Privacy Policy
1. Who We Are
Data Controller: Arthusiasm BV · [Address — to be completed] · Belgium
Email: privacy@arthusiasm.be
2. Data We Collect
Account data
- Name, email, password hash (never plain text)
- Profile info: bio, location, website (sellers)
- Profile photo (optional)
Transaction data
- Purchase and sales history
- Shipping addresses
- Payment details (processed by Stripe — we never store card numbers)
Usage data
- IP address, browser type, device
- Pages visited, search queries (analytics only with consent)
Communications
- Messages between buyers and sellers
- Support emails and DSA reports
3. How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Account creation & authentication | Email, password, name | Contract performance |
| Processing transactions | Payment data, shipping address | Contract performance |
| Customer support | Account data, messages | Legitimate interest |
| Fraud prevention | IP address, usage patterns | Legitimate interest |
| Legal compliance | Transaction records | Legal obligation |
| Platform analytics | Usage data (anonymised) | Consent |
| Marketing emails | Email, purchase history | Consent |
| DSA content moderation | Reports, flagged content | Legal obligation |
4. Legal Basis for Processing
- Contract (Art. 6(1)(b)): Account and transaction processing
- Legal obligation (Art. 6(1)(c)): Tax records, DSA, anti-money laundering
- Legitimate interest (Art. 6(1)(f)): Fraud prevention, security, support
- Consent (Art. 6(1)(a)): Analytics cookies, marketing — withdrawable at any time
5. Data Sharing
- Stripe: Payment processing — Stripe Privacy Policy
- Cloudflare R2: Image storage and CDN
- Email provider: Transactional emails
- Belgian authorities: When required by law or court order
We do not sell personal data. We do not share data with advertisers.
6. Cookies
- Necessary: Session authentication, CSRF — always active
- Analytics: Anonymous usage stats — only with consent
- Marketing: Targeted advertising — only with explicit consent
Manage preferences via Cookie Settings.
7. Data Retention
- Account data: Active period + 2 years after closure
- Transaction records: 7 years (Belgian VAT law)
- Messages: 2 years from last activity
- Analytics: Maximum 26 months (anonymised)
- DSA reports: 18 months from resolution
8. Your Rights
Under GDPR you have the right to:
- Access (Art. 15) — request a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion
- Restriction (Art. 18) — limit processing
- Portability (Art. 20) — receive data in machine-readable format
- Objection (Art. 21) — object to legitimate-interest processing
Email privacy@arthusiasm.be. We respond within 30 days. You may also complain to the Belgian Data Protection Authority.
9. Children
The Platform is not intended for users under 18. We do not knowingly collect data from children and will delete it promptly if discovered.
10. Security
- TLS/HTTPS encryption for all data in transit
- Passwords stored as secure cryptographic hashes
- Payment data processed exclusively by Stripe (PCI DSS Level 1)
- Access controls and regular security reviews
Report vulnerabilities to security@arthusiasm.be.
11. International Transfers
Stripe and Cloudflare may process data outside the EEA. We ensure appropriate safeguards (EU Standard Contractual Clauses or adequacy decisions) are in place.
12. Changes to This Policy
We will notify registered users by email at least 14 days before material changes take effect. The current version is always at arthusiasm.be/privacy.html.
13. Contact
Privacy: privacy@arthusiasm.be
Security: security@arthusiasm.be
Arthusiasm BV · [Address] · Belgium