Privacy Policy

Last updated: 12 May 2026

This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. We have written it in plain English so that it is easy to understand regardless of where you live.

1. Who We Are

This website, pictoorstudio.com, is operated by Novarex Commerce B.V., a company registered in the Netherlands under Chamber of Commerce number (KVK) 98212834 and VAT identification number NL005315968B59. We trade under the name Pictoor Studio.

For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, Novarex Commerce B.V. is the data controller responsible for your personal data. For the purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we are the business.

Our contact address for all privacy-related matters is: support@pictoorstudio.com

2. What Personal Data We Collect

We collect only the data that is necessary to process and fulfil your order or to respond to your enquiries. We do not collect data speculatively or for marketing profiling.

Order data

  • Your full name and email address
  • Your delivery address including country
  • Your order details: the product chosen, size, frame type, and options selected
  • Your customisation inputs: the dates, text, or other content you enter into the frame designer to personalise your product

Payment data

We do not collect or store your payment card details at any point. Card numbers, CVV codes, and bank details are entered directly on a secure, hosted payment page operated by our payment processor and are never transmitted to or stored on our servers. We receive only a transaction reference number confirming that payment was successful.

Technical data

When you visit our website, your IP address is temporarily used to determine your approximate country. This is done solely to display prices in your local currency (for example, US dollars or euros). Your IP address is not stored in our database, is not linked to your order record, and is discarded after the currency has been determined for your session. The result — a currency code such as USD or EUR — is stored in a functional cookie in your browser for up to 30 days.

Communications

If you contact us by email or through any contact form, we collect your email address and the content of your message in order to respond to you.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Fulfilling your order: We use your name, address, and order details to produce your personalised frame and arrange delivery to you.
  • Order confirmation and shipping notifications: We send you a confirmation email when your order is placed and a shipping notification with tracking information when your order is dispatched. These are transactional emails directly related to your order. They are not marketing emails.
  • Customer support: We use your contact details and order information to respond to your questions or concerns.
  • Legal and accounting compliance: We retain order records as required by Dutch accounting law and any other applicable legal obligations.
  • Currency display: We use your IP address temporarily to determine your country and show you prices in the most relevant currency. This data is not stored.
  • Fraud prevention: We may use order information to detect and prevent fraudulent transactions.

We do not use your personal data for behavioural advertising, user profiling, or the creation of marketing segments. We do not send unsolicited marketing emails.

5. Who We Share Your Data With

We share your personal data only with the service providers listed below, and only to the extent necessary for them to perform their specific function. These providers act as data processors on our behalf and are contractually prohibited from using your data for any purpose other than providing their service to us.

Stripe Inc. — Payment Processing

Purpose: Securely processing your payment at checkout.

Data shared: Payment transaction data. Card details are entered directly on Stripe's hosted page and are never transmitted to us.

Location: United States. Stripe is PCI DSS certified.

Privacy policy: stripe.com/privacy

Mailgun Technologies — Email Delivery

Purpose: Delivering transactional emails such as your order confirmation and shipping notification.

Data shared: Your email address and the content of the transactional email.

Location: United States.

Privacy policy: mailgun.com/privacy-policy

Cloudflare Inc. — Network Security and Performance

Purpose: DNS resolution, network security, and protection against malicious traffic. All website traffic passes through Cloudflare's network.

Data shared: Your IP address and standard HTTP request data pass through Cloudflare's infrastructure as part of normal website operation.

Location: United States, with global infrastructure.

Privacy policy: cloudflare.com/privacy-policy

IP Geolocation Service

Purpose: Determining your approximate country from your IP address to display prices in your local currency.

Data shared: Your IP address only. No name, email, or other personal details are transmitted.

Retention: Your IP address is not stored by us or retained by the service beyond the duration of the lookup. Only the resulting currency code is stored, and only in a cookie in your browser.

Production and Fulfilment Partners

Purpose: Manufacturing your personalised frame print and shipping it to your address.

Data shared: Your full name, delivery address, and order reference number.

Retention: Partners are required to delete your personal data once your order has been fulfilled. They are prohibited from using your data for any purpose other than producing and shipping your order.

Our Server Infrastructure

Purpose: Hosting our website and storing order data.

Location: Our servers are located in the United States. Your order data — including your name, email address, delivery address, and order details — is stored on these servers.

6. International Data Transfers

For EU and UK customers: Our servers are located in the United States. When you place an order, your personal data is transferred to and stored in the United States. The United States does not have an adequacy decision from the European Commission that covers all US data recipients.

All transfers of your personal data to the United States are covered by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), or equivalent safeguards under UK GDPR. These clauses contractually require the receiving party to protect your data to a standard equivalent to EU/UK law.

You may request a copy of the relevant transfer safeguards applicable to your data by contacting us at support@pictoorstudio.com.

For all customers: We do not sell your personal data to any third party. We do not transfer your data to any country or organisation except as described in this policy and for the specific purposes listed above.

For Australian customers: Transfers to the United States are made with appropriate contractual safeguards consistent with the Australian Privacy Act 1988 and the Australian Privacy Principles.

For Canadian customers: Transfers of personal information outside Canada are made in accordance with PIPEDA, with contractual protections in place to ensure an equivalent level of protection.

7. How Long We Keep Your Data

  • Order data (name, email, address, order details, customisation inputs): retained for 7 years from the date of your order. This period is required by Dutch accounting law (Boek 2 BW art. 10 and Boek 3 BW art. 15i), which mandates that businesses retain financial records for a minimum of seven years. After this period, order data is permanently deleted.
  • Email communications (if you contact us directly): retained for 2 years from the date of the last communication, then permanently deleted.
  • IP address for currency detection: not stored in our database. Used in real time only. The IP address is discarded once the currency has been determined.
  • Currency preference cookie: stored in your browser only, for up to 30 days. Contains only a currency code (e.g. USD or EUR). Not stored on our servers.

Where we are required by law to retain data for a specific period, we will retain it for that period even if you request deletion. We will inform you of this if you make a deletion request that we cannot fully honour.

8. Your Rights — EU and UK Customers

If you are located in the European Union or the United Kingdom, you have the following rights under the GDPR and UK GDPR respectively. There is no charge for exercising these rights. We will respond to your request within 30 days of receipt. If we need more time, we will inform you.

  • Right of access (Article 15 GDPR): You have the right to ask us whether we hold personal data about you, and to receive a copy of that data along with information about how it is being used.
  • Right to rectification (Article 16 GDPR): If any personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.
  • Right to erasure — "right to be forgotten" (Article 17 GDPR): You have the right to ask us to delete your personal data. We will comply unless we are required by law to retain it — for example, Dutch accounting law requires us to keep order data for seven years. We will tell you what we can and cannot delete and why.
  • Right to restriction of processing (Article 18 GDPR): You may ask us to stop using your personal data in certain circumstances — for example, while you contest its accuracy or while you object to our processing.
  • Right to data portability (Article 20 GDPR): Where we process your data based on your contract with us, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transferred to another data controller where technically feasible.
  • Right to object (Article 21 GDPR): You have the right to object to processing based on legitimate interests. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or unless processing is necessary for legal claims.
  • No automated decision-making or profiling (Article 22 GDPR): We do not make any decisions about you using solely automated processing that produces legal or similarly significant effects. All decisions are made by people.

To exercise any of these rights, contact us at support@pictoorstudio.com. We may ask you to verify your identity before we respond.

EU customers — right to complain: If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens, at autoriteitpersoonsgegevens.nl. You may also lodge a complaint with the data protection authority in your country of residence.

UK customers — right to complain: UK customers may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Your Rights — California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) 2023 gives you specific rights regarding your personal information. These rights are as follows:

  • Right to know: You have the right to know what categories and specific pieces of personal information we have collected about you, the purposes for which we use it, the categories of sources from which it was collected, and the categories of third parties with whom we share it.
  • Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (for example, information we are legally required to retain).
  • Right to correct: You have the right to request that we correct inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing: We do not sell your personal information to any third party. We do not share your personal information for cross-context behavioural advertising. There is nothing to opt out of with respect to the sale or sharing of personal information.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA — we do not collect Social Security numbers, financial account numbers, precise geolocation, racial or ethnic origin, health data, sexual orientation, or biometric data.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. Exercising your privacy rights will not affect the price or quality of the products or services we offer you.

How to exercise your rights: Email us at support@pictoorstudio.com with your request. We will respond within 45 calendar days as required by CCPA. If we need additional time (up to a further 45 days), we will notify you of the extension and the reason for it.

Authorised agents: California residents may designate an authorised agent to submit a rights request on their behalf. We will require written confirmation of the authorisation before processing any request submitted by an agent.

Verification: To protect your personal information, we will verify your identity before processing a request. For deletion or access requests, we may ask you to provide the email address associated with your order.

10. Your Rights — Other Regions

Australia

If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles give you rights to access personal information we hold about you and to request correction of inaccurate information. To exercise these rights, contact us at support@pictoorstudio.com. If you are dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

Canada

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) gives you rights to access personal information we hold about you, to know how it is being used, to correct inaccurate information, and to withdraw consent to processing where we rely on consent as our legal basis. To exercise these rights, contact us at support@pictoorstudio.com. If you are dissatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

11. Do Not Track

We respect Do Not Track signals sent by your browser. We do not use tracking cookies, behavioural advertising technology, cross-site tracking, or any form of user profiling. This is true regardless of whether you have a Do Not Track signal enabled — we simply do not engage in these practices for any visitor.

12. Children's Privacy

Our website and products are not directed at children. We do not knowingly collect personal data from anyone under the age of 13, consistent with the Children's Online Privacy Protection Act (COPPA). We also do not knowingly collect personal data from anyone under the age of 16, consistent with GDPR Article 8.

If you believe that a child under 13 (or under 16 for EU/UK purposes) has submitted personal data to us, please contact us immediately at support@pictoorstudio.com and we will delete that information promptly.

13. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include encrypted data transmission (HTTPS), access controls limiting who can view customer data, and monitoring of our infrastructure for suspicious activity.

Our servers are located in a secure data centre in the United States. Payment data is processed entirely by our PCI DSS certified payment processor; it never reaches our servers and is never stored on them.

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. The date at the top of this page shows when the policy was last updated.

If we make material changes — changes that significantly affect how we process your personal data — we will notify you by email (if you have placed an order with us) or by a prominent notice on the website before the changes take effect. EU and UK customers will be asked to acknowledge any material changes where required by GDPR.

For non-EU and non-UK customers, continued use of our website after a policy update constitutes acceptance of the updated policy.

If you have any questions about this policy or our privacy practices, please contact us at support@pictoorstudio.com.

These terms were last reviewed in 2026. We recommend periodic review with a qualified legal professional familiar with the laws applicable to your business and customer base.