Who we are
the data controller is Notes from the Villa, based in the Netherlands. you can reach us any time at hello@notesfromthevilla.com.
What we collect
for orders — your name, shipping address, email, phone (if provided), and the details of what you bought. for newsletter signups — just your email. for browsing — anonymous analytics about which pages are visited (see our cookie notice for detail).
How we use it
to fulfil your order, provide customer support, comply with tax and accounting rules, prevent fraud, and — only if you opted in — to send you occasional emails about new drops. we do not build advertising profiles.
Legal basis (GDPR)
we process your data under three grounds: performance of a contract (to send you what you ordered), legal obligation (tax records, invoicing), and consent (newsletter, non-essential cookies). you can withdraw consent at any time.
Who sees it
our shipping carrier (to deliver the parcel), our payment processor (to charge the card — we never see full card numbers), our email tool (to send order confirmations and newsletters if you opted in), and our hosting provider. each processor handles only what's strictly needed for their job, under a data-processing agreement.
International transfers
some of our processors are based outside the EU. where that's the case, transfers rely on the European Commission's standard contractual clauses or an equivalent safeguard.
Your rights
under GDPR you can request access to your data, correct it, export it in a portable format, restrict its processing, or ask us to delete it. write to hello@notesfromthevilla.com and we'll respond within one month. you also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Retention
order and invoice data is kept for 7 years — the legal retention period for accounting records in the Netherlands. newsletter data is kept until you unsubscribe. support emails are kept for up to 2 years so we can help if you write again.
Security
the site runs over HTTPS. payment is handled by PCI-compliant providers. we limit internal access to personal data to the few people who actually need it. no system is bulletproof — if something ever goes wrong, we'll notify affected customers and the authority as required by law.
Changes
if we update this policy in a way that materially affects you, we'll flag it on the site and — for newsletter subscribers — by email.
exercise your rights
write to hello@notesfromthevilla.com with the subject line "privacy request" and we'll get back to you within a month.