Privacy Policy

Introduction

We attach paramount importance to respecting your privacy and protecting your personal data. This privacy policy details our commitments and your rights regarding the use of this site and our services.

Detailed privacy policy

Who is responsible for processing your data?

We are responsible for processing your personal data on this website. This means that we decide why and how your data is collected and used. Our company is registered in Belgium and we strictly comply with the General Data Protection Regulation (GDPR) and the Belgian law of July 30, 2018, on the protection of individuals. If you have any questions, you can contact our Data Protection Officer (DPO) at: dpo@cold-vibes.org.

What is personal data and why do we collect it?

Personal data is any information that can be used to identify you directly or indirectly: your name, email address, phone number, IP address, or even your browsing history on our site. We collect this information only when necessary: to process your orders, deliver your products, answer your questions, improve your experience on our site, comply with our legal obligations (accounting, taxation), and ensure the security of our platform. We never collect data without a legitimate reason, and we always limit our collection to the strict minimum.

What data do we collect and for what purposes?

We collect different types of data depending on your interactions with our site:

  • For your registration and orders: last name, first name, mailing address, email address, phone number, purchase history, payment details.
  • To improve your experience: technical cookies (essential for the site to function), analytical cookies (to understand how you browse, with your consent).
  • For our customer relations: your communications with our customer service department by email or telephone.
  • To comply with the law: accounting and tax data that we are required to keep for 10 years under Belgian law.
  • For security purposes: IP address, connection logs to protect our site against fraud and intrusions.
  • For marketing purposes (only with your consent): newsletters and commercial communications.

Each piece of data has a specific and legitimate purpose. We do not collect anything “just in case.”

Who can access your data?

Your data is never sold or rented to third parties. It is only accessible to:

  • Our employees: strictly limited to those who need it for their work (customer service, accounting, logistics).
  • Our technical partners: web host, secure payment processor, delivery carriers. All these partners are bound by strict confidentiality agreements and comply with the GDPR.
  • The Belgian authorities: only if required by law (tax authorities, courts).

We never transfer your data outside the European Union, unless the recipient country offers equivalent guarantees of protection (European Commission adequacy decision or standard contractual clauses).

General Data Protection Regulation (GDPR) – Compliance with Belgian legislation

Categories of data collected: We collect and process the following categories of personal data: (a) Identity data: last name, first name, date of birth, gender; (b) Contact data: postal address, email address, phone number; (c) Transactional data: order history, payment details, invoice numbers; (d) Connection data: IP address, login credentials, browsing data, cookies, and other similar technologies; (e) Communication data: email or telephone correspondence with our customer service department; (f) Technical data: browser type, operating system, screen resolution.

Legal basis for processing: In accordance with the GDPR and the Belgian law of July 30, 2018 on the protection of individuals with regard to the processing of personal data, our processing is based on the following legal grounds: (a) Consent: for sending newsletters, marketing communications, and the use of certain non-essential cookies; (b) Performance of a contract: for processing your orders, delivering products, invoicing, and managing after-sales service; (c) Legal obligation: for the storage of accounting and tax data in accordance with Belgian law; (d) Legitimate interest: for fraud prevention, site security, improvement of our services, and anonymized statistical analysis.

Collection process and purposes: Your data is collected via: (a) Online forms: when creating an account, placing an order, subscribing to the newsletter, contacting customer service, for the purposes of managing the commercial relationship, processing orders, and communications; (b) Website browsing: via technical cookies (necessary for the website to function), analytical cookies (anonymized usage statistics), and marketing cookies (with prior consent), to improve the user experience and personalize content; (c) Transactions: during payment and delivery, to execute the sales contract and comply with Belgian accounting and tax obligations; (d) Communications: emails and calls with our service, to process requests and improve our services.

Recipients of the data: Your personal data is accessible internally to: (a) Authorized personnel: employees of our company strictly within the scope of their duties (customer service, accounting, logistics); (b) Subcontractors: technical service providers (web hosting, payment processing, delivery carriers), bound by confidentiality agreements and subject to the same GDPR obligations; (c) Authorities: in the event of a legal obligation, communication to Belgian tax, judicial, or administrative authorities. No data is transferred outside the European Union unless the country benefits from an adequacy decision by the European Commission or appropriate safeguards (standard contractual clauses) are in place.

Retention periods: Your data is retained for the following periods, in accordance with Belgian law: (a) Customer account data: for the duration of the commercial relationship and up to 3 years after the last order, unless a request for deletion is made; (b) Accounting and tax data: 10 years from the end of the financial year, in accordance with the Belgian Companies and Associations Code; (c) Cookies: variable duration depending on the type (session, maximum 13 months for analytical and marketing cookies); (d) Prospecting data: 3 years from the last contact or withdrawal of consent; (e) Archives in the event of a dispute: until the expiry of the legal limitation periods. After these periods, the data is irreversibly deleted or anonymized.

Your rights regarding your personal data: In accordance with the GDPR and Belgian law, you have the following rights: (a) Right of access (Art. 15 GDPR): obtain confirmation that your data is being processed and access a copy of it; (b) Right to rectification (Art. 16 GDPR): correct inaccurate or incomplete data; (c) Right to erasure/right to be forgotten (Art. 17 GDPR): obtain the deletion of your data subject to legal retention obligations; (d) Right to restriction of processing (Art. 18 GDPR): request the temporary freezing of your data; (e) Right to object (Art. 21 GDPR): object to processing based on legitimate interest or commercial prospecting; (f) Right to data portability (Art. 20 GDPR): receive your data in a structured format and transmit it to another controller; (g) Right to withdraw your consent at any time, without affecting the lawfulness of prior processing; (h) Right to define post-mortem guidelines regarding the fate of your data after your death.

How to exercise your rights: To exercise any of your rights, you can: (a) Contact us by email at: dpo@cold-vibes.org; (b) Write to us by post at our head office address, marking your letter “Personal Data Protection”; (c) Access your customer account to modify certain information directly. We undertake to respond to your request within a maximum of one month, which may be extended by two months in complex cases. You may be asked to provide proof of identity. If you feel that your rights have not been respected, you can lodge a complaint with the Belgian Data Protection Authority (APD), Rue de la Presse 35, 1000 Brussels, or via their website: www.autoriteprotectiondonnees.be.

Security measures: We implement technical and organizational measures to ensure the security of your personal data: (a) SSL/TLS encryption: all communications between your browser and our server are encrypted; (b) Secure authentication: use of strong passwords and authentication mechanisms for data access; (c) Access control: access to data is limited to authorized persons on a “need-to-know” basis; (d) Regular backups: automated backup copies stored securely; (e) Updates: regular maintenance of our systems and application of security patches; (f) Firewalls and intrusion detection systems to protect against unauthorized access; (g) Staff training in best practices for security and data protection.

Procedure in the event of a data breach: Despite our security measures, in the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we undertake to: (a) Notify the Belgian Data Protection Authority (DPA) within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR; (b) Inform you directly and as soon as possible of the nature of the breach, the categories of data concerned, the likely consequences and the measures taken or proposed to remedy the breach; (c) Document any breach, its effects and the corrective measures taken; (d) Immediately implement all necessary actions to limit the negative consequences and prevent further breaches.

Consent

By using this site, you agree to these commitments and acknowledge that you have read and understood all the provisions of this privacy policy.

Non-Disclosure Agreement (NDA) – Compliance with Belgian law

This non-disclosure agreement (hereinafter “NDA”) is established in accordance with Belgian civil law (Belgian Civil Code, in particular Articles 1134 et seq. relating to contractual obligations), Belgian commercial law (Economic Law Code), the Belgian law of July 30, 2018, on the protection of trade secrets transposing Directive (EU) 2016/943, and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and the Belgian law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data.

Definition of Confidential Information: “Confidential Information” within the meaning of this agreement shall include all information, data, documents, knowledge, know-how, and elements of a technical, commercial, financial, strategic, operational, or personal nature, whether communicated in writing, orally, electronically, or by any other means, including: (a) Technical data: technical specifications, plans, diagrams, drawings, prototypes, manufacturing methods, industrial processes, formulas, algorithms, software source code and object code, system architecture, technical documentation, test reports and test results; (b) Commercial and financial data: commercial strategies, development plans, market studies, competitive analyses, lists of customers and prospects, sales data, prices, margins, budgets, financial forecasts, balance sheets, income statements, commercial contracts, pricing conditions; (c) Intellectual property data: patented or unpatented inventions, patent applications, trademarks, designs and models, copyrights, domain names, trade secrets, know-how, creative concepts, product or service ideas, research and development projects; (d) Personal data: in accordance with the GDPR, any information relating to identified or identifiable natural persons (surname, first name, address, contact details, health data, personal financial data, etc.).

Scope of the confidentiality obligation: The parties undertake to: (a) Maintain strict confidentiality regarding all Confidential Information brought to their attention; (b) Not disclose, publish, communicate, transmit, disseminate, or reveal, directly or indirectly, all or part of the Confidential Information to unauthorized third parties without the prior express written consent of the owner of such information; (c) Not reproduce, copy, duplicate, or record the Confidential Information, except as strictly necessary for the performance of contractual obligations and with the prior consent of the owner; (d) Not use the Confidential Information for purposes other than those defined within the framework of the contractual relationship; (e) Refrain from any act that could compromise the confidentiality or integrity of the Confidential Information; (f) Return or destroy, in accordance with the holder's instructions, all Confidential Information and any copies, media, and derivatives thereof at the end of the contractual relationship or upon request. This confidentiality obligation is absolute, except in the case of a legal, regulatory, judicial, or administrative obligation that is expressly enforceable.

Persons and entities subject to confidentiality obligations: Confidentiality obligations apply to: (a) All employees, officers, directors, and representatives of our company who have access to Confidential Information in the course of their duties; (b) All our subcontractors, service providers, consultants, business partners, suppliers, and contractual intermediaries, who are bound by equivalent confidentiality clauses incorporated into their respective contracts, in accordance with the requirements of Article 28 of the GDPR for personal data processors; (c) Any natural or legal person who has access, directly or indirectly, to Confidential Information in the context of their relationship with our company. We undertake to ensure that all the above-mentioned persons and entities comply with these confidentiality obligations and to take all necessary measures to ensure their effective compliance.

Duration of the confidentiality obligation: The confidentiality obligation takes effect upon disclosure of the Confidential Information and remains in force: (a) Throughout the duration of the contractual relationship between the parties; (b) And for a period of five (5) years from the date of definitive termination of the contractual relationship, regardless of the cause (termination, expiration, cancellation, rescission), in accordance with the provisions of the Belgian law of July 30, 2018, on trade secrets. This period may be extended for certain categories of Confidential Information whose strategic or commercial value continues beyond this period, or when applicable legislation imposes longer retention periods (in particular for accounting and tax data: 10 years in accordance with the Belgian Companies and Associations Code). The obligation ceases only when the information enters the public domain by lawful means, regardless of any breach of this agreement.

Legal exceptions to the confidentiality obligation: The confidentiality obligation does not apply to information that: (a) Is or becomes public without breach of this agreement by the receiving party; (b) Was legitimately in the possession of the receiving party prior to its disclosure by the owner, as evidenced by prior written proof; (c) Is lawfully and independently obtained from a third party not itself subject to a confidentiality obligation; (d) Is independently developed by the receiving party without use of or reference to the owner's Confidential Information; (e) Must be disclosed pursuant to a legal or regulatory obligation, a court order, an administrative order, or a request from a competent public authority, provided that the party required to disclose the information promptly notifies the owner in advance, unless such notification is itself prohibited by law, and limits the disclosure to what is strictly necessary; (f) Is subject to the prior express written consent of the owner of the Confidential Information authorizing its disclosure or use.

Measures to protect Confidential Information: In order to ensure the effective protection of Confidential Information, we implement the following measures: (a) Technical measures: encryption of sensitive data in transit (SSL/TLS) and at rest (AES-256 or equivalent); strict access control based on the “need-to-know” principle with multi-factor authentication for sensitive access; firewalls, intrusion detection and prevention systems (IDS/IPS); regular encrypted and tested backups; logging and auditing of access and modifications; regular system updates and application of security patches; logical and physical separation of production, testing, and development environments; (b) Organizational measures: contractual confidentiality agreement signed by all employees and partners with access to Confidential Information; regular training and awareness-raising for staff on confidentiality obligations and good security practices; access management policy with immediate revocation in the event of termination of employment; procedures for managing security incidents and breaches of confidentiality; periodic internal and external compliance audits; appointment of a Data Protection Officer (DPO) who can be contacted at dpo@cold-vibes.org in accordance with Article 37 of the GDPR; (c) Contractual measures: systematic inclusion of confidentiality clauses in all contracts with subcontractors, partners, and service providers, with the obligation to pass on these requirements to their own subcontractors; regular verification of compliance with these obligations by our partners.

Consequences of breaching the confidentiality obligation: Any breach of the confidentiality obligation set out in this agreement constitutes a serious breach of contract that may render the perpetrator liable and result in the following consequences: (a) Immediate notification: the party responsible for the breach must immediately inform the owner of the Confidential Information and provide full details of the nature, extent, and circumstances of the breach; (b) Immediate corrective measures: implementation of all necessary actions to stop the breach, limit its effects, recover the disclosed information, and prevent any recurrence; (c) Contractual liability: breach of the confidentiality obligation may result in immediate termination of the contract at the sole fault of the party at fault, without prejudice to any other rights and remedies; (d) Tortious or quasi-tortious liability: in accordance with Articles 1382 et seq. of the Belgian Civil Code, the party at fault is required to fully compensate the owner of the Confidential Information for any damage caused; (e) Compensation: the owner may claim compensation for all direct and indirect damages resulting from the breach, including in particular: loss of turnover, damage to reputation, commercial damage, costs of implementing corrective measures, legal fees; (f) Criminal penalties: in the event of an intentional violation constituting an infringement of trade secrets, criminal proceedings may be brought in accordance with Articles 309 to 314 of the Belgian Criminal Code and the Law of July 30, 2018, which may result in imprisonment and/or fines; (g) Precautionary and judicial measures: the owner may request the president of the competent commercial court or corporate court, ruling in summary proceedings, to take any precautionary and emergency measures (prohibition of disclosure, seizure, sequestration, penalty payment) to stop the violation and preserve their rights; (h) Personal data breaches: in the event of a personal data breach, application of the specific provisions of the GDPR, in particular notification to the Belgian Data Protection Authority (DPA) within 72 hours, information to the persons concerned, and administrative penalties of up to €20 million or 4% of global annual turnover.

Applicable law and competent jurisdiction: This non-disclosure agreement is governed by and interpreted in accordance with Belgian law. In the event of a dispute relating to the interpretation, performance, or breach of this agreement, the parties shall endeavor to find an amicable solution. If no amicable agreement is reached within thirty (30) days of notification of the dispute by one of the parties, exclusive jurisdiction shall be assigned to the courts of the judicial district of Liège, Belgium, notwithstanding multiple defendants or the introduction of third parties. For any questions relating to the protection of personal data, data subjects may also lodge a complaint with the Belgian Data Protection Authority (APD), Rue de la Presse 35, 1000 Brussels, or via their website: www.autoriteprotectiondonnees.be.