Privacy Policy
Last updated: 11 June 2026
This policy explains how we collect, use, and protect your personal data when you use this webshop, in line with the EU General Data Protection Regulation (GDPR) and Dutch data-protection law. ITC Leiden handles personal data carefully and only within the limits of the law.
1. Who we are (data controller)
The data controller for this webshop is:
- Stichting International Tax Center Leiden (ITC Leiden)
- Rapenburg 65, 2311 GJ Leiden, The Netherlands
- Chamber of Commerce (KvK): 27169660
- VAT: NL8097.23.207.B01
- Privacy contact: AVG@itc-leiden.nl
2. What personal data we collect
We collect the information you provide when placing an order:
- Name, email address, and phone number.
- Shipping address, and billing address if different.
- VAT number (for business customers requesting a VAT exemption).
- The contents and value of your order.
- Your IP address and basic technical data needed to deliver the site securely.
Payment details (such as card or bank account numbers) are handled directly by our payment provider, Mollie, and are never stored on our systems. We use only functional cookies and browser storage to run the shop — see our Cookie Policy.
3. Why we use it and our legal basis
- To process and deliver your order and send invoices — performance of a contract.
- To comply with tax and accounting obligations — legal obligation.
- To validate EU VAT numbers via the official VIES service — legal obligation / legitimate interest.
- To keep the shop secure and prevent abuse — legitimate interest.
4. Service providers we share data with
To run the shop we rely on the processors below, each bound by a data processing agreement to handle your data confidentially:
- Mollie — payment processing.
- Resend — sending order and confirmation emails.
- Google Maps — optional address autocomplete at checkout (loaded only with your consent).
- DHL — parcel delivery.
- Neon — database hosting.
- Vercel — website hosting.
- Clerk — secure staff sign-in for the admin area (staff accounts only).
We do not sell your data. We only share it where needed to fulfil your order, or with public authorities where we are legally required to do so.
5. International transfers
Some providers may process data outside the EU/EEA. Where that happens, the transfer is covered by appropriate safeguards — an EU adequacy decision or the EU Standard Contractual Clauses — so your data keeps an equivalent level of protection.
6. How long we keep your data
We keep your data no longer than necessary. Order and invoice records are kept for the period required by Dutch tax law (7 years); other personal data is deleted once it is no longer needed for the purpose it was collected for.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your data, and to object to certain processing.
To exercise these rights, email AVG@itc-leiden.nl with your request in the subject line, or write to ITC Leiden, AVG inspection request, Rapenburg 65, 2311 GJ Leiden. We respond within four weeks. We may ask you to confirm your identity first. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
8. Security
We protect your data with appropriate technical and organizational measures: all connections use encrypted HTTPS, staff access to the admin area is restricted and authenticated, and no payment card data is stored on our systems. If a data breach ever affects you, we will inform you as required by law.
9. Changes to this policy
We may update this policy when our processing or providers change. The current version always appears on this page, with the “Last updated” date above.
