Privacy Policy
Gregoir Group
Last updated: 29 April 2026
This Privacy Policy explains how Gregoir Holding NV processes your personal data when you visit gregoir.com or any of its subsidiary websites listed under “Scope” below (the “Site”), use the products and services offered through the Site (the “Services”), or otherwise interact with us. It is intended to satisfy the transparency requirements of Article 13 of the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (the “Belgian Data Protection Act”).
We encourage you to read this Privacy Policy carefully. If anything is unclear, please contact us using the details in section 15.
1. Who is the controller?
The controller of your personal data is:
Gregoir Holding NV
Tentoonstellingslaan 317, 1090 Jette (Brussels), Belgium
KBO/BCE number: BE 0475.506.668
E-mail: info@gregoir.com
Where this Privacy Policy uses “we”, “us” or “our”, it refers to Gregoir Holding NV acting as controller.
We have not designated a Data Protection Officer under Article 37 GDPR. For any privacy-related question or to exercise your rights, please use the privacy contact above.
2. Scope
This Privacy Policy applies to personal data processed in connection with:
- the website gregoir.com and any subsidiary website operated by the Gregoir Group that links to this Privacy Policy;
- orders placed and accounts created through those websites;
- communications with our customer-support and sales teams via e-mail, contact forms or telephone;
- our marketing communications (e-mail, SMS, postal mail) and our presence on social-media platforms (insofar as we act as controller).
Where a different controller is responsible for processing your data (for example, a social-media platform on which you interact with our pages), that controller’s privacy policy applies in addition to this one.
3. What personal data do we process?
Depending on how you interact with us, we process the following categories of data:
- Identification and contact data: name, postal address, e-mail address, telephone number, language preference.
- Account data: username, password (stored in hashed form), security questions, account preferences.
- Order and transaction data: billing and shipping address, items ordered, order history, returns, payment confirmation, invoice number.
- Payment data: collected directly by our payment service providers; we receive only confirmation that payment has been made and a payment reference. We do not store your full card number.
- Browsing data: items viewed, added to your cart or wish list, products reviewed.
- Customer-support data: the content of your communications with us, copies of correspondence, attachments and the resolution of your request.
- Technical and usage data: IP address, device identifier, browser type and version, operating system, referrer, pages visited, date and time of access, language settings — collected through cookies and similar technologies (see section 8).
- Marketing data: your consent or objection to marketing communications, your interactions with our newsletters (open/click), and your participation in surveys, contests or events.
We do not knowingly process special categories of personal data within the meaning of Article 9 GDPR (e.g. data on health, ethnic origin, political opinions). Please do not share such data with us in unsolicited messages.
4. Where does the data come from?
Most personal data is collected directly from you when you create an account, place an order, contact us or interact with the Site. We also receive data from the following sources:
- Our e-commerce platform: technical and order data necessary to operate the Site.
- Payment service providers: payment confirmation and payment reference.
- Shipping carriers: delivery status and proof of delivery.
- Social-media platforms (only if you choose to log in or interact via them): the public profile data the platform makes available subject to your platform settings.
- Analytics providers: aggregated and pseudonymous statistics about how the Site is used (only if you have consented to analytics cookies).
5. Why do we process your data and on what legal basis?
Article 6 GDPR requires us to identify a legal basis for each processing activity. The table below maps purposes to legal bases.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Creating and administering your account | Identification, contact, account data | Performance of a contract — Article 6(1)(b) GDPR |
| Processing and delivering your order, returns and exchanges | Order, contact, payment, shipping data | Performance of a contract — Article 6(1)(b) GDPR |
| Bookkeeping, invoicing and tax obligations | Order, invoice, identification data | Legal obligation — Article 6(1)(c) GDPR (in particular Art. III.86 Code of Economic Law and Art. 60 VAT Code) |
| Customer-support requests | Identification, contact, order, support data | Performance of a contract / our legitimate interest in providing effective customer service — Article 6(1)(b)/(f) GDPR |
| Direct marketing by e-mail / SMS to existing customers for similar products | Identification, contact, marketing-preference data | Soft opt-in under Art. XII.13 Code of Economic Law, on the basis of our legitimate interest — Article 6(1)(f) GDPR |
| Direct marketing by e-mail / SMS to non-customers, and any cross-context advertising | Identification, contact, marketing-preference data, browsing data | Your consent — Article 6(1)(a) GDPR |
| Personalisation of the Site and advertising via cookies / similar technologies | Technical, usage, browsing, marketing data | Your consent — Article 6(1)(a) GDPR + Art. 129 e-Communications Act |
| Site analytics (where not strictly necessary) | Technical and usage data | Your consent — Article 6(1)(a) GDPR |
| Detecting and preventing fraud and abuse | Account, technical, usage, order data | Our legitimate interest in protecting our customers, our staff and our business — Article 6(1)(f) GDPR |
| Defending or enforcing legal claims, complying with court orders or supervisory-authority requests | All categories as relevant | Legal obligation / our legitimate interest in defending claims — Article 6(1)(c) / (f) GDPR |
| Internal reporting and management within the Gregoir Group | Aggregated / pseudonymised data where possible | Our legitimate interest in running the business — Article 6(1)(f) GDPR |
Where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal. Where processing is based on our legitimate interest, you may object at any time on grounds relating to your particular situation (see section 10).
6. Who has access to your data?
Within Gregoir Holding NV, access is limited to staff members who need it to perform their tasks (sales, customer support, IT, finance, marketing). All staff members are bound by confidentiality.
We share personal data with the following categories of recipients, all of whom act as our processors under a written agreement (Article 28 GDPR) or under their own statutory duties:
- E-commerce platform: WooCommerce (operating the Site).
- Hosting and IT service providers, CDN, security and back-up providers.
- Payment service providers (processing your payment).
- Shipping carriers (delivering your order).
- Customer-support tooling (ticket / helpdesk software).
- E-mail / SMS service providers (transactional and — subject to your consent or the soft opt-in — marketing communications).
- Analytics and marketing tools (only with your cookie consent).
- Affiliated companies of the Gregoir Group, for internal management and reporting.
- Professional advisors (lawyers, accountants, auditors), insurers and, where required by law, public authorities or courts.
- Acquirers in the context of a merger, acquisition or restructuring of the Gregoir Group, subject to appropriate confidentiality undertakings.
A list of our main processors is available on request through the privacy contact in section 15.
We do not sell your personal data, and we do not engage in cross-context behavioural advertising without your prior consent. Where personalised advertising or analytics is used on the Site, it is conditional on the consent you give in our cookie banner.
7. International transfers
Some of our processors are established outside the European Economic Area (“EEA”), in particular in the United States (e.g. WooCommerce, certain analytics and e-mail providers). Where we transfer personal data outside the EEA, we ensure that one of the following safeguards under Chapter V GDPR applies:
- an adequacy decision of the European Commission — including, for transfers to the United States to a recipient certified under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023);
- the European Commission’s Standard Contractual Clauses of 4 June 2021, supplemented by a transfer impact assessment and additional measures where necessary;
- any other safeguard recognised under Article 46 GDPR or, exceptionally, a derogation under Article 49 GDPR.
You can request a copy of the safeguard relied upon for a specific transfer by contacting us at info@gregoir.com.
8. Cookies and similar technologies
Like most websites, the Site uses cookies and similar technologies (pixels, web beacons, local storage). A cookie is a small file placed on your device when you visit a website.
We distinguish four categories:
- Strictly necessary cookies (no consent required) — needed for the Site to function, e.g. to remember the items in your shopping cart, to keep you logged in, or to secure a payment. These cookies are placed on the basis of Article 129, §1, 2° of the e-Communications Act.
- Functional cookies — remember your preferences (language, region, currency).
- Analytics cookies — measure how the Site is used so we can improve it.
- Marketing / advertising cookies — show you advertising on and off the Site that may be relevant to you, including via our partners.
Functional, analytics and marketing cookies are placed only after you have given your consent through our cookie banner. The banner is shown the first time you visit the Site, and you can change your choices at any time through the “Cookie settings” link in the footer of every page. Refusing non-essential cookies has no consequence other than the loss of the corresponding feature; you can continue to browse and shop on the Site.
A detailed list of the cookies we use, their purpose, retention period and the recipient of the data is published on the cookie-settings page.
9. How long do we keep your data?
We keep your personal data for the period necessary for the purposes set out in section 5, taking into account our legal obligations. Concrete retention periods are set out below; once expired, data is deleted or irreversibly anonymised.
| Category of data | Retention period |
|---|---|
| Customer account | For as long as the account is active, then deleted 5 years after the last login or last order |
| Order, invoice and accounting data | 10 years from the end of the financial year (Art. III.86 Code of Economic Law) |
| VAT-relevant data | 10 years (Art. 60 VAT Code) |
| Customer-support tickets | 3 years after the ticket is closed |
| Marketing consent and preference records | Until consent is withdrawn, plus 3 years for evidentiary purposes |
| Newsletter subscription data | Until you unsubscribe, plus 3 years for evidentiary purposes |
| Cookie consent records | 13 months (Belgian DPA recommendation), then a fresh consent is requested |
| Analytics data | Maximum 13 months at user level, then aggregated |
| Server / security logs | 12 months, longer where necessary to investigate an incident |
| Data necessary to defend a legal claim | Until the claim and any related limitation period are definitively expired |
10. Your rights
Under Articles 15 to 22 GDPR and Articles 13 to 34 of the Belgian Data Protection Act, you have the rights described below in relation to your personal data. These rights are not absolute and apply within the conditions set out in those provisions.
- Right of access (Art. 15) — to obtain confirmation that we process your personal data and a copy of that data.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected or completed.
- Right to erasure / “right to be forgotten” (Art. 17) — to have your data deleted in the cases listed in Article 17.
- Right to restriction of processing (Art. 18) — to have processing limited in the cases listed in Article 18.
- Right to data portability (Art. 20) — for data processed by automated means on the basis of consent or contract, to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.
- Right to object (Art. 21) — at any time on grounds relating to your particular situation to processing based on our legitimate interests, and at any time without justification to processing for direct marketing.
- Right not to be subject to automated individual decision-making (Art. 22) — see section 11.
- Right to withdraw consent at any time (Art. 7(3)) — without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with the Belgian Data Protection Authority (Art. 77) — see section 12.
To exercise any of these rights, contact us using the details in section 15. We will reply without undue delay and in any event within one month of receipt of your request. That period can be extended by a further two months where the request is complex or where we receive a high number of requests; in that case we will inform you of the extension and the reasons within the first month.
We may need to verify your identity before acting on a request, in particular by asking you to confirm the request from the e-mail address linked to your account or by requesting additional information. Acting on your request is free of charge, except where it is manifestly unfounded or excessive — in which case we may charge a reasonable fee or refuse the request.
11. Profiling and automated decision-making
With your consent (cookie banner), we use analytics and personalisation tools that involve profiling within the meaning of Article 4(4) GDPR — for example, to recommend products, to personalise content on the Site, or to show you relevant advertising. This profiling does not produce legal effects concerning you and does not similarly significantly affect you within the meaning of Article 22 GDPR.
We do not take decisions about you based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. You can object to profiling for direct-marketing purposes at any time by withdrawing your cookie consent or by contacting us.
12. Complaints
If you have a complaint about how we process your personal data, we ask that you first contact us (see section 15). If you are not satisfied with our response, you have the right to lodge a complaint with the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit / Autorité de protection des données
Drukpersstraat 35 / Rue de la Presse 35, 1000 Brussels, Belgium
E-mail: contact@apd-gba.be
Telephone: +32 (0)2 274 48 00
Website: https://www.dataprotectionauthority.be
This is without prejudice to any other administrative or judicial remedy available to you (Art. 79 GDPR).
13. Children
In Belgium the digital age of consent is set at 13 years (Article 7 of the Belgian Data Protection Act of 30 July 2018, derogating from the GDPR default of 16). The Site is not directed at children under 13, and we do not knowingly collect personal data from children under 13.
If you are a parent or legal guardian and believe that a child under 13 has provided us with personal data, please contact us (see section 15) and we will take steps to delete that data.
14. Security of your data
We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required by Article 32 GDPR. These include access controls, encryption in transit, regular back-ups, network and infrastructure security, segregation of environments, staff training and a written policy on the management of personal-data breaches.
No system is impenetrable, however, and we cannot guarantee absolute security. You also play a role: please use a strong, unique password for your account, do not share it with anyone, and notify us immediately if you suspect that your account has been compromised.
15. Contact
For any question about this Privacy Policy, to exercise your rights or for any other privacy-related matter:
Gregoir Holding NV — Privacy
Tentoonstellingslaan 317, 1090 Jette (Brussels), Belgium
E-mail: info@gregoir.com
16. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes to our practices or for legal, regulatory or operational reasons. The “Last updated” date at the top of the policy shows when the policy was last revised. Where the changes are material, we will inform you in advance, for example by e-mail or by a banner on the Site.
Previous versions of this Privacy Policy are available on request.
17. Language versions
This Privacy Policy is published in English, Dutch and French. In the event of any discrepancy between the language versions, the Dutch version prevails.