LEGAL
Privacy policy
Last updated: 17 mei 2026
Genabyte BV, trading as STOOF·36, is committed to protecting your personal data. This privacy policy explains what data we collect, why we collect it, and how you can exercise your rights under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).
1. Data controller
Genabyte BV
Trading name: STOOF·36
VAT number: BE1011.746.919
Email: info@stoof36.be
2. Data we collect
We collect the following categories of personal data:
• Identification data: first name, last name
• Contact data: email address, phone number
• Address data: street, number, postcode, city, country (for orders)
• Order and booking data: products purchased, quantities, amounts, event details
• Payment data: transaction status (payment details are processed by Mollie — we do not store card numbers)
• Technical data: IP address, browser type (via Vercel server logs)
• Account data: email address and password hash (via Supabase Auth)
3. Purposes and legal basis
We process your data for the following purposes:
• Performance of a contract (Art. 6.1.b GDPR): order processing, invoicing, handling bookings, customer area access
• Legal obligation (Art. 6.1.c GDPR): retention of accounting records under Belgian accounting law
• Legitimate interests (Art. 6.1.f GDPR): fraud prevention, system security, technical operation of the website
4. Third parties (processors)
We work with the following processors who handle your data solely on our instructions:
• Supabase Inc. — database, authentication and file storage (EU-hosted servers)
• Mollie B.V. (Netherlands) — payment processing; independent data controller for payment data
• Resend Inc. (United States) — transactional email delivery; Standard Contractual Clauses apply
• Vercel Inc. (United States) — web hosting and serverless functions; Standard Contractual Clauses apply
We never sell your data to third parties and do not share it outside the processors listed above.
5. Retention periods
• Order data and invoices: 10 years (Belgian accounting law)
• Customer accounts: until you delete your account or request deletion
• Booking data: 3 years after the event date
• Server logs (IP addresses): maximum 90 days
6. Your rights
As a data subject you have the following rights:
• Right of access (Art. 15 GDPR): request a copy of the data we hold about you
• Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected
• Right to erasure (Art. 17 GDPR): have your data deleted, unless a legal retention obligation applies
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format
• Right to object (Art. 21 GDPR): object to processing based on legitimate interests
Send your request to info@stoof36.be. We will respond within 30 days.
You also have the right to lodge a complaint with the Data Protection Authority (GBA):
Drukpersstraat 35 — 1000 Brussels — contact@apd-gba.be — www.gegevensbeschermingsautoriteit.be
7. Cookies
We use only functional cookies that are strictly necessary for the operation of the website:
• NEXT_LOCALE: remembers your chosen language (session/persistent cookie)
• Supabase Auth session cookies: for logged-in users in the customer area
We do not use tracking or advertising cookies. No third parties place cookies for marketing purposes via our website.
8. Contact us
For questions about this policy or to exercise your rights:
Email: info@stoof36.be