Privacy policy
Last updated: October 2025
Controller
Dutchblue.com Ltd.
Parizhka Komuna 26, Floor 9, 9000 Varna, Bulgaria
Website: www.varnalux.com
Data Protection Contact
Email: [email protected]
What Data We Process and Why
We process personal data only when necessary to operate and improve our shop and to provide our services. This includes:
- Orders: delivery name, address, company details, VAT (if provided), email, phone (optional) to process and deliver your purchase and handle returns/warranty.
- Payments: order reference and payment details (we do not store full card data) to complete transactions and prevent fraud.
- Customer support: data you provide via contact forms or email to respond to your request.
- Newsletter/marketing (optional): email address to send updates and offers (only with your consent; unsubscribe anytime).
- Security logs: server logs (e.g., IP address, timestamp, URLs) to maintain security and diagnose issues.
- Cookies/analytics (consent-based): usage data to understand and improve site performance.
Legal Bases (Art. 6 GDPR)
- Contract performance – processing orders, deliveries, returns (Art. 6(1)(b)).
- Legal obligation – tax/commercial retention (Art. 6(1)(c)).
- Consent – newsletter, non-essential cookies/analytics (Art. 6(1)(a)).
- Legitimate interests – security logs, fraud prevention (Art. 6(1)(f)).
Sharing with Third Parties
We do not sell personal data. We share data only when necessary to provide our services:
- Shipping carriers: e.g., DPD, DHL, GLS (address/contact for delivery).
- Payment processors: banks, card processors, ADYEN (transaction processing and fraud prevention).
- Email service (newsletter): Mailchimp (The Rocket Science Group LLC) for opt-in communications.
- Hosting/IT providers: infrastructure and maintenance within the EU/EEA where possible.
All processors are bound by data processing agreements (Art. 28 GDPR). Data is kept within the EU/EEA unless stated otherwise below.
International Transfers
If we use Mailchimp for newsletters, data may be transferred to the USA. Mailchimp participates in the EU–U.S. Data Privacy Framework (adequacy decision; Art. 45 GDPR). Where required, we also implement appropriate safeguards.
Retention Periods
- Order invoice data: up to 10 years (statutory retention).
- Customer support messages: up to 12 months after resolution.
- Newsletter data: until you unsubscribe (or consent withdrawal).
- Security logs: up to 30 days unless longer needed to investigate incidents.
- Cookies: per your choices (see Cookie Policy for durations).
Cookies and Tracking
We use cookies and similar technologies. Essential cookies are required for the site to function. Non-essential cookies (analytics/marketing) are used only with your consent via our cookie banner, which you can change or withdraw at any time. Details are described in our Cookie Policy.
Analytics
If you consent, we use privacy-friendly analytics (e.g., Google Analytics 4 with IP anonymization) to measure traffic and improve our site. You can withdraw consent anytime via the cookie settings.
Newsletter and Marketing Emails
We send newsletters only if you explicitly subscribe (double opt-in). You can unsubscribe at any time via the link in each email or by contacting [email protected]. Provider: Mailchimp, acting as our processor under GDPR.
Your Rights (GDPR Arts. 12–22)
- Access to your data
- Rectification of inaccurate data
- Erasure (“right to be forgotten”)
- Restriction of processing
- Data portability
- Objection to processing based on legitimate interests
- Withdrawal of consent at any time (does not affect prior lawful processing)
To exercise your rights, contact: [email protected].
Supervisory Authorities (Information for EU Consumers)
You can lodge a complaint with your local data protection authority. Examples:
- Austria: Datenschutzbehörde
- Belgium: Autorité de protection des données / Gegevensbeschermingsautoriteit
- France: CNIL
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Netherlands: Autoriteit Persoonsgegevens
You may also contact the Bulgarian Commission for Personal Data Protection (our country of establishment).
Security
We use SSL/TLS encryption and appropriate technical and organizational measures to protect data against loss, misuse, and unauthorized access. Our measures are reviewed regularly.
Children
Our services are not directed to children. We do not knowingly collect data from children. If you believe a child has provided personal data, please contact us to delete it.
Changes to this Policy
We may update this Privacy Policy to reflect legal, technical, or business changes. The latest version is always available on this page.
