PRIVACY POLICY

1. Data Controller

Maison Noor Brussels (hereinafter: "we", "us" or "our") is the data controller for the personal data collected through the website noorbrussels.com.

Contact details: Maison Noor Brussels, Email: info@maisonnoorbrussels.com, VAT number: BE 1038456957

We have not appointed a Data Protection Officer (DPO) as we do not meet the thresholds set out in Article 37 GDPR. For all privacy-related questions, please contact us using the details above.

2. What Personal Data Do We Collect?

Depending on your interaction with our website, we collect the following categories of personal data:

2.1 Order and account data

• First and last name

• Billing and delivery address

• Email address

• Phone number

• Payment information (processed via certified payment service providers — we do not store full card details)

• Order history and purchase information

2.2 Technical and usage data

• IP address

• Browser type, version and operating system

• Device information

• Pages visited and click behaviour

• Referring URL

• Time of visit

2.3 Communication data

• Content of messages sent via our contact form

• Email correspondence with our customer service

• Data relating to complaints or return requests

2.4 Marketing data (subject to consent)

• Email address for newsletter

• Marketing preferences and unsubscribe history

3. Purposes and Legal Bases for Processing

We process your personal data for the purposes described below, on the basis of the indicated legal ground and subject to the applicable retention period.

3.1 Processing and fulfilling orders

Category of data: Order, invoice and delivery data
Legal basis: Art. 6(1)(b) GDPR — Performance of a contract
Retention period: 10 years (accounting obligation)

3.2 Payment processing

Category of data: Payment information
Legal basis: Art. 6(1)(b) GDPR — Performance of a contract
Retention period: 10 years

3.3 Customer service and complaint handling

Category of data: Communication data
Legal basis: Art. 6(1)(b) & Art. 6(1)(f) GDPR
Retention period: 3 years after resolution

3.4 Legal accounting and tax obligations

Category of data: Invoice data
Legal basis: Art. 6(1)(c) GDPR — Legal obligation
Retention period: 10 years (Belgian Income Tax Code, VAT Code)

3.5 Fraud prevention and security

Category of data: Technical data and order patterns
Legal basis: Art. 6(1)(f) GDPR — Legitimate interest
Retention period: Maximum 6 months

3.6 Website analysis and optimisation

Category of data: Technical and usage data
Legal basis: Art. 6(1)(a) GDPR — Consent (via cookie consent)
Retention period: Max. 26 months (Google Analytics)

3.7 Sending newsletters and promotional emails

Category of data: Email address and marketing preferences
Legal basis: Art. 6(1)(a) GDPR — Consent
Retention period: Until withdrawal of consent or 3 years of inactivity

3.8 Personalised advertising (retargeting)

Category of data: Technical and usage data
Legal basis: Art. 6(1)(a) GDPR — Consent
Retention period: In accordance with cookie policy, max. 13 months

4. Cookies and Similar Technologies

Our website uses cookies. A cookie is a small file stored on your device when you visit our website. We use the following categories of cookies:

• Strictly necessary cookies: required for the operation of the website (shopping cart, login, payment process). These cookies do not require consent.

• Analytical cookies: measure website usage (e.g. Google Analytics). Require your consent.

• Marketing cookies: used for targeted advertising via social media and advertising networks. Require your consent.

• Preference cookies: remember your language settings and other preferences. Require your consent.

You can manage your cookie preferences at any time via the cookie banner or your browser settings. Refusing non-essential cookies does not affect your ability to make purchases.

We recognise the Global Privacy Control (GPC) signal as a valid opt-out request for non-essential processing.

5. Sharing Personal Data with Third Parties

We only share your personal data with third parties where necessary and always on the basis of a legal ground. The categories of recipients are:

• Squarespace: technical platform for our webshop.

• Payment service providers (e.g. Mollie, Stripe, Bancontact/Payconiq): processing of payments. PCI-DSS certified.

• Logistics partners and courier services (e.g. bpost, DHL, FedEx): fulfilment of deliveries.

• Email marketing services (e.g. Klaviyo, Mailchimp): sending newsletters — only on the basis of consent.

• Analytics services (e.g. Google Analytics): website statistics — only on the basis of consent via cookie consent.

• Accountants and legal advisors: for the fulfilment of legal obligations, under a duty of confidentiality.

• Government authorities: only where required by law (e.g. tax obligations, court order).

We never sell your personal data to third parties for commercial purposes.

6. International Transfers of Personal Data

Some of our service providers (such as Shopify and Google) process personal data outside the European Economic Area (EEA), in particular in the United States. We ensure an adequate level of protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914);

• Adequacy decisions by the European Commission where applicable;

• Data Processing Agreements (DPAs) with all external processors.

7. Security of Your Personal Data

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse, including:

• SSL/TLS encryption for all data transactions on our website (HTTPS)
• Access controls and minimisation of privileges (need-to-know principle)
• Regular security audits
• Pseudonymisation of analytical data where possible
• Careful selection of processors that apply appropriate security measures

Please note that no transmission over the internet is entirely secure. If you have reason to believe that your interaction with us is not secure, please contact us immediately at [your email address].

In the event of a data breach that may pose risks to your rights and freedoms, we will notify the Data Protection Authority within 72 hours (Art. 33 GDPR) and inform you personally where required (Art. 34 GDPR).

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights with regard to your personal data:

• Right of access (Art. 15 GDPR): you may request a copy of the personal data we process about you.

• Right to rectification (Art. 16 GDPR): you may have inaccurate or incomplete data corrected.

• Right to erasure / right to be forgotten (Art. 17 GDPR): you may request the deletion of your data, unless statutory retention obligations apply.

• Right to restriction of processing (Art. 18 GDPR): you may request that the processing of your data be restricted in certain circumstances.

• Right to data portability (Art. 20 GDPR): you may receive your data in a structured, commonly used and machine-readable format.

• Right to object (Art. 21 GDPR): you may object to processing based on legitimate interest or for direct marketing purposes.

• Right not to be subject to automated decision-making (Art. 22 GDPR).

• Right to withdraw consent (Art. 7(3) GDPR): you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise a right, please send a request to info@maisonnoorbrussels.com stating your name, email address and the specific request. We will respond within 30 days (extendable by 60 days for complex requests, with notice).

9. Complaints

If you believe that we are not processing your personal data lawfully, please contact us at info@maisonnoorbrussels.com. We will endeavour to handle your complaint within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Belgian supervisory authority:

Data Protection Authority (GBA/APD)

Rue de la Presse 35, 1000 Brussels
Tel.: +32 2 274 48 00
Email: contact@apd-gba.be
Website: www.dataprotectionauthority.be

10. Minors

Our website is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and discover that your child has provided us with personal data, please contact us at info@maisonnoorbrussels.com to have that data deleted.

11. Links to Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy policy or content of these external websites. We recommend that you review the privacy policy of each website you visit separately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example in response to changes in our practices or in applicable legislation. The most recent version is always available at maisonnoorbrussels.com. The date of the last amendment is always shown at the top.

13. Contact Details

For any questions, requests or comments regarding this Privacy Policy or our data processing, please contact us at: info@maisonnoorbrussels.com.

This Privacy Policy has been drawn up in accordance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.