Privacy policy
Last updated: 19 April 2026
This Privacy Policy describes how Cirkle Planet SRL collects, uses, and protects your personal data when you visit cirkleplanet.com or place an order with us. It is drafted in line with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Belgian data protection law.
1. Who we are (data controller)
Cirkle Planet SRL ("we", "us", "our")
- Registered address: 4 rue des pères blancs, 1040 Brussels, Belgium
- VAT: BE0563713619
- Contact for privacy matters: via the contact page
We do not have a statutory DPO obligation (Art. 37 GDPR) given our size and processing. For any privacy question, use the contact form and mark your message as a privacy request.
2. What personal data we collect and why
| Purpose | Data collected | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Process your order and ship it | Name, shipping address, email, phone (optional) | Contract — Art. 6(1)(b) |
| Process payment | Payment method (handled by our payment processor) | Contract — Art. 6(1)(b) |
| Send order confirmation and tracking | Email, order data | Contract — Art. 6(1)(b) |
| Invoicing and accounting | Name, address, order history, VAT ID if business | Legal obligation — Art. 6(1)(c) |
| Newsletter and marketing emails | Email, first name, marketing preferences | Consent — Art. 6(1)(a) |
| Waitlist requests (new models or colours) | Email, first name, filter model of interest | Consent — Art. 6(1)(a) |
| Customer service | Name, email, content of your message | Contract / Legitimate interests — Art. 6(1)(b), 6(1)(f) |
| Fraud and abuse prevention | Order metadata, IP address | Legitimate interests — Art. 6(1)(f) |
| Website analytics (aggregated, pseudonymized) | Pseudonymized usage data | Legitimate interests — Art. 6(1)(f) |
We do not collect special category data (Art. 9 GDPR). We do not take automated decisions that produce legal or similarly significant effects about you (Art. 22).
3. Who we share data with (processors)
We only share data with service providers that are bound by a data processing agreement (Art. 28 GDPR). Our current processors are:
- Shopify Inc. — e-commerce platform hosting (data stored on Shopify's EU and Canadian infrastructure).
- Shopify Payments / Stripe — payment processing.
- Sendcloud — shipping label creation, carrier selection, and tracking management.
- Parcel carriers via Sendcloud — currently bpost, PostNL, DHL, DPD, UPS, GLS, Colissimo, and Mondial Relay. The carrier used for your order depends on the destination and the option you pick at checkout. This list may evolve.
- Shopify Email (or similar) — newsletter and transactional emails.
We never sell your personal data.
4. International transfers (Art. 44–49)
Some processors may store or process data on servers outside the European Economic Area (in particular Canada and the United States). For these transfers we rely on:
- European Commission adequacy decisions where applicable (for example, the EU–US Data Privacy Framework).
- Standard Contractual Clauses (SCCs, Art. 46(2)(c) GDPR) as a fallback safeguard.
A copy of the relevant safeguards is available on request.
5. How long we keep your data (Art. 5(1)(e))
| Data | Retention period |
|---|---|
| Order and invoice records | 7 years (Belgian accounting law) |
| Customer account | For the life of the account, plus 2 years after last activity |
| Marketing consent and unsubscribe records | Active consent until you withdraw, then 3 years as proof |
| Waitlist entries | Until the requested model is released and you have been contacted, or until you unsubscribe |
| Contact form messages | 2 years after last exchange |
| Website and security logs | 90 days |
Data is securely deleted or anonymized at the end of the retention period, unless a legal hold applies.
6. Your rights (Art. 15–22)
Under GDPR you have the right to:
- Access your data (Art. 15) — receive a copy of the data we hold about you.
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data in certain cases (Art. 17).
- Restrict processing in certain cases (Art. 18).
- Data portability — receive your data in a structured, machine-readable format and transfer it to another controller (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Object to direct marketing at any time (Art. 21(2)) — absolute right, no justification required.
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise these rights, contact us via the contact page. We respond within one calendar month (Art. 12(3)), extendable by two further months for complex or numerous requests.
To unsubscribe from marketing emails, click the unsubscribe link at the bottom of any email or email us directly.
7. Right to lodge a complaint
If you believe we have mishandled your data, you have the right to lodge a complaint with the Belgian supervisory authority:
- Autorité de protection des données / Gegevensbeschermingsautoriteit
- Rue de la Presse 35, 1000 Brussels
- contact@apd-gba.be
- autoriteprotectiondonnees.be / gegevensbeschermingsautoriteit.be
You may also complain to the supervisory authority of your country of residence.
8. Cookies and similar technologies
Our website uses cookies in the following categories:
- Strictly necessary: cart, session, security. These cannot be turned off — they are required for the site to work.
- Analytics: aggregated, pseudonymized usage data. Enabled only with your consent.
We do not use advertising or cross-site tracking cookies. A cookie banner lets you manage your choices, and you can change them at any time via the cookie settings link in the footer.
9. Security (Art. 32)
We apply technical and organizational measures in line with Art. 32 GDPR, including:
- HTTPS encryption for all traffic between your browser and our site.
- Restricted admin access with strong authentication.
- Reliance on Shopify's security infrastructure (PCI-DSS Level 1 for payments).
- Regular review of access rights and processor contracts.
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours (Art. 33) and inform you directly where required (Art. 34).
10. Children
Our products and website are not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has submitted data to us, contact us and we will delete it.
11. Use of artificial intelligence (EU AI Act)
We do not operate any AI system that processes your personal data to take decisions about you. We do not profile visitors, do not use AI-driven personalisation, and do not use generative AI to handle your customer service messages without a human in the loop.
Some of the third-party platforms we rely on (for example, Shopify's fraud-analysis features) may use machine-learning models as part of their infrastructure. Where this is the case, the relevant provider acts as a controller or processor for that specific processing and publishes its own information under the EU AI Act (Regulation 2024/1689) and the GDPR. We link to the relevant provider notices in section 3 above.
If we later introduce an AI feature that changes this (for example, an AI-assisted product recommender or chatbot), we will update this section, identify the AI system and its provider, explain the lawful basis, and — where the system is classified as high-risk under the EU AI Act — meet the transparency and oversight obligations that apply.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is posted at cirkleplanet.com/policies/privacy-policy with a "last updated" date. For material changes, we notify active subscribers by email.