Privacy Policy
PRIVACY POLICY: INCUTEC BV
1. Data controller
| Name | Incutec BV |
| Registered office | Stapelhuisstraat 15, 3000 Leuven |
| Company number | Published after incorporation (KBO) |
| Email | contact@opendrone.be |
Incutec BV has not appointed a Data Protection Officer (DPO) because this is not mandatory for its current activities (Art. 37 GDPR).
2. What personal data do we process?
| Category | Data | Purpose |
|---|---|---|
| Order data | Name, address, email, telephone number | Processing and delivery of orders |
| Payment data | Payment method, transaction ID | Payment processing (via payment provider) |
| Account data | Email, password (hashed) | Customer account on the webshop |
| Communication | Email, content of messages | Customer service, complaint handling |
| Website usage | IP address, browser, pages visited | Website optimisation, security |
| Newsletter | | Marketing communication (only with consent) |
3. Legal bases (Art. 6 GDPR)
| Processing | Legal basis |
|---|---|
| Execution of the order | Necessary for performance of a contract (Art. 6.1.b) |
| Payment processing | Necessary for performance of a contract (Art. 6.1.b) |
| Invoicing and bookkeeping | Legal obligation (Art. 6.1.c: VAT legislation, accounting law) |
| Customer service | Legitimate interest (Art. 6.1.f) |
| Website analytics | Legitimate interest (Art. 6.1.f) or consent (Art. 6.1.a) |
| Newsletter | Consent (Art. 6.1.a) |
| Fraud / abuse prevention | Legitimate interest (Art. 6.1.f) |
4. Retention periods
| Data | Retention period |
|---|---|
| Order and invoice data | 10 years (statutory bookkeeping retention obligation) |
| Customer account | Until deletion by the customer or 3 years after last activity |
| Customer service communication | 3 years after closure |
| Website log files | 6 months |
| Newsletter subscription | Until unsubscribed |
5. Recipients / processors
| Recipient | Purpose | Location |
|---|---|---|
| Shopify International Ltd. | Webshop and order platform | Ireland (EU) |
| Shopify Oxygen | Website hosting | EU edge network |
| Mollie B.V. | Payment processing (Bancontact, SEPA, cards) | Netherlands (EU) |
| Stripe Payments Europe Ltd. | Card processing and fraud prevention | Ireland (EU) |
| Sendcloud B.V. | Shipping labels and tracking | Netherlands (EU) |
| Bpost / DHL / DPD (carrier depending on order) | Parcel delivery | EU |
| Plausible Analytics | Cookieless website analytics | Plausible Insights OÜ — Estonia (EU); hosting in Germany |
| Polar Advisory BV (accountant) | Invoicing and annual accounts | Belgium |
| Discord Inc. | Support tickets via the Discord bridge (name, email, message content, attachments) | US — EU-US Data Privacy Framework |
| Anthropic PBC | AI-assisted draft replies for support tickets | US — data processing agreement with SCCs |
| Resend (Plus Five Five, Inc.) | Transactional support emails (resume links) | US — SCCs |
| Upstash, Inc. | Temporary ticket index for the support module | US — SCCs |
| Cloudflare, Inc. | Turnstile anti-spam verification on forms | US — EU-US Data Privacy Framework |
Transfers outside the EEA. For the US processors listed above, Incutec BV transfers personal data on the basis of appropriate safeguards (Art. 46 GDPR): certification under the EU-US Data Privacy Framework or standard contractual clauses (SCCs, Decision 2021/914). Shopify may additionally process data in Canada (adequacy decision) and through sub-processors in the US and Singapore under SCCs. All other processing keeps personal data inside the EEA.
AI assistance in support. When you submit a support ticket, the content of your message may be passed to Anthropic to prepare a draft reply. A staff member reviews every reply before it is sent; no automated decision-making takes place.
6. Rights of the data subject
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure of your data ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Object to processing based on legitimate interest (Art. 21)
- Portability of your data (Art. 20)
- Withdraw your consent (Art. 7.3)
Requests can be sent to: privacy@opendrone.be. We respond to your request within one month (Art. 12(3) GDPR), extendable by a further two months for complex or numerous requests.
7. Complaints
You have the right to file a complaint with the Belgian Data Protection Authority (GBA):
| Address | Drukpersstraat 35, 1000 Brussels |
| Phone | +32 (0)2 274 48 00 |
| Website | https://www.gegevensbeschermingsautoriteit.be |
| Email | contact@apd-gba.be |
You may also lodge a complaint with the supervisory authority of your place of residence or work within the EU, if you do not reside in Belgium (Art. 77 GDPR).
8. Security
Incutec BV takes appropriate technical and organisational measures to protect personal data against unauthorised access, loss or destruction:
- SSL/TLS encryption on the website
- Hashed passwords (bcrypt or equivalent)
- Access control (need-to-know basis)
- Regular backups
9. Automated decision-making
Incutec BV does not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Art. 22 GDPR.
Shopify's automated fraud detection systems (Shopify Protect / Fraud Analysis) may result in orders being refused or flagged. This constitutes automated decision-making that affects the processing of your order. You may contact Incutec BV for human review of a refused order.
10. Data breaches
In the event of a data breach presenting a risk to your rights and freedoms, we are obliged to notify the Belgian Data Protection Authority (GBA) within 72 hours (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will inform you personally as soon as possible in accordance with Art. 34 GDPR.
11. Amendments
Incutec BV may amend this privacy policy. The most recent version is always available at opendrone.be/privacy. In the event of material changes, you will be notified by email.