Website under construction — launching soon
Skip to content
Legal

Privacy Policy

Last updated: 2026-05-21

This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.

1. The data controller

The controller responsible for your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is BAZELLAND BV, registered in Belgium under company number 0471.764.646 (VAT BE 0471.764.646), with registered office at Welvaartstraat 54A bus 4, 2000 Antwerpen, Belgium.

We have not appointed a Data Protection Officer because the criteria for mandatory appointment do not apply to our activity. For any privacy-related question, write to info@holygrailbookshop.com.

2. What data we collect

We collect only the data we need to deliver the service you have asked for:

  • Order data: name, email address, billing address, and country. Required to issue invoices and confirm orders.
  • Payment data: we do not see, store, or process your card details. Payment is handled directly by the processor you choose at checkout (WooPayments, Stripe, or PayPal), whose privacy policy applies to that step. We receive only a transaction reference.
  • Account data (optional): if you choose to create an account, we store the email and password (hashed) you provide, your order history, and your download links.
  • Newsletter data (optional): if you subscribe, we store your email address, the timestamp of your consent, and the confirmation timestamp from the double opt-in process.
  • Server log data: IP address, browser identifier, page visited, timestamp, and referrer. Standard for any web server. Used for security, debugging, and statistical analysis only.
  • Cookies: we use only the strictly necessary cookies that make the cart, checkout, and login work. We do not run advertising trackers or third-party analytics on this website.

3. Why we collect it (purposes and legal bases)

  • To perform the contract — process your order, deliver the download, issue invoices, handle support requests. (GDPR Art. 6(1)(b).)
  • To comply with legal obligations — keep accounting records, fulfil VAT requirements, respond to authority requests. (GDPR Art. 6(1)(c).)
  • On the basis of your consent — newsletter subscription, optional account creation. You may withdraw consent at any time, without affecting prior lawful processing. (GDPR Art. 6(1)(a).)
  • On the basis of our legitimate interest — fraud prevention, server security, debugging, basic statistical analysis of traffic patterns. (GDPR Art. 6(1)(f).)

4. Automated decision-making

We do not engage in automated decision-making or profiling within the meaning of GDPR Article 22. No purchase, account, or communication decision about you is taken by an algorithm without human review.

5. Who receives your data

We share your data only with the processors who help us run the shop, and only the data they need to do their part:

  • Hostinger International — web hosting (server logs, database).
  • WooPayments (operated by Automattic Inc., on the Stripe infrastructure), Stripe Payments Europe Ltd, and PayPal (Europe) S.à r.l. et Cie, S.C.A. — payment processing, depending on which method you select.
  • Our transactional email provider — order-confirmation and (if you subscribe) newsletter email delivery.
  • Tax and accounting professionals — only when legally required for our reporting obligations.

We do not sell, rent, or trade your personal data with anyone. Ever.

6. International transfers

Some of our processors may store or process data outside the European Economic Area. Where this happens, the transfer is governed either by an EU adequacy decision or by Standard Contractual Clauses adopted by the European Commission, ensuring an equivalent level of protection.

7. How long we keep your data

  • Order and invoice data: 7 years, as required by Belgian tax law.
  • Account data: until you delete your account or request erasure.
  • Newsletter data: until you unsubscribe or request erasure.
  • Server logs: typically 30 days, longer only if a security incident requires it.

8. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access — a copy of the data we hold on you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — deletion, subject to our legal retention duties.
  • Restriction — pause processing in defined cases.
  • Portability — a machine-readable export of the data you have provided.
  • Objection — to processing based on our legitimate interest.
  • Withdrawal of consent — at any time, without affecting prior lawful processing.
  • Complaint — with a supervisory authority (see Section 11).

To exercise any right, write to info@holygrailbookshop.com. We will respond within one month. We may ask for proof of identity to prevent unauthorised disclosure.

9. Newsletter

We use double opt-in for newsletter subscriptions: after you submit your email, you receive a confirmation message; your subscription is activated only after you click the confirmation link. Every newsletter contains a one-click unsubscribe link.

10. Cookies

We use only the cookies strictly necessary to operate the shop — keeping your cart between pages, keeping you logged in if you have an account, and securing the checkout session. These are exempt from the consent requirement under EU ePrivacy rules. We do not use advertising, profiling, or third-party analytics cookies.

11. Supervisory authority

If you believe we have mishandled your data, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) — www.gegevensbeschermingsautoriteit.be — Drukpersstraat 35, 1000 Brussels. You may also lodge a complaint with the supervisory authority of your habitual residence.

12. Children

Holy Grail Bookshop is not directed at children. We do not knowingly collect personal data from any person under 16 years of age. If you believe a child has provided us with personal data, write to us and we will delete it.

13. Changes to this policy

We may update this policy as our processing or the law evolves. The version that applies to your data is the version published at the time of collection. Material changes will be flagged at the top of this page for at least 30 days. The current version's last-updated date is shown at the top.

Join the Inner Circle

New arrivals, rare finds, and knowledge others won't share — delivered to your inbox.