Privacy Statement
We respect your privacy and handle personal data with care. On this page we explain which data we collect and process, why we do so, how long we retain data, with whom we share data, and how we secure data.
Privacy & Data Handling Policy
1. Scope
This Privacy & Data Handling Policy explains how BRR Nederland / Black Rhythm Records (“we”, “us”, “our”) collects, processes, stores, uses, shares, and disposes of personal data.
This policy also covers data obtained through Amazon Selling Partner API (SP-API) and/or Seller Central that may include Personally Identifiable Information (PII), such as buyer name, address, telephone number, email address, and order-related information.
2. Categories of personal data we process
Depending on how you interact with us, we may process the following categories of personal data:
2.1 Customer and order information
- Full name
- Shipping and billing address
- Telephone number
- Email address
- Order details (products, quantities, order IDs)
- Delivery information (tracking numbers, carrier events)
- Customer messages related to order support
2.2 Amazon SP-API data
If we sell products through Amazon marketplaces, we may process Amazon customer/order data provided through SP-API for:
- Fulfillment operations
- Customer support
- Returns and delivery issue resolution
- Legal and accounting reconciliation
We do not use Amazon PII for marketing or profiling.
2.3 Website usage data (if applicable)
- IP address (may be considered personal data)
- Browser type / device information
- Website interaction data (e.g., pages visited)
3. Purposes and legal basis for processing
We only process personal data for legitimate business purposes, including:
- Order fulfillment and delivery: preparing shipments, generating shipping labels, handing over to carriers
- Customer service: responding to delivery issues, returns, questions, and complaints
- Compliance with legal obligations: tax/accounting retention requirements, fraud prevention, dispute handling
- Security and integrity: protecting systems, detecting unauthorized access or misuse
Legal bases include:
- Performance of a contract (order fulfillment)
- Legal obligations (tax/accounting rules)
- Legitimate interests (security, fraud prevention, service improvement)
4. Data minimization and acceptable use
We follow the principles of:
- Purpose limitation: data is used only for the stated purposes
- Data minimization: we only process data necessary for fulfillment/support/compliance
- Least privilege access: staff access only the data needed for their role
Amazon SP-API restricted data (PII) is used strictly for operational purposes related to Amazon selling activities.
5. How data is collected
We may collect personal data through:
- Orders placed via marketplaces (including Amazon)
- Customer communication (email/messages about orders)
- Website forms or customer contact channels (if applicable)
6. Storage and processing
Personal data is processed and stored within company-controlled systems, including:
- A company-managed application and database
- Internal operational systems for fulfillment and customer support
Sensitive data is not stored longer than necessary; where possible it is removed or anonymized once its operational use has ended.
7. Data sharing and third parties
We only share personal data when necessary for operational purposes, including:
7.1 Logistics and carriers
We may share limited personal data with shipping carriers (e.g., name/address) to deliver orders.
7.2 Service providers (if applicable)
We may use service providers for hosting, backups, or security. When used, such providers are bound by confidentiality and data protection obligations.
We do not sell personal data.
8. Data retention and disposal
We retain personal data only as long as necessary.
8.1 Operational retention (server/application)
- Amazon and other customer PII required for fulfillment/support is retained for a maximum of 60 days for operational follow-up (delivery exceptions, returns, customer inquiries).
- After this period, PII is deleted and/or anonymized in operational systems.
8.2 Legal retention
Certain data such as invoices and accounting records are retained for the legally required period.
8.3 Disposal
At the end of retention:
- data is securely deleted, anonymized, or otherwise disposed of
- access to deleted records is not possible through normal system operation
9. Security controls (technical and organizational measures)
We take security seriously and apply measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.
9.1 Access controls (least privilege)
- Unique user accounts (no shared credentials)
- Role-based access control (RBAC)
- Owner/admin has full access
- Operational employees have restricted access, limited to the fields and workflows their tasks require
9.2 Encryption
- Data stored on server storage is protected using encryption at rest (e.g., AES-256 disk/volume encryption where applicable)
- Backups are encrypted and access-restricted
- Credentials and secrets are not stored in source code
9.3 Logging and monitoring
We log and monitor relevant security events, including:
- authentication events (login success/failure)
- permission changes
- administrative actions and unusual access patterns
Suspicious activity triggers investigation and containment procedures.
9.4 Credential and password management
- strong password requirements (minimum 12 characters, passphrases allowed)
- MFA enabled where supported
- credentials rotated after incidents or staff offboarding
9.5 Incident response
We maintain an incident response process including:
- detection and triage
- containment (disable accounts, isolate systems)
- eradication and patching
- recovery and verification
- notification evaluation (including Amazon and regulators where required)
10. International transfers
Where data is processed outside the EU/EEA by third parties (if applicable), appropriate safeguards are applied.
11. Your rights
Depending on applicable law (e.g., GDPR), you may have rights such as:
- access to your personal data
- rectification
- deletion (where legally possible)
- restriction or objection
- data portability
Requests can be submitted via: privacy@<domain>.nl
12. Changes to this policy
We may update this policy periodically. The most recent version will always be published on this page.