Last updated: 2026-05-13
This Privacy Policy describes what personal data AutoSound24 — a trading name of LEUPEN Group B.V. — collects when you visit our website or place an order, for what purpose we use this data, with whom we share it, how long we retain it, and what rights you have. This policy has been drafted in accordance with the General Data Protection Regulation (GDPR) and, for the United Kingdom, the UK GDPR + Data Protection Act 2018.
1. Data controller
The data controller responsible for the processing of your personal data is:
LEUPEN Group B.V.
Tocht 18, 1713 GP Obdam, the Netherlands
KvK number: 91997143
BTW (VAT) number: NL865844999B01
Email: privacy@leupen-group.com
We have not appointed a Data Protection Officer (DPO) because this is not mandatory for our size and activities under the GDPR. You can direct any questions about privacy to the email address above.
2. What data we collect
We only collect data that is necessary for executing your order, managing your account, or for purposes for which you have given explicit consent.
2.1 Data you provide to us yourself
- Name, address, city, phone number, and email address (when ordering, creating an account, or using the contact form)
- Billing and delivery address
- For business customers: company name, KvK number, BTW (VAT) number
- Order history and payment method (payment details are not stored by us — see section 4)
- Any question or complaint content when contacting us
2.2 Data collected automatically
- IP address and general location information derived from that IP address (country, region)
- Browser type, operating system, screen resolution
- Visited pages, click behaviour, and session duration (only after "Statistics" consent)
- Originating advertising channel — Google Ads, Meta, TikTok — if you arrive via an advertisement (only after "Marketing" consent)
We do not collect special categories of personal data (such as ethnic origin, religious beliefs, health, political preferences, or sexual orientation).
3. Purposes and legal bases of processing
| Purpose | Legal basis (GDPR Art. 6) | Retention period |
|---|---|---|
| Handling of your order, delivery, and invoicing | Performance of a contract (6(1)(b)) | 7 years (fiscal retention obligation) |
| Customer account and order history | Performance of a contract (6(1)(b)) | Until account deletion + 2 years |
| Answering questions via contact form or email | Legitimate interest — customer service (6(1)(f)) | 2 years after last contact |
| Newsletter and marketing emails | Consent (6(1)(a)) | Until unsubscription |
| Product reviews via WebwinkelKeur | Consent (6(1)(a)) — upon invitation | In accordance with WebwinkelKeur policy |
| Statistics and site improvement (Google Analytics 4) | Consent (6(1)(a)) | 14 months (GA4 retention setting) |
| Ad attribution and remarketing (Meta, TikTok, Google Ads) | Consent (6(1)(a)) | 90 days to 13 months (per platform) |
| Fraud prevention and IT security (server logs) | Legitimate interest (6(1)(f)) | 30 days |
| Storing consent choice (audit log) | Legal obligation (6(1)(c) — burden of proof GDPR Art. 7) | 25 months |
| Fiscal administration | Legal obligation (6(1)(c)) | 7 years |
4. How we measure and advertise — hybrid server-side architecture
To measure site usage and assess our advertising effectiveness, we use a hybrid approach that we have deliberately chosen to better protect your privacy than a traditional setup with tracking pixels in the browser.
4.1 What we do
- Google Analytics 4 (gtag.js, client-side): anonymously measures how visitors use the site. Only active after your consent. IP addresses are anonymised by Google before they are stored.
- Google Analytics 4 — server-side purchase registration: as soon as you complete a payment, our server (not your browser) sends a purchase event to Google with the order value and products. Personal data is sent as a SHA-256 hash.
- Meta Conversions API (server-side): we send purchase events directly from our server to Meta for ad attribution. We do not use a Facebook Pixel script in your browser.
- TikTok Events API (server-side): likewise, only server-side, no TikTok Pixel script in your browser.
- WebwinkelKeur: after an order, we may invite you to leave a review — only if you have given marketing consent.
4.2 What we deliberately do not do
- No Google Tag Manager (web container) — we manage tracking code directly in our source code.
- No Facebook Pixel JavaScript (fbevents.js) in your browser.
- No TikTok Pixel JavaScript in your browser.
- No third-party tracking networks such as AddThis, Criteo, or similar advertising partners that build profiles across multiple websites.
- No selling or renting of your personal data to third parties for their own marketing purposes.
A complete overview of cookies can be found in our Cookie Policy.
5. With whom we share data
We only share your data with parties that are necessary for the execution of your order, for legal obligations, or for which you have given explicit consent. We conclude a data processing agreement with all these parties.
5.1 Transfer outside the European Economic Area (EEA)
A number of our suppliers are located in the United States. We base the lawfulness of this transfer on the EU-U.S. Data Privacy Framework (DPF) — a mechanism recognised as adequate by the European Commission — or on Standard Contractual Clauses (SCCs) with supplementary technical measures.
| Party | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting of this website (servers in EU region) | US | DPF (active, annual review) |
| Neon Database | Database hosting (EU region) | US | DPF (active) |
| Google LLC | Google Analytics 4, Google Ads | US | DPF (active until 13 September 2026, commercial + HR data) |
| Meta Platforms Inc. | Meta Conversions API (ad attribution) | US | DPF (active until 23 July 2026, commercial data) |
| TikTok (ByteDance) | TikTok Events API (ad attribution) | US / Ireland / Singapore | No DPF — SCCs with supplementary technical measures ("Project Clover"). Increased risk profile — we only share hashed identifiers. |
| Mollie B.V. | Payment processing — we do not receive credit card or bank details | the Netherlands (EU) | Not applicable — within EEA |
| WebwinkelKeur B.V. | Customer reviews | the Netherlands (EU) | Not applicable — within EEA |
| DHL / PostNL / GLS / DPD | Delivery of your order | EU | Not applicable — within EEA |
| Accounting firm | Fiscal administration | the Netherlands (EU) | Not applicable — within EEA |
We only provide your data on the basis of a legal obligation or an order from a judicial or administrative authority. We never sell or rent your personal data to third parties for their own marketing purposes.
6. Security
We take appropriate technical and organisational measures to protect your personal data against loss, unlawful processing, or unauthorised access:
- All connections to our site are via HTTPS (TLS 1.3)
- Passwords are stored as a one-way hash (bcrypt)
- Our database is "encrypted at rest" via Neon Database
- Access to personal data within our organisation is limited to employees who need it for their work
- We periodically conduct security audits and keep our software up to date
- We do not store payment card details — these are processed directly by Mollie
7. Data breaches
Should a data breach unexpectedly occur, we will report it to the Information Commissioner's Office (ICO) within 72 hours of discovery, provided the breach poses a risk to your rights and freedoms. In the event of a high risk, we will also notify you personally.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — you can request an overview of what data we process about you.
- Right to rectification (Art. 16) — you can have incorrect or incomplete data corrected.
- Right to erasure (Art. 17, "right to be forgotten") — you can request the deletion of your data, subject to legal retention periods (for example, the fiscal retention obligation of 7 years).
- Right to restriction of processing (Art. 18) — you can request to temporarily halt processing.
- Right to data portability (Art. 20) — you can request a machine-readable export of your data.
- Right to object (Art. 21) — you can object to processing based on legitimate interest or direct marketing.
- Right to withdraw consent (Art. 7(3)) — for processing based on consent, at any time, without affecting data already processed. You can withdraw cookie consent via the Cookie Preferences button in the footer.
8.1 How to submit a request
Send your request by email to privacy@leupen-group.com. To prevent abuse, we may ask you to prove your identity (for example, via a copy of your identity document on which you have blacked out your national identification number and passport photo). We will respond within 30 days of receiving a complete request.
9. Automated decision-making and profiling
We do not make fully automated decisions with legal or similarly significant effects on you within the meaning of GDPR Art. 22. We do use — only after your consent — aggregated segmentation for advertising purposes (for example: "visitors of category X receive advertisements for product line Y"). In doing so, we do not build an individual personal profile.
10. Complaints
Do you have a complaint about how we handle your data? Please contact us first via privacy@leupen-group.com. If we cannot resolve it together, you can:
- Submit your complaint to your national data protection supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO) (ico.org.uk).
- For disputes arising from an online purchase, you can use the European Online Dispute Resolution (ODR) platform: ec.europa.eu/odr.
11. Changes to this policy
We reserve the right to amend this Privacy Policy, for example in the event of legislative changes, new suppliers, or changed processing activities. The date at the top of this page shows when this version was updated. In the event of material changes that affect your rights, we will inform you via email (if you have an account) or a prominent notice on our site.
12. Contact
LEUPEN Group B.V.
Tocht 18, 1713 GP Obdam, the Netherlands
KvK 91997143 — BTW (VAT) NL865844999B01
Email: privacy@leupen-group.com