Collector's Realm ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services, in accordance with the General Data Protection Regulation (GDPR) and the Dutch implementation thereof (Algemene Verordening Gegevensbescherming, AVG).
By using our website, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller responsible for your personal data is:
Collector's Realm
Schouwburgplein 52
7001 DJ Doetinchem
Netherlands
Contact person: Laura Garritsen
Email: collectorsrealm97@gmail.com
VAT number: NL005366423B21
If you have any questions about this Privacy Policy or our data practices, you can reach us at the email address above.
2. What Personal Data We Collect
We collect different types of personal data depending on how you interact with our website. Below is a detailed overview of the data we collect.
Account Registration
When you create an account, we collect your full name, email address, and a password. Your password is securely hashed using bcrypt and is never stored in plain text.
Google Sign-In
If you choose to sign in with Google, we receive your name, email address, and profile image from Google via our authentication provider (Neon Auth). We do not receive or store your Google password.
Checkout (Guest)
When you place an order as a guest, we collect your first name, last name, email address, phone number, and shipping address (street, house number, postal code, city, and country).
Checkout (Registered User)
When you check out as a registered user, we use your saved shipping address or collect a new shipping address consisting of street, house number, postal code, city, and country.
Order Information
For each order, we store the order details including items purchased, quantities, prices at time of purchase, payment method used, payment status, shipping method, and tracking information.
Saved Addresses
Registered users may save multiple shipping addresses with a label (e.g. "Home", "Work"). These are stored until you delete them or request their deletion.
Wishlist and Cart
We store the products you add to your wishlist and shopping cart so they persist between sessions for registered users.
Technical Data
For security and fraud prevention purposes, we collect and hash your IP address using SHA-256. The hashed IP address is used for rate limiting (e.g. limiting registration and checkout attempts). We do not store your IP address in plain text.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
Performance of a Contract (Art. 6(1)(b))
Processing your data is necessary to fulfil our contractual obligations to you, including processing orders, managing your account, delivering products, and handling payments.
Legitimate Interest (Art. 6(1)(f))
We have a legitimate interest in preventing fraud and abuse of our services. This includes rate limiting registration and checkout attempts using hashed IP addresses, and maintaining the security of our platform.
Consent (Art. 6(1)(a))
When you sign in with Google, you provide consent for us to receive your profile information from Google. You can withdraw this consent at any time by unlinking your Google account or deleting your account.
Legal Obligation (Art. 6(1)(c))
We are required by Dutch tax law (fiscale bewaarplicht) to retain financial records, including order and payment data, for a period of seven (7) years.
4. How We Use Your Data
We use your personal data for the following purposes:
• Processing and fulfilling your orders, including payment processing and shipping
• Managing your user account and saved preferences
• Providing customer support related to your orders
• Validating shipping addresses to ensure accurate delivery
• Preventing fraud and protecting against abuse (rate limiting, IP hashing)
• Complying with legal obligations (tax record keeping)
• Improving the security and functionality of our website
We do not use your data for automated decision-making or profiling. We do not sell your personal data to third parties.
5. Third-Party Processors
We share your personal data with the following third-party service providers (data processors) who process data on our behalf. Each processor is bound by a Data Processing Agreement (DPA) in compliance with GDPR.
Mollie (Payment Processing)
Location: Netherlands. Mollie processes your payment information (including payment method, amount, and transaction status). Payment is handled on Mollie's PCI-compliant hosted payment pages — your credit card details never reach our servers. Mollie's privacy policy: https://www.mollie.com/privacy
SendCloud (Shipping & Tracking)
Location: Netherlands. SendCloud receives your shipping address for address validation, shipping label generation, and parcel tracking. Carriers such as PostNL may receive your address for delivery purposes. SendCloud's privacy policy: https://www.sendcloud.com/privacy-policy/
Google (Authentication)
Location: United States. If you use Google Sign-In, Google processes your authentication data. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. Google's privacy policy: https://policies.google.com/privacy
Vercel (Hosting & CDN)
Location: United States. Vercel hosts our website and serves product images via their CDN (Vercel Blob). Server-side request logs may temporarily contain IP addresses as part of standard web hosting. Data transfers are protected by Standard Contractual Clauses (SCCs). Vercel's privacy policy: https://vercel.com/legal/privacy-policy
Neon (Database Hosting)
Location: United States. Neon hosts our PostgreSQL database which contains user accounts, orders, and related data. Data transfers are protected by Standard Contractual Clauses (SCCs). Neon's privacy policy: https://neon.tech/privacy-policy
6. International Data Transfers
Some of our third-party processors are located in the United States (Google, Vercel, Neon). When your personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-US Data Privacy Framework certification where applicable
Our payment processor (Mollie) and shipping provider (SendCloud) are both based in the Netherlands and process data within the EEA.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
Account Data
Your account information (name, email, hashed password) is retained for as long as your account is active. You may request deletion of your account at any time by contacting us.
Order and Payment Data
Order records, including guest checkout details and payment information, are retained for seven (7) years in accordance with Dutch fiscal record-keeping obligations (fiscale bewaarplicht).
Hashed IP Addresses
IP address hashes used for rate limiting are retained for the duration of the rate-limiting period (typically 24 hours) and are then automatically discarded.
Session Cookies
Session cookies expire when you close your browser or when you log out.
9. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
• Passwords are hashed using bcrypt with a cost factor of 10 — we never store passwords in plain text
• IP addresses are hashed using SHA-256 before storage — we do not store IP addresses in plain text
• All data is transmitted over HTTPS (TLS encryption)
• Authentication uses secure, HTTP-only session cookies
• Rate limiting is applied to registration and checkout to prevent abuse
• Payment card details are handled entirely by Mollie on their PCI DSS-compliant hosted payment pages and never reach our servers
• We employ email enumeration prevention to protect user accounts
10. Your Rights Under GDPR
As a data subject under the GDPR/AVG, you have the following rights regarding your personal data:
• Right of access (Article 15) — You may request a copy of all personal data we hold about you.
• Right to rectification (Article 16) — You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17) — You may request deletion of your personal data, subject to legal retention obligations.
• Right to restriction of processing (Article 18) — You may request that we limit the processing of your data under certain conditions.
• Right to data portability (Article 20) — You may request to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Article 21) — You may object to processing based on legitimate interest.
• Right to withdraw consent (Article 7) — Where processing is based on consent (e.g. Google Sign-In), you may withdraw your consent at any time.
To exercise any of these rights, please contact us at collectorsrealm97@gmail.com. We will respond to your request within one (1) month, as required by law.
If you believe that we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
Netherlands
Telephone: +31 (0)70 888 85 00
Website: https://www.autoriteitpersoonsgegevens.nl
11. Children's Privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. In the Netherlands, the age of digital consent under the GDPR is 16 years.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as soon as possible. If you believe that a child under 16 has provided us with personal data, please contact us at collectorsrealm97@gmail.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this Privacy Policy periodically. Your continued use of our website after any changes constitutes your acceptance of the updated policy.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Collector's Realm
Attn: Laura Garritsen
Schouwburgplein 52
7001 DJ Doetinchem
Netherlands
Email: collectorsrealm97@gmail.com
For complaints, you may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://www.autoriteitpersoonsgegevens.nl.
