Skip to content

  • Vragen of advies? We helpen graag
  • Gecureerde collecties uit Parijs en Milaan
  • Gratis verzending binnen NL boven €150,-
  • /

Privacy policy

Last revised: 10 June 2026

This privacy statement (“Privacy Statement”) explains how Pauw B.V., established at Europaplein 37, 1078 GV Amsterdam, the Netherlands (“Pauw”, “we”, “us” or “our”), collects, uses, stores and shares personal data in connection with your use of our websites, digital services, communication channels or other interaction with us (collectively referred to as: the “Services”). This includes our web shop at pauw-live.myshopify.com, our business WhatsApp channels for customer contact, as well as other platforms operated by or on behalf of Pauw.

As a controller established in Europe, we process your personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable privacy legislation. Insofar as we transfer personal data to recipients outside the European Economic Area (“EEA”), this takes place solely on the basis of valid transfer mechanisms, such as an adequacy decision, the European Commission’s standard contractual clauses or — for transfers to the United States — certification under the EU-US Data Privacy Framework.

This Privacy Statement applies to all individuals whose data we process, including customers, website visitors and other data subjects. By using our Services, you confirm that you have read and agree to the terms of this Privacy Statement. We advise you to review this policy carefully.

1. Changes to this Privacy Statement

Pauw B.V. reserves the right to unilaterally amend or update this Privacy Statement at any time in order to comply with legal requirements, internal policy changes, technological developments or changes in the way we process personal data.

We will publish a revised version of this Privacy Statement on our website, updating the date of the last amendment at the top of the document.

If the changes are material in nature — for example, if they concern the purposes of processing, the categories of personal data involved, or the rights of data subjects — we will, where legally required, inform you in advance by e-mail or via a prominent notice on our website, so that you have the opportunity to take note of and, where applicable, give your consent to the amended terms.

We advise you to consult this Privacy Statement regularly so that you remain informed about how we process your personal data.

2. Controller of data processing

Unless expressly stated otherwise, Pauw B.V., established at Europaplein 37, 1078 GV Amsterdam, the Netherlands, is the controller for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR).

This privacy statement is primarily aimed at data subjects within the European Economic Area (EEA) and has been drawn up in accordance with the GDPR.

3. What personal data do we collect?

Pauw B.V. processes personal data obtained in various ways, depending on your interaction with our website and services. By ‘personal data’ we mean any information relating to an identified or identifiable natural person, as referred to in Article 4(1) of the GDPR.

We collect personal data through the following sources:

a. Data you actively provide to us

This is data you voluntarily share with us, for example when placing an order, creating an account, completing a contact form, submitting a return notification, or when you contact us via one of our business WhatsApp channels. This may include the following information:

    Contact details, such as your name, e-mail address, telephone number and (billing and delivery) address;

    Account details, such as a username, password (stored encrypted), language preference and profile settings;

    Payment details, such as the type of payment method and transaction information (we do not receive full card details; these are processed by certified external payment providers);

    Content of communications, such as messages via contact forms, e-mail correspondence, WhatsApp messages via our business channels, return requests or customer support.

Providing this data is in some cases necessary in order to use certain services (for example placing an order or making a return). Where this is the case, you will be expressly informed of it.

b. Data we collect automatically

When you use our website or digital services, we automatically collect certain data via cookies, scripts and similar technologies. This data is collected to improve the functionality, security and performance of our website, as well as for analytical and marketing purposes. Insofar as this data contains personal data, processing takes place on the basis of our legitimate interest or your consent.

Examples of automatically collected data include:

    IP address, device ID, browser type and operating system;

    Time, duration and frequency of your visit;

    Approximate location data based on IP address;

    Navigation, click, scroll and purchase behaviour on our website;

    Interactions with e-mails or advertisements, such as open and click behaviour.

See our cookie policy for more information about how we collect and use this data.

c. Data we receive from third parties

In certain cases we receive personal data from third parties, solely where this is necessary for the performance of the contract, the provision of our services or marketing purposes. This may include data originating from:

    Shopify, our e-commerce platform, which processes technical and order-related data;

    Odoo, our business and communication platform to which, among other things, our business WhatsApp channels are connected and through which customer contact is handled;

    Payment providers such as Shopify Payments, PayPal or Apple Pay, which pass on transaction data to us;

    Marketing and advertising partners, such as Meta (Facebook/Instagram), Google Ads, Klaviyo and similar platforms, if you have given consent for the use of cookies or advertising tracking;

    Analytics tools, such as Hotjar or Shopify Analytics, for user behaviour and optimisation of the user experience.

We process this data solely in accordance with this Privacy Statement and on the basis of valid processing grounds under the GDPR, such as performance of a contract, legitimate interest or your explicit consent. For more information regarding Google, please refer to https://business.safety.google/privacy/

4. Purposes and legal bases of data processing

We process your personal data solely on the basis of one or more legal grounds as set out in Article 6(1) of the General Data Protection Regulation (GDPR). Depending on the nature of your interaction with Pauw, the following grounds may apply:

    Performance of a contract (Article 6(1)(b) GDPR): for processing and handling orders, payments, shipping, returns and providing customer service.

    Compliance with a legal obligation (Article 6(1)(c) GDPR): for complying with tax retention obligations, accounting obligations, and fraud prevention.

    Legitimate interest (Article 6(1)(f) GDPR): for improving our website and services, carrying out internal analyses, securing our systems, and — where legally permitted — direct marketing to existing customers.

    Consent (Article 6(1)(a) GDPR): for sending marketing communications by e-mail or SMS, placing cookies and tracking technologies, or sharing data with advertising partners, where legally required.

Where we process your data on the basis of consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing prior to the withdrawal.

5. Marketing and personalised communication

With your consent, or where permitted on the basis of our legitimate interest, we may send you promotional communications by e-mail, SMS or post. This may include information about our products, services, offers, events or other commercial messages that may be relevant to you.

Insofar as required under the GDPR (Article 6(1)(a)), we base the processing of your personal data for direct marketing purposes on your explicit consent. In some cases we may approach existing customers regarding similar products or services on the basis of our legitimate interest (Article 6(1)(f) GDPR), provided this is in line with the Dutch Telecommunications Act.

You can unsubscribe from marketing communications at any time by using the unsubscribe link at the bottom of our e-mails, or by contacting us at unsubscribe@pauw.com. Withdrawing your consent does not affect the lawfulness of processing prior to the withdrawal.

6. Cookies and tracking technologies

We use cookies and similar technologies, such as pixels, scripts and software development kits (SDKs), to optimise the operation of our website and improve your user experience. Depending on the type of cookie and the purpose of processing, we process your personal data on the basis of your consent or our legitimate interest.

We use cookies for, among others, the following purposes:

    Functional cookies: necessary for the technical operation of the website and the provision of basic functionalities, such as the shopping cart, language settings and logging in;

    Analytical cookies: for measuring website usage and improving performance, for example via Google Analytics or Shopify;

    Marketing and tracking cookies: to track your browsing behaviour and display personalised advertisements via external platforms such as Meta (Facebook/Instagram) or Google Ads.

For the placement of non-essential cookies we request, as required under the ePrivacy Directive and Article 6(1)(a) of the GDPR, your prior explicit consent via our cookie banner.

You can adjust your cookie preferences at any time via:

    The cookie settings available on our website;

    Or via your browser settings, with which you can block or delete cookies.

Please note that disabling cookies may affect the functioning of certain parts of our website.

7. Communication via WhatsApp

Pauw B.V. offers two business WhatsApp numbers through which you, as a customer or interested party, can contact us, for example for customer service, an order, a complaint or a question. For the processing of personal data via these business channels, Pauw B.V. is the controller within the meaning of the GDPR.

The following principles apply to this communication:

    Processing via Odoo: all business WhatsApp communication is handled via our platform Odoo. WhatsApp (Meta) and Odoo act as processors in this respect; see also Chapter 8 (Disclosure of personal data to third parties) and Chapter 9 (International transfers).

    Transparency at first contact: when you contact us via WhatsApp for the first time, we inform you via an automatic welcome message that you are communicating with Pauw B.V. and that your personal data is processed in accordance with this Privacy Statement.

    Purpose limitation: data you share with us via these channels is used solely for the purpose for which you made contact. Use for marketing purposes only takes place if you have given separate consent for it.

    No special categories of personal data: we never ask you for special categories of personal data (such as health data) via these channels. Should you nevertheless share these voluntarily, we do not store them and we refer you to a secure channel.

    Retention period: conversations are archived after handling and subsequently deleted in accordance with the retention periods laid down in our internal record of processing activities (see also Chapter 10).

8. Disclosure of personal data to third parties

Pauw shares your personal data with third parties only where this is necessary for the performance of our services, compliance with legal obligations or on the basis of a legitimate interest, and always within the bounds of applicable law.

We may share your personal data with the following categories of recipients:

Service providers (processors): third parties that provide services on our behalf and require access to personal data to perform their tasks. This includes, among others:

    E-commerce and business platforms (such as Shopify and Odoo);

    Messaging and communication services (such as WhatsApp/Meta, connected to Odoo, for our business WhatsApp channels);

    Payment providers (such as Shopify Payments, PayPal);

    Logistics partners and shipping services;

    IT and hosting providers, technical support and cloud storage services.

Marketing and analytics partners: third parties that support us in sending marketing communications, carrying out analyses or displaying personalised advertisements, such as:

    e-mail marketing services (e.g. Klaviyo);

    advertising platforms (such as Meta/Facebook, Google Ads);

    data analytics tools (such as Hotjar or Shopify Analytics).

Government authorities and supervisory bodies: where this is legally required or where it is necessary to protect our rights, for example in the context of tax law, fraud investigations or a court order.

Business transactions: in the event of a (proposed) merger, acquisition, restructuring or sale of (part of) our business, personal data may be shared with the parties involved, solely to the extent necessary and with appropriate safeguards.

Only the data that is strictly necessary for the intended purpose is shared. Where applicable, we conclude a data processing agreement with third parties setting out arrangements regarding confidentiality, security, data use and GDPR compliance.

If personal data is transferred to countries outside the European Economic Area (EEA), we do so solely where there is an adequacy decision recognised by the European Commission, certification under the EU-US Data Privacy Framework (for the United States), valid standard contractual clauses or other legally permitted mechanisms.

9. International transfers of personal data

In the course of our services, it may be necessary for your personal data to be transferred to parties established outside the European Economic Area (EEA), for example when we use technical suppliers or platforms with infrastructure outside Europe — such as Shopify (Canada and the US), WhatsApp/Meta or certain cloud providers.

We transfer personal data to countries outside the EEA only where one of the following legal conditions is met:

    The country concerned has been formally recognised by the European Commission as a country with an adequate level of data protection (a so-called adequacy decision);

    For transfers to the United States: the receiving party is certified under the EU-US Data Privacy Framework (DPF);

    Standard Contractual Clauses (SCCs) have been agreed with the recipient of the data, as approved by the European Commission;

    In specific cases, other instruments or derogations under Article 49 GDPR may apply, such as explicit consent or performance of a contract.

In all cases, we ensure that appropriate technical, organisational and contractual measures have been taken to adequately protect your personal data against loss, misuse or unauthorised access.

10. Security of personal data

Pauw B.V. takes appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration or unlawful processing. These measures are tailored to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.

Examples of security measures include:

    secured network connections (SSL/TLS);

    encrypted storage of sensitive data;

    access management based on authorisation;

    internal procedures for data security and incident response;

    periodic review of security measures and suppliers.

Despite our efforts, we cannot guarantee absolute security. The transmission of data via the internet always involves a certain risk. We therefore advise you to handle sensitive information with care and, where possible, to use secure means of communication. In the event of a security incident with a possible impact on your personal data, we act in accordance with the data breach notification obligation under the GDPR. Where required, we report a data breach to the Dutch Data Protection Authority within 72 hours and inform you in good time where necessary, in accordance with our internal data breach notification procedure.

11. Retention periods

Pauw B.V. does not retain personal data longer than necessary for the purposes for which it was collected or further processed, unless a longer retention period is legally required or justified.

The retention periods are tailored to the nature of the data, the purpose of the processing, the applicable legal obligations and the requirements for responsible archiving, legal evidence or defence against claims. In particular, we apply the following (indicative) periods:

    Tax and administrative data (including invoices, payment information and transaction history): 7 years, in accordance with the statutory tax retention obligation;

    Customer and account data (such as contact details, order history, communications): for as long as the account is active, and no more than 2 years after the last activity or closure of the account;

    Marketing consents and preferences: until you withdraw your consent or request deletion, unless we apply a shorter period;

    Correspondence with customer service (including via our business WhatsApp channels): no more than 2 years after handling of the request or dispute, unless a longer period is necessary for legal evidence.

The precise retention periods per processing activity are laid down in our internal record of processing activities. When personal data is no longer needed for the aforementioned purposes, it is securely deleted or anonymised, unless a statutory retention obligation prevents this.

12. Your rights under the GDPR

As a data subject within the meaning of the General Data Protection Regulation (GDPR), you have various rights regarding the processing of your personal data. Depending on the nature of the processing and your relationship with Pauw B.V., you can exercise the rights set out below:

    Right of access (Article 15 GDPR): you have the right to know whether we process personal data about you and, if so, which data and for what purpose.

    Right to rectification (Article 16 GDPR): you have the right to have inaccurate or incomplete personal data corrected.

    Right to erasure (the “right to be forgotten”) (Article 17 GDPR): in certain cases you have the right to have your personal data deleted, for example when it is no longer needed for the purposes for which it was collected.

    Right to restriction of processing (Article 18 GDPR): in certain cases you can request that the processing of your personal data be temporarily restricted, for example during an objection procedure.

    Right to data portability (Article 20 GDPR): you have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and — where technically feasible — to have it transmitted to another controller.

    Right to object (Article 21 GDPR): you have the right to object to the processing of your personal data on the basis of our legitimate interest, including for direct marketing.

    Right to withdraw consent (Article 7(3) GDPR): where processing is based on your consent, you can withdraw that consent at any time. This has no retroactive effect on processing already carried out.

You can submit a request to exercise one of these rights via privacy@pauw.com. We will respond within one month, in accordance with Article 12 GDPR. If your request is complex or if we receive a large number of requests, this period may be extended by up to two months. In that case we will inform you in good time.

To prevent misuse, we may ask you to verify your identity before we deal with your request substantively. If we are unable to grant your request, we will explain the reasons to you.

You also have the right to lodge a complaint with the competent supervisory authority, such as the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in the Netherlands.

13. Data of minors

Our Services are not directed at, nor intended for, children under the age of 16, and we do not knowingly collect personal data from persons below this age limit, in accordance with Article 8 of the General Data Protection Regulation (GDPR).

If we discover that we have inadvertently collected personal data from a child under the age of 16 without valid consent from their parent or legal guardian, we will delete this data without delay.

Parents or legal guardians who suspect that their child has provided personal data to us without their consent can contact us at privacy@pauw.com to request deletion of this data.

14. Complaints and supervision

If you have questions, concerns or complaints about the way in which Pauw B.V. processes your personal data, we ask you to first contact us via the contact details at the bottom of this Privacy Statement. We will handle your notification carefully and seek to reach an appropriate solution.

In addition, under Article 77 of the General Data Protection Regulation (GDPR) you have the right to lodge a complaint at any time with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement.

In the Netherlands, the competent supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)

Postbus 93374, 2509 AJ The Hague

Website: www.autoriteitpersoonsgegevens.nl

 

If you reside in another country within the European Economic Area (EEA), you can contact the supervisory authority competent in your country. An overview of supervisory authorities within the EU can be found at https://edpb.europa.eu.

15. Contact details

For questions about this Privacy Statement, the processing of your personal data, or to submit a request to exercise your rights under the General Data Protection Regulation (GDPR), you can contact:

Pauw B.V.

Attn: Privacy Officer / Data Protection Officer

Europaplein 37

1078 GV Amsterdam

The Netherlands

privacy@pauw.com

 

We aim to respond within one month of receiving your request or question, in accordance with Article 12 GDPR.