consent for non-essential cookies via a cookie banner where required. The AP emphasizes that visitors must have real choice and that banners must not be misleading (e.g., no pre-ticked options).

(For detailed cookie categories and how to change settings, see our Cookie Policy page.)

7) Who we share data with

We share personal data only when necessary, for example with:

  • Payment service providers (to process payments).
  • Shipping and logistics partners (to deliver your order).
  • Hosting and IT service providers (to run the website).
  • Accounting/tax services (legal compliance).
  • Fraud-prevention/security tooling (where used).

These providers act under contracts and process data only for the agreed purposes.

8) International transfers

If a service provider processes data outside the EU/EEA, we use appropriate safeguards (such as Standard Contractual Clauses) where required.

9) How long we keep your data (retention)

We do not keep personal data longer than necessary. The AP notes there is no single GDPR retention period; organizations must set retention periods appropriate to their situation, while other laws (e.g., tax law) may impose specific retention duties.

Typical retention periods (guidance):

  • Invoices and financial records: generally 7 years (Netherlands).
  • Some data may require 10 years in specific cases (e.g., certain VAT schemes/immovable property records).
  • Customer support messages: kept as long as needed to resolve the request and for a reasonable follow-up period.
  • Account data: kept until you delete your account (unless we must keep certain data for legal reasons).
  • Security logs: kept for a limited period necessary for security/fraud prevention.

10) Your rights

Depending on your location (especially EU/EEA), you may have rights to:

  • access your data,
  • correct your data,
  • delete your data,
  • restrict processing,
  • object to processing,
  • data portability,
  • withdraw consent (where processing is based on consent).

To exercise your rights, email goldenkumquats@gmail.com.

11) Security

We take reasonable technical and organizational measures to protect personal data (access controls, updates, encryption where appropriate). No system is perfectly secure, but we work to reduce risk.

12) Children

Our webshop is not intended for children. If you believe a child has provided data, contact us and we will address it.

13) Complaints

If you have concerns about privacy, please contact us first at goldenkumquats@gmail.com. If you are in the EU/EEA, you may also contact your local data protection authority.

14) Changes to this policy

We may update this Privacy Policy. The newest version will always be published on this page with an updated date.