Privacy policy
Last updated: June 3, 2026
Bricky operates this store and website, including all related information, content, features, tools, products and services, in order to provide you, the customer, with a curated shopping experience (the "Services"). Bricky is powered by Shopify, which enables us to provide the Services to you. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction using the Services or otherwise communicate with us. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
For the purpose of the General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG), the data controller is Brightmart, Loenermark 808, 1025 VN Amsterdam, the Netherlands, reachable at brickynl2@gmail.com.
Please read this Privacy Policy carefully. By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described here.
Personal Information We Collect or Process
When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you or another person. Personal information does not include information that is collected anonymously or that has been de-identified. Depending on how you interact with the Services, we may collect or process the following categories:
- Contact details including your name, address, billing address, shipping address, phone number, and email address.
- Financial information including payment card information, transaction details, form of payment, and payment confirmation. (Full card numbers are handled by our payment providers; we do not store them ourselves.)
- Account information including your username, password, preferences and settings.
- Transaction information including the items you view, add to your cart or wishlist, or purchase, return, exchange or cancel, and your past transactions.
- Communications with us including the information you include when you contact us, for example a customer support inquiry.
- Device information including information about your device, browser, or network connection, your IP address, and other unique identifiers.
- Usage information including how and when you interact with or navigate the Services.
Sources of Personal Information
We may collect personal information from the following sources:
- Directly from you, e.g. when you create an account, use the Services, communicate with us, or otherwise provide your personal information;
- Automatically through the Services, from your device when you use our Services, and through cookies and similar technologies (see Cookies below);
- From our service providers when they collect or process personal information on our behalf;
- From our partners or other third parties.
How We Use Your Personal Information, and Our Legal Bases 🇪🇺
We only process your personal information where we have a lawful basis under Article 6 GDPR. The table below sets out our purposes and the legal basis we rely on for each.
| Purpose | Legal basis |
|---|---|
| Processing and fulfilling your orders, payments, returns, exchanges and cancellations; managing your account; providing customer support | Performance of our contract with you (Art. 6(1)(b)) |
| Keeping records of transactions and invoices for tax and accounting purposes | Compliance with a legal obligation (Art. 6(1)(c)) |
| Securing the Services, authenticating accounts, and detecting and preventing fraud or misuse | Our legitimate interests in protecting our business and customers (Art. 6(1)(f)) |
| Improving and tailoring the Services, including product recommendations | Our legitimate interests in operating and improving our store (Art. 6(1)(f)) |
| Sending marketing communications by email, and showing you personalised advertising / using profiling for marketing | Your consent (Art. 6(1)(a)). For existing customers, we may email you about our own similar products on the basis of our legitimate interest, and you can opt out at any time |
| Complying with applicable law and responding to valid legal requests | Compliance with a legal obligation, and our legitimate interests in defending legal claims (Art. 6(1)(c) and (f)) |
Where we rely on consent, you may withdraw it at any time (see Your Rights below). Where we rely on legitimate interests, you may object to that processing.
Cookies and Similar Technologies 🇪🇺
We and our service providers use cookies and similar technologies on the Services. Strictly necessary cookies (for example to keep your cart and let you check out) are placed without consent because the store cannot function without them. For all other cookies — including analytics and advertising/tracking cookies — we ask for your consent before placing them, through our cookie banner, and you can change or withdraw your choices at any time via the cookie settings. Full details of which cookies we use are set out in our Cookie Policy [LINK]. [You must add a cookie consent banner and a separate Cookie Policy.]
How We Disclose Personal Information
We may disclose your personal information to third parties for the purposes described above, including:
- With Shopify and other service providers who perform services on our behalf (e.g. IT, payment processing, analytics, customer support, cloud storage, fulfilment and shipping). These parties act as our processors and may only use the data on our instructions.
- With marketing partners to provide marketing and advertising, where you have consented. These partners use your information in accordance with their own privacy notices. You can withdraw consent for personalised advertising at any time.
- When you direct or consent to disclosure, such as to ship you products or through social media or login integrations.
- With our affiliates or otherwise within our corporate group.
- In connection with a business transaction such as a merger or insolvency, to comply with legal obligations (including responding to lawful requests from authorities), to enforce our terms, and to protect our rights and those of our users or others.
Relationship with Shopify
The Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services. Information you submit will be transmitted to and shared with Shopify as well as third parties that may be located in countries other than where you reside. We also use certain Shopify enhanced features that combine data from your interactions with our store, other merchants, and Shopify. For these features Shopify acts as a controller and is responsible for handling your rights requests. To learn more, see the Shopify Consumer Privacy Policy and, where available to you, the Shopify Privacy Portal at https://privacy.shopify.com/en.
Third Party Websites and Links
The Services may link to websites or platforms operated by third parties. If you follow such links, you should review their privacy and security policies. We are not responsible for the privacy or security of those sites or the accuracy of information found there. Information you share on public or third-party platforms may be viewable by others. Our inclusion of links does not imply endorsement.
Children's Data 🇪🇺
The Services are not intended for children. We do not knowingly collect personal information from children under 16 years of age (the age of digital consent in the Netherlands) without the consent of a parent or guardian. If you are a parent or guardian of a child who has provided us with personal information, please contact us at the details below and we will delete it.
Security and Retention of Your Information 🇪🇺
We take appropriate technical and organisational measures to protect your personal information against unauthorised access, loss or misuse, in line with Article 32 GDPR. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; we recommend you do not send sensitive information through unsecure channels.
We keep your personal information only as long as necessary for the purposes set out above. For example, we keep account data while your account is active, and we retain transaction and invoice records for 7 years to comply with Dutch tax-retention obligations. After the applicable period we delete or anonymise your information.
Your Rights and Choices 🇪🇺
Depending on where you live, you may have the following rights in relation to your personal information. These rights are not absolute and may apply only in certain circumstances.
- Access — request a copy of the personal information we hold about you.
- Rectification — request that we correct inaccurate or incomplete information.
- Erasure — request that we delete personal information we hold about you.
- Portability — receive a copy of certain information in a structured, commonly used, machine-readable format, and ask us to transfer it to a third party.
- Restriction and Objection — ask us to restrict, or object to, our processing of your information for certain purposes, including profiling for direct marketing.
- Withdrawal of consent — where we rely on consent, withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
- Marketing opt-out — unsubscribe from promotional emails at any time using the link in our emails. We may still send non-promotional messages about your account or orders.
To exercise any of these rights, contact us using the details below. We will not discriminate against you for exercising your rights. We may need to verify your identity before acting on a request, and you may use an authorised agent (with proof of authorisation). We will respond within the timeframe required by law (under the GDPR, normally within one month).
Complaints 🇪🇺
If you have a complaint about how we process your personal information, please contact us first using the details below. You also have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). If you live elsewhere in the EEA, you can contact your local authority.
International Transfers
We may transfer, store and process your personal information outside the country you live in. If we transfer your personal information out of the European Economic Area, we rely on recognised transfer mechanisms such as the European Commission's Standard Contractual Clauses, unless the transfer is to a country recognised as providing an adequate level of protection.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for operational, legal or regulatory reasons. We will post the revised version here, update the "Last updated" date, and provide notice where required by law.
Contact
If you have questions about our privacy practices or this Privacy Policy, or would like to exercise your rights, contact us at brickynl2@gmail.com or at Loenermark 808, 1025 VN Amsterdam, the Netherlands. For the purposes of applicable data protection law, we are the data controller of your personal information.