DRAFT: This document is provisional content and requires legal review before publication.
Privacy Policy
Last updated: 30 March 2026
1. Data Controller
The data controller responsible for your personal data is:
2. Information We Collect
We collect information you provide directly and information generated through your use of our services. The categories of personal data we process include:
2.1 Account Information
- Full name and email address
- Company name and business information
- Account credentials (passwords are stored in hashed form)
- Profile preferences and language settings
2.2 Store and Platform Data
- Store URL and platform API tokens (Shopify, Etsy, WooCommerce)
- Product catalog data synchronized from your store
- Order information for personalized products
2.3 Design and Product Data
- Product templates and design files you create
- Images, fonts, and media uploaded to the Design Studio
- Customer personalization data (text, images submitted by your customers)
2.4 Payment Information
- Billing address and company details
- Payment method details are processed and stored by Stripe; we do not store full card numbers
- Transaction history and invoices
2.5 Usage Data
- Pages visited, features used, and actions taken within the platform
- Device type, browser version, and operating system
- IP address and approximate geographic location
- Timestamps of access and interactions
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR) — Processing necessary to provide our services, manage your account, process payments, and fulfill our contractual obligations.
- Legitimate interests (Art. 6(1)(f) GDPR) — Processing for fraud prevention, security, product improvement, and analytics, where our interests do not override your rights.
- Legal obligation (Art. 6(1)(c) GDPR) — Processing required by tax, accounting, or other applicable laws.
- Consent (Art. 6(1)(a) GDPR) — Where required, such as for marketing communications. You may withdraw consent at any time.
4. How We Use Your Information
- Provide, maintain, and improve the Composerie platform and services
- Process transactions, send invoices, and manage subscriptions
- Route personalized orders to your connected print providers
- Generate production-ready print files from customer personalizations
- Send technical notices, security alerts, and support messages
- Respond to your comments, questions, and customer support requests
- Monitor platform performance, diagnose issues, and improve reliability
- Analyze usage patterns to improve features and user experience
- Detect, prevent, and address fraud, abuse, and security issues
- Comply with legal obligations and enforce our terms of service
5. Data Sharing and Third-Party Processors
We do not sell your personal information. We share data only with trusted third-party processors who assist in providing our services:
- Stripe: Payment processing, subscription management, invoicing (Location: US/EU)
- Cloudflare: CDN, DDoS protection, edge caching (Location: Global, EU primary)
- Resend: Transactional email delivery (Location: US)
- Print Providers: Order fulfillment (PrintAPI, Printify, etc.) (Location: Varies)
All processors are contractually obligated to protect your data and process it only as instructed by us.
6. International Data Transfers
Your data is primarily stored in EU data centers. When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under GDPR.
7. Data Security
We implement industry-standard security measures to protect your personal data:
- TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Regular security audits and vulnerability assessments
- Access controls with role-based permissions
- Secure authentication with hashed passwords
- Automated threat detection and monitoring
8. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
9. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18) — Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7) — Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Automated Decision-Making
We use automated processing for lead scoring during beta signup (to prioritize onboarding) and for fraud detection. These processes do not produce legal effects or similarly significant effects on you. You have the right to request human review of any automated decision.
11. Children's Privacy
Composerie is a business-to-business service designed for merchants aged 18 and older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
12. Cookies and Tracking
Our marketing website uses privacy-respecting analytics that do not require cookies for tracking. The Composerie application uses essential cookies only:
- Session cookies — Required for authentication and maintaining your login state.
- Preference cookies — Store your language, theme, and UI preferences.
- Security cookies — Used for CSRF protection and fraud prevention.
We do not use advertising or tracking cookies. For more details, see our Cookie Policy.
13. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30, 2594 AV The Hague, The Netherlands
Website: autoriteitpersoonsgegevens.nl
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on our website at least 30 days before the changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Email: [email protected]
Response time: within 30 days of receiving your request.