Vive la Flex

Privacy Policy

Privacy Policy

Last updated: March 2026

Vive la Flex (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This privacy policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.

We are the controller of your personal data. You can reach us at:

Company: Vive la Flex

Email: hey@vivelaflex.com

Website: vivelaflex.com

Country: The Netherlands

If you have questions about this privacy policy or want to exercise any of your rights, contact us at hey@vivelaflex.com.

What Personal Data We Collect

We collect personal data only when it is necessary for specific purposes. Below is an overview of the categories of data we process:

When you place an order

Name (first and last name), email address, billing address, shipping address, payment information (processed by Stripe; we do not store card details), order details (products, sizes, colours, quantities, amounts), and phone number (if provided for delivery).

When you sign up for our newsletter

Email address.

When you visit our website

IP address (anonymised where possible), browser type and version, device type, pages visited and interaction data, referral source, cookies and similar technologies (see “Cookies” section below).

When you contact us

Email address and any personal data you include in your message.

Why We Process Your Data and Our Legal Basis

Under the GDPR (Article 6), we need a lawful basis for every processing activity. Below we explain each purpose and its legal basis:

Processing and fulfilling your order — Data used: name, address, email, order details, payment data. Legal basis: Performance of a contract (Art. 6(1)(b)).

Sending order confirmation, shipping updates and delivery notifications — Data used: name, email, order details, tracking info. Legal basis: Performance of a contract (Art. 6(1)(b)).

Sending cart recovery emails — Data used: email, cart contents. Legal basis: Legitimate interest (Art. 6(1)(f)) — recovering abandoned purchases. You can opt out at any time.

Processing payments — Data used: payment details, name, email, billing address. Legal basis: Performance of a contract (Art. 6(1)(b)).

Tax and financial administration — Data used: order data, invoices, transaction records. Legal basis: Legal obligation (Art. 6(1)(c)) — Dutch fiscal retention obligation (Algemene wet inzake rijksbelastingen).

Sending newsletters — Data used: email address. Legal basis: Consent (Art. 6(1)(a)) — you actively opt in and can withdraw at any time.

Website analytics (GA4) — Data used: anonymised usage data, cookies. Legal basis: Consent (Art. 6(1)(a)) — only activated after you accept analytical cookies.

Advertising and remarketing (Meta Pixel) — Data used: pseudonymised usage data, cookies. Legal basis: Consent (Art. 6(1)(a)) — only activated after you accept marketing cookies.

Fraud prevention and security — Data used: IP address, transaction data. Legal basis: Legitimate interest (Art. 6(1)(f)) — protecting our business and customers.

Improving our website and services — Data used: aggregated, anonymised usage data. Legal basis: Legitimate interest (Art. 6(1)(f)).

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interest, you have the right to object (see “Your Rights” below).

Who We Share Your Data With

We only share your personal data with third parties when it is necessary for the purposes described above. We never sell your personal data.

Service providers (processors)

Stripe — Payment processing. Data shared: name, email, billing/shipping address, payment details. Location: EU & US. Safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.

Promio — Order fulfilment (printing & shipping). Data shared: name, shipping address, order details. Location: Breda, The Netherlands.

Resend — Transactional emails & newsletter. Data shared: email address, name, order details. Location: US. Safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.

Hetzner — Web hosting & data storage. Data shared: all data processed through our website. Location: Germany (EU).

Google (Google Analytics 4, via GTM) — Website analytics. Data shared: anonymised usage data, IP address (anonymised), cookies. Location: EU & US. Safeguard: EU-US Data Privacy Framework.

Meta (Meta Pixel, via GTM) — Advertising & remarketing. Data shared: pseudonymised usage data, cookies. Location: EU & US. Safeguard: EU-US Data Privacy Framework.

We have data processing agreements in place with all processors. For transfers to the United States, our processors are certified under the EU-US Data Privacy Framework and/or we rely on EU Standard Contractual Clauses as additional safeguards.

We may also share your data with government authorities if legally required (e.g., tax authorities, law enforcement upon lawful request).

International Data Transfers

Some of our service providers are based in or transfer data to the United States. For these transfers, we rely on the following safeguards:

EU-US Data Privacy Framework (DPF): Stripe, Google, Meta, and Resend are certified under the DPF, which was granted an adequacy decision by the European Commission on 10 July 2023.

Standard Contractual Clauses (SCCs): Where applicable, we additionally rely on SCCs as approved by the European Commission.

Supplementary measures: Our processors implement encryption in transit and at rest, access controls, and other technical and organisational measures.

If the legal framework for international transfers changes, we will update our safeguards accordingly.

Cookies

Our website uses cookies and similar technologies. We distinguish three categories:

Functional cookies (always active)

These are strictly necessary for the website to function. They enable core features like navigation, session management, and your shopping cart. No consent is required for these cookies under Article 11.7a of the Dutch Telecommunications Act (Telecommunicatiewet).

Shopping cart data (stored in sessionStorage, not a cookie — no personal data) and language preference.

Analytical cookies (consent required)

We use Google Analytics 4 to understand how visitors use our website. These cookies are only placed after you give explicit consent via our cookie banner. Cookies used: _ga, _ga_* — Google Analytics visitor identification and session tracking.

Marketing cookies (consent required)

We use the Meta Pixel for advertising purposes. These cookies are only placed after you give explicit consent via our cookie banner. Cookies used: _fbp, _fbc — Meta Pixel identification and conversion tracking.

Cookie consent

When you first visit our website, a cookie banner asks for your consent. You can choose to accept all cookies or accept only necessary cookies. You can change your cookie preferences at any time through the cookie settings on our website. We use Google Consent Mode v2 to ensure that analytical and marketing cookies are only activated based on your choices.

Managing cookies in your browser

You can also manage or delete cookies through your browser settings. Note that disabling functional cookies may affect the functionality of our website.

How Long We Keep Your Data

We do not keep your personal data longer than necessary. The retention periods depend on the purpose:

Order and transaction data: 7 years after the end of the financial year — Dutch fiscal retention obligation (Art. 52 Algemene wet inzake rijksbelastingen).

Customer email for order communication: 7 years (linked to order data) — legal obligation.

Newsletter subscriber data: Until you unsubscribe — based on your consent.

Analytical data (GA4): According to Google’s default retention settings (14 months) — consent-based.

Marketing data (Meta Pixel): According to Meta’s retention policies — consent-based.

Cart recovery data: 30 days after cart abandonment — legitimate interest.

Contact/support correspondence: 2 years after last contact — legitimate interest.

After the retention period expires, we delete or anonymise the data.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15) — You can request a copy of the personal data we hold about you.

Right to rectification (Art. 16) — You can ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17) — You can ask us to delete your personal data, unless we have a legal obligation to keep it (e.g., tax records).

Right to restriction of processing (Art. 18) — You can ask us to temporarily restrict the processing of your data.

Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21) — You can object to processing based on legitimate interest or direct marketing. For direct marketing, we will always stop immediately.

Right to withdraw consent (Art. 7) — Where processing is based on consent (newsletter, cookies), you can withdraw at any time.

Right to lodge a complaint — You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

How to exercise your rights

Send your request to hey@vivelaflex.com. We will respond within one month. If your request is complex, we may extend this by two additional months, but we will inform you of this within the first month. We may ask you to verify your identity before processing your request.

Supervisory authority

Autoriteit Persoonsgegevens — Website: autoriteitpersoonsgegevens.nl — Phone: 088 - 1805 250

Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/HTTPS) and at rest; access controls and authentication; regular security updates and monitoring; data processing agreements with all service providers; self-hosted CMS and database on EU servers (Hetzner, Germany).

No system is completely secure. If you suspect a data breach involving your personal data, please contact us immediately at hey@vivelaflex.com.

Minors

Our website and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us at hey@vivelaflex.com and we will delete it promptly.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Changes to This Privacy Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you via our website. The date at the top of this page indicates when the policy was last updated. We recommend reviewing this page periodically.

Contact

If you have any questions about this privacy policy, your personal data, or your rights, please contact us:

Vive la Flex

Email: hey@vivelaflex.com

Website: vivelaflex.com