Privacy Policy
Effective date: 9 May 2026
Last updated: 9 May 2026
1. Introduction
This Privacy Policy explains how ZAAL (“ZAAL”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data in connection with the websites zaal.cc (including any current or future subdomains) and tarekzaal.com (collectively, the “Website”), the related online store, and all communications and services connected to them (collectively, the “Services”).
ZAAL is committed to protecting your privacy and processing your personal data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Dutch Implementation Act of the GDPR (Uitvoeringswet AVG), the Dutch Telecommunications Act (Telecommunicatiewet), and all other applicable Dutch and European data protection laws.
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for the processing of your personal data is:
ZAAL (sole proprietorship, eenmanszaak)
Frank van der Goesstraat 5-H
1064 RP Amsterdam
The Netherlands
Chamber of Commerce (KVK) number: 72121076
VAT (BTW) number: NL002317666B56
Email: info@zaal.cc
Website: https://zaal.cc
For all privacy-related questions, requests, or complaints, please contact us at info@zaal.cc.
ZAAL is not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. The data controller serves as the primary contact for all privacy matters.
3. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data, including collection, recording, storage, use, disclosure, and erasure.
- Data Subject: the natural person to whom the personal data relates (you, the user or customer).
- Controller: the entity that determines the purposes and means of processing personal data (ZAAL).
- Processor: a third party that processes personal data on behalf of the Controller.
- Consent: any freely given, specific, informed, and unambiguous indication of your wishes signifying agreement to the processing of your personal data.
4. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
4.1 Data You Provide Directly
- Account data: name, email address, password (stored in hashed form), shipping and billing address, phone number, date of birth (if provided), and any optional profile information you submit.
- Order and transaction data: items purchased, order history, order value, shipping address, billing address, invoice details, and order status.
- Communication data: the content of any emails, contact form submissions, or other correspondence you send to us, including any personal data you choose to include.
- Marketing preferences: your subscription status, communication preferences, and consent records for marketing communications.
- Reviews and user-generated content: any review, rating, photo, or comment you submit (in the future, via Trustpilot or a similar platform).
4.2 Data Collected Automatically
- Device and technical data: IP address, device type, operating system, browser type and version, screen resolution, language preferences, and time zone.
- Usage data: pages visited, time spent on pages, click paths, referring URLs, search queries, products viewed, items added to cart, and conversion events.
- Cookie and tracking data: identifiers and behavioural data collected via cookies, pixels, tags, and similar technologies (see Section 8).
- Location data: approximate geographic location derived from your IP address (country and city level only).
4.3 Data Collected from Third Parties
- Payment confirmation data: transaction status, payment method used, and limited identifying information from our payment processor (Mollie). We do not receive or store full payment card numbers.
- Shipping and delivery data: tracking status and delivery confirmations from carriers.
- Marketing and advertising data: audience segments, conversion data, and aggregated insights from advertising platforms (Meta, TikTok, Pinterest, Google).
- Authentication data: if you sign in via a third-party service in the future, basic profile information shared by that service.
4.4 Sensitive Data
We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data). Please do not submit such data to us through any of the Services.
5. Purposes and Legal Bases for Processing
We process your personal data for the purposes and on the legal bases set out below, as required by Article 6 GDPR.
| Purpose | Legal Basis |
|---|---|
| Creating and managing your customer account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing orders, payments, and deliveries | Performance of a contract (Art. 6(1)(b) GDPR) |
| Providing customer support and responding to enquiries | Performance of a contract / legitimate interests (Art. 6(1)(b) and (f) GDPR) |
| Issuing invoices and meeting tax and accounting obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Sending newsletters and marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Sending abandoned cart reminders | Consent or legitimate interests (Art. 6(1)(a) or (f) GDPR), depending on jurisdiction |
| Personalising content and product recommendations | Consent (Art. 6(1)(a) GDPR) |
| Operating analytics and measuring Website performance | Consent (Art. 6(1)(a) GDPR), except for strictly necessary cookies |
| Running advertising campaigns and retargeting | Consent (Art. 6(1)(a) GDPR) |
| Preventing fraud, securing the Website, and protecting our legal rights | Legitimate interests (Art. 6(1)(f) GDPR) |
| Complying with legal requests and obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Improving products, services, and user experience | Legitimate interests (Art. 6(1)(f) GDPR) |
Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of this balancing test by contacting us at info@zaal.cc.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
6. How We Collect Your Data
We collect personal data through the following channels:
- Direct submissions when you create an account, place an order, subscribe to our newsletter, contact us, or submit a review.
- Automated technologies including cookies, pixels, server logs, and similar tracking technologies when you interact with the Website.
- Third-party services and integrations, including payment processors, shipping carriers, advertising platforms, and analytics providers.
7. Recipients of Personal Data and Third-Party Processors
We share personal data only with the recipients listed below, and only to the extent necessary for the purposes described in this Privacy Policy. All third-party processors are bound by data processing agreements (DPAs) in accordance with Article 28 GDPR.
7.1 Hosting and Infrastructure
- DIGIZAAL (website hosting, EU-based servers).
- Internal administrators with access to back-end systems, including the data controller and a designated technical administrator (immediate family member supporting development), who is bound by confidentiality.
7.2 Payment Processing
- Mollie B.V. (Keizersgracht 313, 1016 EE Amsterdam, the Netherlands) processes all payments through the Website. Mollie acts as an independent data controller for fraud prevention and regulatory compliance purposes. Their privacy statement is available at https://www.mollie.com/privacy.
7.3 Shipping and Logistics
- Shipping carriers selected to deliver your order, which may include but are not limited to PostNL, DHL, DPD, UPS, FedEx, and other regional or international carriers. The carrier used depends on your destination and the service selected at checkout. Each carrier acts as an independent data controller for delivery purposes and is governed by its own privacy policy.
- A shipping aggregator platform (such as Sendcloud or an equivalent) may be used in the future to manage label generation and tracking.
7.4 Email Marketing and Customer Communication
We use one or more of the following email marketing and automation platforms to send transactional emails, newsletters, abandoned cart reminders, and other communications. The specific provider in use at any given time will be disclosed upon request:
- Mailchimp (operated by Intuit Inc., USA)
- Klaviyo (operated by Klaviyo Inc., USA)
- MailerLite (operated by MailerLite Limited, Ireland)
- Brevo (operated by Sendinblue SAS, France)
- Omnisend (operated by Soundest Limited, United Kingdom)
7.5 Analytics
- Google Analytics 4 (GA4), operated by Google Ireland Limited. We use GA4 in its standard configuration with cookie consent required prior to data collection. Data is retained for 14 months by default. We have configured GA4 to anonymise IP addresses and disable advertising features unless additional consent is obtained.
7.6 Advertising and Conversion Tracking
The following advertising and tracking pixels and tags are deployed on the Website, subject to your cookie consent:
- Meta Pixel (Meta Platforms Ireland Limited), used for conversion tracking, audience building, and retargeting on Facebook and Instagram.
- TikTok Pixel (TikTok Information Technologies UK Limited / TikTok Ireland), used for conversion tracking and advertising on TikTok.
- Pinterest Tag (Pinterest Europe Limited), used for conversion tracking and advertising on Pinterest.
- Google Ads conversion tracking and remarketing (Google Ireland Limited).
These services may combine the data they receive with other information they hold and may use it for their own purposes as described in their respective privacy policies.
7.7 Reviews
- A reviews platform such as Trustpilot (Trustpilot A/S, Denmark) may be implemented in the future to collect and display customer reviews.
7.8 Artificial Intelligence Tools
We use artificial intelligence (AI) tools to assist with internal operations, including drafting communications, supporting customer service, generating product content, and analysing operational data. When personal data is processed using AI tools, we ensure that:
- Only the minimum necessary data is provided to such tools.
- The providers of these tools are bound by appropriate confidentiality and data protection terms.
- No automated decision-making with legal or similarly significant effects on you takes place (see Section 13).
The AI tools currently in use may include large language models and generative AI services provided by reputable vendors operating under enterprise or professional terms that prohibit the use of customer data for model training. The specific vendors in use will be disclosed upon written request.
7.9 Influencer and Affiliate Partners (Forward-Looking)
In the future, we may engage influencers, content creators, and affiliate partners to promote our products. Where such partnerships involve unique discount codes, tracked links, or affiliate platforms, limited data (such as the use of a specific code or link, the order value associated with it, and aggregated conversion statistics) may be shared with the partner solely for commission tracking and campaign reporting. We will not share your name, contact details, or detailed order history with influencers or affiliates without your explicit consent. This Privacy Policy will be updated when such partnerships become active.
7.10 Other Recipients
We may share personal data with:
- Professional advisors (accountants, legal counsel) bound by confidentiality.
- Public authorities, regulators, or law enforcement agencies where required by law.
- Successors in interest in the event of a merger, acquisition, or business transfer, subject to confidentiality obligations and prior notice where legally required.
8. Cookies and Similar Technologies
The Website uses cookies, pixels, local storage, and similar tracking technologies to function correctly, to analyse usage, to support marketing, and to personalise your experience.
We classify cookies into the following categories:
- Strictly necessary cookies: required for the Website to function (for example, session management, authentication, shopping cart contents). These do not require consent.
- Functional cookies: remember preferences such as language and region.
- Analytics cookies: measure Website usage and performance (for example, GA4).
- Marketing and advertising cookies: track behaviour for retargeting, audience building, and conversion measurement (for example, Meta Pixel, TikTok Pixel, Pinterest Tag, Google Ads).
Where required by law, we will obtain your consent before placing non-essential cookies. You can manage your cookie preferences at any time through the cookie banner on the Website or through your browser settings.
A separate Cookie Policy is available on the Website and provides a detailed list of cookies in use, their purpose, duration, and the third parties that set them. Please refer to that document for full information.
9. International Data Transfers
ZAAL ships internationally and uses service providers based both inside and outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Articles 44 to 49 GDPR. These safeguards may include:
- Transfers to countries that have received an adequacy decision from the European Commission.
- Transfers based on Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers based on the EU-US Data Privacy Framework, where the recipient is certified.
- Supplementary technical and organisational measures where required by the Court of Justice of the European Union’s Schrems II ruling.
When you place an order to be shipped outside the EEA, certain personal data (such as your name, address, contact details, and order contents) will necessarily be transferred to the destination country in order to complete delivery and clear customs.
A copy of the safeguards in place for any specific transfer may be requested by contacting us at info@zaal.cc.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Account data | For as long as your account remains active, plus 14 months after closure or last activity. |
| Order and transaction records, invoices, and tax-related data | 7 years after the end of the relevant fiscal year (mandatory under Article 52 of the Dutch General Tax Act, Algemene wet inzake rijksbelastingen). |
| Customer support correspondence | 14 months from the date of last contact. |
| Newsletter and marketing data | Until you withdraw consent or unsubscribe, plus 14 months for suppression list maintenance. |
| Analytics data (GA4) | 14 months. |
| Advertising and tracking pixel data | As determined by the relevant platform, typically up to 13 months, subject to your consent. |
| Cookie consent records | Up to 12 months, after which consent is requested again. |
| Server logs and security logs | Up to 14 months. |
| Reviews and user-generated content | For as long as displayed publicly, or until removal is requested. |
After the applicable retention period expires, personal data is deleted or irreversibly anonymised, except where longer retention is required by law or necessary to establish, exercise, or defend legal claims.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (SSL/TLS).
- Hashed and salted passwords.
- Access controls and authentication for back-end systems.
- Restricted administrator access on a need-to-know basis.
- Regular software and security updates for the Website, hosting environment, and integrated services.
- Selection of processors that provide sufficient guarantees of GDPR compliance.
- Confidentiality obligations for all individuals with access to personal data.
Despite these measures, no method of transmission over the internet or electronic storage is fully secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and, where required, inform affected data subjects without undue delay, in accordance with Articles 33 and 34 GDPR.
12. Your Rights Under the GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to rectification (Art. 16 GDPR): to have inaccurate or incomplete personal data corrected.
- Right to erasure / right to be forgotten (Art. 17 GDPR): to have your personal data deleted in certain circumstances.
- Right to restriction of processing (Art. 18 GDPR): to have processing of your personal data restricted in certain circumstances.
- Right to data portability (Art. 20 GDPR): to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object (Art. 21 GDPR): to object to processing based on legitimate interests, including for direct marketing purposes.
- Right to withdraw consent (Art. 7 GDPR): to withdraw any consent you have given at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right not to be subject to automated decision-making (Art. 22 GDPR): see Section 13.
- Right to lodge a complaint: with a supervisory authority (see Section 16).
How to Exercise Your Rights
To exercise any of these rights, please send a written request to info@zaal.cc with the subject line “GDPR Request” and include:
- Your full name and the email address associated with your account or order.
- A clear description of the right you wish to exercise.
- Sufficient information to verify your identity. We may request proof of identity to prevent unauthorised disclosure.
We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension and the reasons for it.
There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive (in particular, where they are repetitive), in which case we may charge a reasonable fee or refuse to act on the request, as permitted by Article 12(5) GDPR.
13. Automated Decision-Making and Profiling
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.
We may use automated tools (including AI-assisted tools and advertising platforms) to:
- Personalise marketing content and recommendations.
- Segment audiences for advertising.
- Detect fraudulent or suspicious activity.
These activities do not result in legally binding or similarly significant decisions about you. If this changes, we will update this Privacy Policy and obtain any consent required by law.
14. Children’s Privacy
The Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you are a parent or legal guardian and believe that your child has provided us with personal data without your consent, please contact us at info@zaal.cc and we will promptly delete the data.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The updated version will be indicated by an updated “Last updated” date at the top of this policy and will be effective as soon as it is published on the Website.
Where changes are material, we will provide additional notice by email or through a prominent notice on the Website. We encourage you to review this Privacy Policy periodically.
16. Complaints and Supervisory Authority
If you have any concerns or complaints about how we handle your personal data, we encourage you to contact us first at info@zaal.cc so that we can address the matter directly.
You also have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
The Netherlands
Website: https://www.autoriteitpersoonsgegevens.nl
Telephone: +31 (0)88 1805 250
If you are resident in another EU/EEA member state, you may also lodge a complaint with the supervisory authority of your country of residence or place of the alleged infringement.
17. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at:
ZAAL
Frank van der Goesstraat 5-H
1064 RP Amsterdam
The Netherlands
Email: info@zaal.cc
KVK: 72121076
VAT: NL002317666B56
