Privacy Policy

How we protect and process your personal data.

Privacy Policy of Sativus.com

This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have under the GDPR.

GDPR compliant (EU) · Cookie consent controls · B2C & B2B · Updated transparency

Overview

This policy explains in plain language what we collect, why we process it, and how you can exercise your rights. It applies to webshop visitors, customers, and B2B contacts.

Effective date and controller

Key policy details

Effective date: 16 February 2026
Last updated: 16 February 2026
Controller: Bloembollenbedrijf J.C. Koot

1. Introduction

Controller and scope

Bloembollenbedrijf J.C. Koot, operating under the name Sativus.com, located at Vennewatersweg 29, 1935 AR Egmond-Binnen, The Netherlands, is the data controller responsible for the processing of personal data as described in this Privacy Policy.

We respect your privacy and process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Dutch data protection laws.

This Privacy Policy applies to all users of our website, webshop, B2B services, and related communications.

2. Personal data we collect

Categories of data

Depending on how you use our services, we may collect:

Identity and contact data

  • Name
  • Company name (if applicable)
  • Email address
  • Telephone number
  • Billing and shipping address
  • VAT number (for B2B customers)

Account data

  • Login credentials
  • Order history
  • Customer ID

Payment data

Payments are processed securely via third-party providers (e.g., Stripe, PayPal). We do not store full credit card details.

Technical data

  • IP address
  • Browser type
  • Device information
  • Cookies
  • Usage data

Communication data

  • Messages via contact forms
  • Email correspondence
  • WhatsApp Business messages

Note: We do not process sensitive personal data (such as medical, biometric, or religious data).

3. Legal bases for processing (Article 6 GDPR)

Why we are allowed to process data

We process personal data based on the following legal grounds:

Performance of a contract (Art. 6(1)(b))

  • Processing orders
  • Delivering products
  • Customer account management
  • Payment handling

Legal obligation (Art. 6(1)(c))

  • Tax and accounting obligations (Dutch fiscal retention requirements)

Legitimate interest (Art. 6(1)(f))

  • Fraud prevention
  • Website security
  • Service improvement
  • Responding to inquiries

Consent (Art. 6(1)(a))

  • Marketing cookies
  • Analytics cookies (where required)
  • Review invitations (where applicable)

You may withdraw consent at any time.

4. Purposes of processing

What we use data for

We use personal data to:

  • Process and deliver orders
  • Provide customer service
  • Manage B2B quotations and invoices
  • Prevent fraud and misuse
  • Improve website performance
  • Comply with legal obligations
  • Send review invitations via Trustpilot
  • Analyze website usage (Google Analytics, Microsoft Clarity)

We do not engage in automated decision-making or profiling that produces legal effects.

5. Data retention periods

How long we keep data

We retain personal data only as long as necessary:

  • Order and invoice data: 7 years (Dutch tax law)
  • Customer accounts: Until account deletion or 2 years of inactivity
  • Contact form submissions: 12 months
  • WhatsApp communications: As long as necessary for customer service
  • Analytics data: Maximum 14 months
  • Marketing data (if applicable in future): Until withdrawal of consent

After these periods, data is securely deleted or anonymized.

6. Third-party processors

Who processes data on our behalf

We work with trusted service providers who may process data on our behalf. These parties act as data processors and process data under contractual agreements where applicable.

  • Shopify - E-commerce platform and hosting
  • Render - Hosting provider for B2B application
  • Stripe - Payment processing (including local payment methods)
  • PayPal - Payment processing
  • Exact Online - Accounting software
  • Sendcloud - Shipping services
  • Trustpilot A/S - Review invitations
  • Google LLC - Analytics, Ads, Tag Manager, Gmail, reCAPTCHA
  • Meta Platforms, Inc. - Facebook Pixel, WhatsApp Business
  • Microsoft - Microsoft Clarity
  • Consentmo GDPR - Cookie consent management

7. International data transfers

Transfers outside the EEA

Some of our service providers are located outside the European Economic Area (EEA), including the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Certification under the EU-U.S. Data Privacy Framework (where applicable)

8. Cookies and tracking technologies

Consent and preferences

We use cookies and similar technologies to:

  • Ensure website functionality
  • Analyze website usage
  • Improve performance
  • Measure marketing effectiveness

We use a cookie consent tool (Consentmo GDPR) allowing visitors to accept or reject non-essential cookies. Marketing and analytics cookies are only placed after consent where required.

You can adjust your preferences at any time via the cookie settings.

9. Security measures

Technical and organizational measures

We implement appropriate technical and organizational measures, including:

  • SSL encryption (HTTPS)
  • Secure hosting environments
  • Two-factor authentication for administrators
  • Fraud detection tools
  • Access controls
  • Data backups

10. Children's privacy

Age limitation

Our services are not intended for individuals under 16 years of age.

We do not knowingly collect personal data from children under 16.

11. Your rights under GDPR

How to exercise your rights

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

12. Contact information

Get in touch about privacy

Bloembollenbedrijf J.C. Koot
Vennewatersweg 29
1935 AR Egmond-Binnen
The Netherlands

Email: j.c.koot@sativus.com
Phone: +31 6 24590389

13. Changes to this policy

How updates are handled

We may update this Privacy Policy from time to time. The most recent version will always be available on our website.
