Data controller
GradePurity is the data controller for personal data processed via this website.
For privacy-related queries: privacy@gradepurity.com.
What data we collect
When you place an order we process: first and last name, e-mail address, phone number, shipping address, payment data (via our payment service provider — we never see full card numbers) and the IP address from which the order was placed.
For newsletter sign-ups: e-mail address and optionally a name.
For general website use: technical data through cookies (see our cookie policy).
Purpose and legal basis
We process your data on the following legal grounds (Art. 6 GDPR):
Performance of the contract — for order handling, delivery and customer communication.
Legal obligation — for tax administration (7-year retention requirement).
Legitimate interest — for fraud prevention, webshop security and product improvement.
Consent — for marketing cookies and newsletter messaging. You can withdraw consent at any time.
Retention periods
Order data: 7 years (tax retention requirement).
Account and contact data: up to 2 years after last activity.
Newsletter sign-up: until unsubscribe.
Website cookies: varies per cookie (see cookie policy).
After the retention period, data is securely deleted or anonymised.
Sharing with third parties
We only share your data with parties strictly needed to perform the contract. We have a data-processing agreement in place with all of them:
Payment service provider (TagadaPay / Mollie) for payment handling.
Carrier (PostNL or equivalent) for delivery.
E-mail provider for transactional mail and newsletter.
Hosting provider for the webshop infrastructure.
We never sell your data to third parties for marketing purposes.
International transfers
Where a processor is located outside the European Economic Area (EEA), we ensure appropriate safeguards via the European Commission's Standard Contractual Clauses (SCCs).
Security
We apply appropriate technical and organisational measures: TLS encryption across the entire site, access restrictions on personal data, periodic backups and monitoring for suspicious activity. In the unlikely event of a data breach, we notify the Dutch Data Protection Authority within 72 hours and, where required, the affected individuals.
Your rights
Under the GDPR you have the right to:
Access the data we hold about you (Art. 15).
Rectification of inaccurate data (Art. 16).
Erasure of your data (Art. 17), unless we have a legal retention obligation.
Restriction of processing (Art. 18).
Data portability — a copy of your data in a common format (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time, without affecting the lawfulness of prior processing.
Requests via privacy@gradepurity.com. We respond within 30 days.
File a complaint
Not happy with how we handle your data? You always have the right to file a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl, or with the supervisory authority of your country of residence.