Privacy Policy – The Hidden Page (THP)
Last updated: [DD Month YYYY]
This Privacy Policy explains how The Hidden Page ("THP", "we", "us") collects, uses, discloses, and protects personal data when you visit our website, create an account, request information, subscribe to communications, or purchase items. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and, where applicable, the ePrivacy rules on cookies and similar technologies.
1. Controller and contact details
Controller: Corpat bv trading as The Hidden Page.
Address: Oude Molenstraat 3, 8550 Zwevegem, Belgium.
THP is established in Belgium. For certain cross-border processing within the EEA, the Belgian supervisory authority may act as lead authority, where applicable.
Email (privacy): info@thehiddenpage.fr
If we appoint a Data Protection Officer (DPO), we will publish the DPO contact details on this page.
2. Scope
Website visitors (including device and log data).
Account holders and buyers (order and payment-related data).
Newsletter subscribers and marketing audiences.
People who contact us (email, forms, social media, or customer support).
3. Personal data we collect
3.1 Data you provide
Identity and contact data: name, title, email address, telephone number, billing and delivery address.
Account data: login credentials (hashed), language and communication preferences.
Transaction data: items purchased, order history, invoices, delivery instructions, and customer service interactions.
Content you send us: messages, appraisal or sourcing requests, and any attachments you provide.
3.2 Data collected automatically
Technical data: IP address, device type, browser, operating system, referral URL, and approximate location derived from IP.
Usage data: pages viewed, clicks, time spent, and error logs (via cookies or similar technologies, where permitted).
3.3 Data from third parties
Payment status and tokenised payment references from our payment service provider (we do not store full card numbers).
Shipping updates from carriers (delivery status and tracking).
If you engage with us on third-party platforms (e.g., Instagram), the data you share is governed by that platform’s privacy settings and policies.
4. Purposes and legal bases
We process personal data only when a lawful basis applies under the GDPR. Depending on context, we rely on:
Contract (Art. 6(1)(b) GDPR): to create and manage your account, process orders, deliver items, handle returns, and provide customer service.
Legal obligation (Art. 6(1)(c) GDPR): to comply with accounting, tax, anti-fraud, consumer, and record-keeping requirements.
Legitimate interests (Art. 6(1)(f) GDPR): to secure and improve our services, prevent fraud, manage disputes, and operate our business efficiently (balanced against your rights).
Consent (Art. 6(1)(a) GDPR): for marketing emails where required, and for non-essential cookies/trackers.
Examples of processing
Order fulfilment and logistics, including delivery notifications.
Customer support, warranty/return handling, and dispute resolution.
Website security, debugging, and performance monitoring.
Marketing and communications (newsletter, launch updates, curated selections) when you opt in or where soft opt-in applies under applicable law.
5. Cookies and similar technologies
We use cookies and similar technologies to provide core website functions and, with your consent where required, to measure audience and improve our services.
5.1 Strictly necessary cookies
These cookies are required for core functionality (e.g., language preference, session security, shopping cart). They are set based on our legitimate interests and/or to perform the service you request.
5.2 Preference, analytics, and marketing cookies
These cookies (or third-party tags) are used only with your consent where required by the ePrivacy rules. You can change your choices at any time via our cookie settings.
5.3 Managing your choices
You may also configure your browser to delete or block cookies; however, some site features may not function properly. Where required, refusing non-essential cookies will not prevent you from accessing the website.
6. Sharing and recipients
We do not sell your personal data. We may share data only with:
Service providers acting as processors (e.g., hosting, e-commerce platform, email delivery, analytics, customer support tools) under written data processing agreements.
Payment service providers and banks to process payments and prevent fraud (as independent controllers or processors, depending on the service).
Shipping and logistics partners to deliver orders.
Professional advisers (lawyers, accountants) and authorities where disclosure is required by law.
7. International transfers
If personal data is transferred outside the European Economic Area (EEA), the UK, or Switzerland, we ensure appropriate safeguards in accordance with Chapter V GDPR. This may include:
An adequacy decision by the European Commission (where applicable).
Standard Contractual Clauses (SCCs) plus, where needed, supplementary measures.
Other lawful transfer mechanisms recognised under the GDPR.
You can request information about the safeguards used for specific transfers by contacting us.
8. Data retention
We retain personal data only for as long as necessary for the purposes described above, unless a longer retention period is required or permitted by law. Typical retention periods include:
Account data: for the life of the account, and up to 10 years after last activity (unless you delete the account, subject to legal obligations).
Order and invoicing records: typically 10 years to comply with accounting and tax rules (country-dependent).
Customer support correspondence: up to 3 years after the ticket is closed (unless needed for disputes).
Marketing lists: until you unsubscribe or object, plus a limited suppression list to respect your opt-out.
Cookie/analytics data: according to cookie category settings, generally up to 13 months for consent/cookie preference records (a common EEA supervisory practice; actual duration can differ by tool).
9. Security
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit (TLS), least-privilege access, and vendor security reviews. No method of transmission or storage is completely secure; however, we continuously work to protect your information.
10. Your rights
Subject to conditions and exceptions in applicable law, you have the right to:
Access your personal data and obtain a copy.
Rectify inaccurate or incomplete data.
Request erasure ("right to be forgotten").
Restrict processing.
Object to processing based on legitimate interests, including direct marketing.
Request data portability for data you provided to us, where processing is based on consent or contract.
Withdraw consent at any time where processing is based on consent (without affecting prior processing).
To exercise your rights, contact us using the details above. We may need to verify your identity.
11. Children
Our services are not directed to children. We do not knowingly collect personal data from children without appropriate consent. If you believe a child has provided us with data, contact us so we can take appropriate steps.
12. Complaints and supervisory authorities
If you are in the EEA, you have the right to lodge a complaint with your local data protection authority. For Belgium, the competent supervisory authority is the Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA).
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on our website and update the “Last updated” date. Material changes may also be communicated by email where appropriate.
14. Contact
For privacy-related questions or requests, contact: [privacy@thehiddenpage.xx].