Privacy Policy

Last updated: 27/11/2025

This Privacy Policy explains how Laroto Merch Lab (“we”, “us”, “our”) collects, uses and protects personal data in compliance with the General Data Protection Regulation (EU 2016/679) (“GDPR”) and applicable Belgian law.

1. Data Controller

The data controller responsible for processing your personal data is:

Laroto Merch Lab
Address: Slachthuislaan 10, Leuven, Belgium
Email: [Email]
VAT number: [VAT]
Website: [Website URL]

2. Personal Data We Collect

We may collect the following categories of personal data:

2.1 Information you provide

  • Name and surname
  • Billing and shipping address
  • Email address
  • Phone number
  • Order details
  • Messages and design files submitted during communication
  • Payment-related information (we do not store card or bank details; these are handled by the payment provider)

2.2 Automatically collected data

When visiting our website, certain information may be collected automatically:

  • IP address
  • Browser type and version
  • Device information
  • Cookie data
  • Website usage statistics (analytics)

3. Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract performance (Article 6(1)(b) GDPR): to process and deliver your order.
  • Legal obligation (Article 6(1)(c) GDPR): bookkeeping and tax requirements.
  • Legitimate interest (Article 6(1)(f) GDPR): website security, analytics, fraud prevention.
  • Consent (Article 6(1)(a) GDPR): newsletters or optional marketing communications.

4. How We Use Your Data

Your personal data may be used for:

  • Processing and fulfilling orders
  • Handling payments
  • Communicating with you about your order
  • Shipping and delivery purposes
  • Customer support and service
  • Improving our website and services
  • Sending newsletters, if you have opted in
  • Internal record keeping and compliance with legal obligations

We do not use your data for automated decision-making or profiling.

5. Data Sharing

We only share personal data when necessary for the operation of our business:

  • Payment providers: to process payments securely
  • Shipping companies: to deliver your order
  • Website hosting providers
  • Accounting or invoicing tools, if used
  • IT and security service providers, if relevant

We do not sell, rent or trade personal data.

All third-party providers are required to comply with GDPR.

6. International Data Transfers

We aim to keep data within the European Economic Area (EEA).
If a service provider stores data outside the EEA, appropriate safeguards (e.g., Standard Contractual Clauses) will be applied to ensure GDPR compliance.

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

  • Order information: 7 years, in accordance with Belgian accounting law
  • Customer accounts: until you request deletion
  • Newsletter subscriptions: until you unsubscribe
  • Cookies: according to the cookie policy and your browser settings
  • Design files: retained for potential reorders unless you request removal

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access: to request a copy of your data
  • Right to rectification: to correct inaccurate information
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent: for newsletter/marketing communications at any time

You can exercise these rights by contacting [Email].

You also have the right to file a complaint with the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit (GBA)
Website: https://www.gegevensbeschermingsautoriteit.be/