Effective Date: 01/02/2026
Last Revised: 01/02/2026
PREAMBLE
This Privacy Policy and Data Protection Notice (hereinafter referred to as the “Policy”) sets forth the legally binding privacy principles governing the use of Black-Hole Design, operated by Black-Hole Design (hereinafter “the Company,” “we,” “our,” or “us”).
Pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter “GDPR”) and applicable national data protection legislation, this Policy constitutes the legally required notification to inform you (hereinafter the “Data Subject” or “User”) regarding the nature, scope, and purpose of the collection, processing, and use of personal data.
1. DEFINITIONS
For the purposes of this Policy, the following definitions shall apply in accordance with Article 4 of the GDPR:
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
2. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The legal entity acting as the Data Controller responsible for the processing of your Personal Data is:
- Entity Name: Black-Hole Design
- Registration Number: BE1015885750
- Data Protection Officer (DPO) / Privacy Contact: info@black-hole.design
3. STRICT DATA LOCALIZATION AND TERRITORIAL LIMITATION
3.1. Exclusive EU Data Storage: The Controller explicitly represents, warrants, and guarantees that all Personal Data collected through the Website is transmitted to, stored, and processed exclusively on physical servers maintained within the sovereign territory of the European Union (EU) and the European Economic Area (EEA). Our primary data infrastructure is hosted in the EU.
3.2. Prohibition of Third-Country Transfers: We strictly prohibit the transfer of your Personal Data to “third countries” (jurisdictions outside the EU/EEA) or international organizations. In the event that the Controller engages third-party Processors, such engagement is strictly conditioned upon the Processor executing a legally binding Data Processing Agreement (DPA) that mandates EU-exclusive data storage and prohibits unauthorized cross-border data transfers pursuant to Chapter V of the GDPR.
4. CATEGORIES OF PERSONAL DATA PROCESSED
In the course of operating the Website, we may collect and process the following categories of Personal Data:
- Identity Data: Legal name, aliases, username, date of birth, and title.
- Contact Information: Primary email address, billing address, delivery address, and telephone numbers.
- Financial Data: Bank account details and payment card information (processed entirely via secure, PCI-DSS compliant third-party payment gateways; we do not retain full credit card numbers).
- Transaction Data: Historical records of products or services purchased, financial transactions, and related commercial activities.
- Technical and Network Data: Internet Protocol (IP) addresses, browser type and version, geographic location data, operating system and platform, time zone settings, and digital footprint logs (e.g., access times, referring URLs).
5. LAWFUL BASIS AND PURPOSES OF PROCESSING
Pursuant to Article 6 of the GDPR, the Controller strictly limits the processing of Personal Data to specific, explicit, and legitimate purposes. The following table delineates the purposes of processing, the categories of data involved, and the corresponding lawful basis:
| Purpose of Processing | Categories of Data Processed | Lawful Basis for Processing (GDPR Article 6) |
| --- | --- | --- |
| Contractual Fulfillment: To register you as a new customer, process orders, deliver goods/services, and manage payments. | Identity, Contact, Financial, Transaction | Article 6(1)(b): Necessary for the performance of a contract to which the Data Subject is party. |
| Website Operations & Security: To administer the Website, troubleshoot technical issues, ensure network security, and prevent fraudulent activity. | Technical and Network Data | Article 6(1)(f): Necessary for the purposes of the legitimate interests pursued by the Controller (i.e., network security and integrity). |
| Legal and Regulatory Compliance: To maintain legally mandated accounting records, tax documentation, and respond to lawful requests from authorities. | Identity, Contact, Transaction | Article 6(1)(c): Necessary for compliance with a legal obligation to which the Controller is subject. |
| Direct Marketing Communications: To deliver targeted promotional materials, newsletters, and commercial offers. | Identity, Contact | Article 6(1)(a): The Data Subject has given explicit, affirmative consent to the processing. |
6. DATA RETENTION AND STORAGE LIMITATION
In adherence to the storage limitation principle (Article 5(1)(e) of the GDPR), the Controller shall not retain Personal Data longer than is strictly necessary to fulfill the operational, commercial, or legal purposes for which it was originally collected.
- Customer Records: Retained for the duration of the commercial relationship, plus a statutory limitation period of [e.g., six (6) years] to comply with prevailing tax and accounting statutes.
- Consent-Based Data: Retained until such time as the Data Subject explicitly withdraws consent (e.g., unsubscribes from a newsletter), after which the data shall be securely purged without undue delay.
7. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (TOMS)
Pursuant to Article 32 of the GDPR, the Controller has implemented comprehensive technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, but are not limited to:
- Cryptographic hashing and encryption of Personal Data in transit (TLS/SSL protocols) and at rest.
- Implementation of principle-of-least-privilege (PoLP) access controls for all internal personnel.
- Regular penetration testing, vulnerability scanning, and auditing of our EU-based server infrastructure.
- Routine systematic backups to prevent data loss due to physical or technical incidents.
8. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
The Controller does not sell, trade, or otherwise commercially exploit your Personal Data. Disclosure to third parties is strictly limited to the following circumstances:
- Authorized Processors: We may disclose data to carefully vetted third-party service providers (e.g., EU-based hosting providers, EU-based analytics services) strictly for the purpose of facilitating our business operations. All such Processors are bound by rigorous Data Processing Agreements (DPAs) under Article 28 of the GDPR.
- Legal Process: We reserve the right to disclose Personal Data when compelled by a subpoena, court order, or formal request from a competent EU judicial or law enforcement authority.
9. EXERCISE OF DATA SUBJECT RIGHTS
Under Chapter III of the GDPR, you, as the Data Subject, possess enforceable legal rights regarding your Personal Data. You may exercise the following rights without prejudice:
- Right of Access (Art. 15): The right to obtain confirmation as to whether or not Personal Data concerning you is being processed, and access to a copy of said data.
- Right to Rectification (Art. 16): The right to compel the Controller to correct inaccurate or incomplete Personal Data.
- Right to Erasure / “Right to be Forgotten” (Art. 17): The right to mandate the deletion of Personal Data when it is no longer necessary in relation to the purposes for which it was collected, or if consent is withdrawn.
- Right to Restriction of Processing (Art. 18): The right to limit the processing of your Personal Data under specific legally defined circumstances.
- Right to Data Portability (Art. 20): The right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.
- Right to Object (Art. 21): The right to object, on grounds relating to your particular situation, to the processing of your Personal Data based on legitimate interests.
To exercise any of the aforementioned rights, formal written requests should be directed to info@black-hole.design. The Controller shall process and respond to all lawful requests within thirty (30) calendar days of receipt.
10. GOVERNING LAW AND JURISDICTION
This Privacy Policy, and any disputes arising out of or in connection with the processing of Personal Data hereunder, shall be governed by, construed, and interpreted in accordance with the laws of Belgium, without regard to its conflict of law principles.
11. RIGHT TO LODGE A COMPLAINT
Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a formal complaint with a Supervisory Authority, in particular in the EU Member State of their habitual residence, place of work, or place of the alleged infringement, if the Data Subject considers that the processing of Personal Data relating to them infringes upon the GDPR.