Privacy Statement BeadPainter

Version: 1.0 | Effective Date: December 30, 2025

Welcome to BeadPainter. We (BeadPainter) may process personal data as referred to in the General Data Protection Regulation (GDPR) (hereinafter: “Personal Data”). Such processing may occur, for example, when you visit our website at https://beadpainter.nl (including any of its subdomains) or when you use our products or services, including the BeadPainter App.

This privacy statement outlines how we collect and use your Personal Data, and for what purposes.

1. When does this privacy statement apply?

This privacy statement only applies to the processing of Personal Data by us (BeadPainter) as the controller. When an organisation processes Personal Data through one of our products or services, that organisation is the controller and we act as the processor. In such cases, this privacy statement does not apply, and we recommend that you consult the privacy statement of the relevant controller.

2. “Personal Data”

For a proper understanding of this privacy statement, it is important to understand what “Personal Data” is. When we use the term “Personal Data” in this privacy statement, we mean “personal data” as defined in the General Data Protection Regulation (GDPR). That is to say, “any information relating to an identified or identifiable natural person.” But more simply, it refers to all information that identifies you or can be reasonably linked to you as a person.

3. Your privacy matters to us

We value your privacy and are committed to handling your Personal Data responsibly. We process Personal Data only for legitimate purposes, in line with this privacy statement and the applicable data protection laws and regulations.

This means, among other things, that we:

  1. clearly define the purposes before processing Personal Data;
  2. store as little Personal Data as possible and only the Personal Data that is necessary for the specific purposes;
  3. only process Personal Data if there is a valid basis for doing so;
  4. take appropriate security measures to protect Personal Data. We also impose these obligations on parties that process Personal Data for us;
  5. respect your rights, such as the right to access, correct, transfer, or delete your Personal Data.

Our services are intended for persons aged 16 and older. We do not knowingly collect data from persons under the age of 16. If and insofar as we discover such data, we will delete it.

BeadPainter uses cookies for various purposes. In this privacy statement, we explain for which purposes we use cookies. A more detailed explanation can be found in BeadPainter's Cookie Policy, which is accessible via https://beadpainter.nl/cookie-policy-eu.

If you have any questions or would like to receive more information about how we handle your Personal Data, please contact us using the contact details provided in this privacy statement.

4. BeadPainter

We aim to inform you in a clear and transparent manner about how and why we process Personal Data. This includes the purposes of processing, the legal basis for that processing, how long we retain Personal Data, and which parties may be involved.

Below is a non-exhaustive overview of the main categories of processing activities, organized by context.

  1. When you use our BeadPainter app
  2. When you visit our website
  3. When you create an account or place an order as a customer
  4. When you contact us for support
  5. When you sign up for our waitlist
  6. When you subscribe to our marketing communications
  7. When you take part in surveys or provide feedback
  8. When you take part in beta testing
  9. When you supply goods or services to us as a business partner

5. When you use our BeadPainter app

When you use our BeadPainter app, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| App Consent Management: Recording acceptance of the Terms of Service and Privacy Policy and managing user consent for optional processing. | Pseudonymous identifiers (app installation UUIDs), consent records (including user choices and timestamps). | Legal obligation (Article 6(1)(c) of the GDPR). Performance of a contract (Article 6(1)(b) of the GDPR). Consent for optional processing (Article 6(1)(a) of the GDPR). | We retain consent records as long as needed to demonstrate legal compliance and/or as long as needed for the performance of a contract. |
| Logging & Security Monitoring: To ensure the proper functioning and security of our services (including API calls and feature flag delivery), monitor performance, detect and resolve errors, prevent misuse or automated abuse. | Connection metadata (including IP address, timestamps, URLs, user-agent), and diagnostic/error information. | Legitimate interest (Article 6(1)(f) of the GDPR). | Up to 30 days. We may retain the data for longer if required by law or necessary to investigate or address a security incident. |
| Usage Analytics & Product Improvements: To understand how the app is used and improve features, performance, and user experience. This includes running controlled A/B tests on design and functionality. | Pseudonymous identifiers, technical data, app usage data (including feature usage), truncated IP address and coarse location, experiment data, and other usage-related information such as subscription tier, tenure, and purchase interactions (e.g., purchase status). | Consent (Article 6(1)(a) of the GDPR). | Up to 14 months. Deleted upon withdrawal of consent or request without undue delay, subject to technical feasibility. After expiry, data is anonymised and aggregated. |
| Diagnostics (Crash Reporting & Performance Monitoring): To detect, investigate, and resolve technical issues; monitor app stability and performance. | Pseudonymous identifiers, application data (app version, feature flags), device & technical data, performance data (including crash frequency), network data (including truncated IP address), diagnostic data (including stack traces). | Legitimate interest (Article 6(1)(f) of the GDPR). | Up to 30 days. |
| In-App Purchases / Subscription Management: To provide and manage paid features and products, validate purchases, and handle subscription status. | In-App Purchases are securely processed and managed by Apple. We receive only limited information necessary to confirm your purchase or subscription status and provide access to the content. We do not receive or store any payment details. | Performance of a contract (Article 6(1)(b) of the GDPR). Legal obligation (statutory financial obligations) (Article 6(1)(c) of the GDPR). | For the duration of the subscription and up to 10 years thereafter to comply with statutory financial record-keeping obligations. |
| Apple App Analytics: To understand general app performance and improve stability and functionality. | Apple may provide us with a relevant subset of app analytics information and statistics. The data does not personally identify individual users, in accordance with Apple’s App Analytics & Privacy statement. | Consent (Article 6(1)(a) GDPR). Data is provided only if you share App Analytics with App Developers in your Apple Account settings. | Determined and controlled by Apple as an independent data controller. |

6. When you visit our website

When you visit our website, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| Logging & Security Monitoring: To ensure proper functioning of services, maintain security, detect and resolve errors, and prevent misuse, automated abuse, or fraud. | Connection metadata, such as IP address, timestamps, URLs, user-agent (browser/device info), and related diagnostic/error information. | Legitimate interest (Article 6(1)(f) of the GDPR). | Up to 30 days. We may retain the data for longer if required by law or necessary to investigate or address a security incident. |
| Cookies Consent Management: To collect, record, and manage user choices regarding the use of cookies and similar tracking technologies, ensuring compliance with ePrivacy and GDPR requirements. | Pseudonymous identifiers (consent ID), consent records (choices, timestamps), and technical context (browser type, truncated IP address, coarse geo-location). | Legal obligation (Article 6(1)(c) of the GDPR). | We retain consent records as long as needed to demonstrate legal compliance, up to 5 years. Every 12 months, we will ask you again whether or not you give your consent. |
| Cookies: To enable the proper functioning of the website (essential cookies) and, where consent is given, to support analytics and marketing features. | Necessary/Essential Cookies: Pseudonymous identifiers, usage data (login/session status, shopping cart contents), and language settings. | Legitimate interest (strictly necessary for website operation) (Article 6(1)(f) of the GDPR). Consent for analytics and marketing cookies (Article 6(1)(a) of the GDPR). | Session cookies: deleted when the browser is closed. Persistent cookies: retained until the browser cleans cookies. |
| Web Analytics: To measure visits, page views, traffic sources, and user flows on the website in order to evaluate performance, improve user experience, and run controlled A/B tests. | Analytical Cookies: Pseudonymous identifiers, technical data, website usage and interaction data (e.g., pages visited and referrer/UTM parameters), truncated IP address and coarse location, and experiment data. | Consent (Article 6(1)(a) of the GDPR). | Up to 14 months. Deleted upon withdrawal of consent or request without undue delay, subject to technical feasibility. After expiry, data is anonymised and aggregated. |

7. When you create an account or place an order as a customer

When you create an account or place an order as a customer, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| Customer Accounts Management: To provide registered users with accounts that allow them to log in, manage personal details, view order history, and store preferences. | Identification data (name, email, username), authentication data (hashed password), contact data, and user preferences/settings. | Performance of a contract (Article 6(1)(b) of the GDPR). | We retain this data for as long as your account is active. We delete the data when the account is deleted. |
| Orders, Payments & User Designs: To process and fulfill webshop orders, including checkout, payment processing, invoicing, and returns. | Identification data, order details, address data (billing address), contact data, payment metadata (method, transaction ID, no full card data), technical metadata (IP address at checkout), and User Designs or uploaded content provided to customize products or to share publicly. | Performance of a contract (Article 6(1)(b) of the GDPR). Legal obligation (statutory financial obligations) (Article 6(1)(c) of the GDPR). Consent (Article 6(1)(a) GDPR) — if users choose to share their uploaded designs publicly. | For the duration of the contract and up to 10 years thereafter to comply with statutory financial record-keeping obligations. Private designs are retained only as long as needed for order fulfillment. Publicly shared designs remain stored on our website until you delete them from your account. |
| Shipping & Delivery: To deliver purchased products to customers, including providing shipping information to carriers and tracking deliveries. | Identification data (recipient name), address data (shipping address), contact data for updates, order details, and delivery data (tracking number). | Performance of a contract (Article 6(1)(b) of the GDPR). Legal obligation (statutory financial obligations) (Article 6(1)(c) of the GDPR). | For the duration of the contract and up to 10 years thereafter to comply with statutory financial record-keeping obligations. |
| Transactional Communication: To send order-related and service messages such as confirmations, payment receipts, shipping updates, and subscription renewals. | Identification data (name), contact data (email, phone number if used), order details, and communication metadata. | Legitimate interest (Article 6(1)(f) of the GDPR). Performance of a contract (Article 6(1)(b) of the GDPR). | For the duration of the contract and up to 10 years thereafter to comply with statutory financial record-keeping obligations. |
| Accounting & Tax: To comply with statutory obligations for bookkeeping, accounting, financial reporting, and tax compliance. | Identification data, order details, contact data, address data, payment metadata (e.g. payment method, transaction ID, status), and copies of the issued invoices. | Legal obligation (statutory financial obligations) (Article 6(1)(c) of the GDPR). | For the duration of the contract and up to 10 years thereafter to comply with statutory financial record-keeping and tax obligations. |

8. When you contact us for support

When you contact us for support, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| User/Customer Support & Customer Service: To respond to user inquiries, provide technical assistance, and resolve issues. | Identification data (name, email address, if provided), communication content (messages, attachments), account information (user ID, subscription status, if provided), and technical context (device type, app version, error logs, if provided). | Legitimate interest (Article 6(1)(f) of the GDPR). Performance of a contract (Article 6(1)(b) of the GDPR). | Until the issue is addressed and for up to 6 months thereafter, and/or as long as needed for the performance of a contract. |

9. When you sign up for our waitlist

When you sign up for our waitlist, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| User Waitlist Management (notification-only): To collect email addresses of interested individuals in order to send a one-time notification when the product or feature becomes available. | Contact details (name, email) and optional metadata (interest category, referral source, region). | Consent for notifications (Article 6(1)(a) of the GDPR). Legitimate interest (users reasonably expect to be contacted once after signing up) (Article 6(1)(f) of the GDPR). | Email addresses are retained until the notification is sent and deleted within 1 month thereafter, or until you withdraw your consent, unless you separately subscribe to marketing or create an account. |

10. When you subscribe to our marketing communications

When you subscribe to our marketing communications, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| Marketing Communication: To send newsletters, promotional offers, and product updates to users who have consented or to existing customers under applicable legal exceptions for direct marketing. | Contact details (name, email) and optional metadata (interest category, referral source, region). | Consent for marketing communication (Article 6(1)(a) of the GDPR). | As long as you are registered for marketing communications, or until you withdraw your consent. |

11. When you take part in surveys or provide feedback

When you take part in surveys or provide feedback, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| User Surveys / Feedback Collection: To collect user opinions, ratings, and feedback in order to evaluate satisfaction and improve services and features. | Identification data (name, email address) if provided, feedback data (survey responses, comments), context data (product used, subscription tier), and technical metadata. | Consent (Article 6(1)(a) of the GDPR). | As long as necessary for the processing of the results of the survey and/or feedback, and up to 12 months. |

12. When you take part in beta testing

When you take part in beta testing, we may process certain Personal Data. Below, we have provided a detailed description of the processing operations that may take place along with purposes and examples of each category of Personal Data.

| Processing activity & purpose | Personal Data | Legal basis | Retention period |
|---|---|---|---|
| Beta Testing with Apple TestFlight: To provide selected users with early access to unreleased features, gather feedback, and evaluate usability and stability before general release. | Identification data (Apple ID, name, email), device/technical data, session statistics, crash/diagnostic data, and feedback data. | Consent (voluntary participation in beta testing) (Article 6(1)(a) of the GDPR). | As long as the beta program is active, or until the tester withdraws. Feedback may be retained longer if relevant for product improvement. |

13. When you supply goods or services to us as a business partner

When you supply goods or services to us as a business partner, we collect and use your business contact details for the purposes of our collaboration. Insofar as Personal Data is processed in this context, the basis for the processing of this Personal Data is Article 6(1)(b) of the GDPR: the processing is necessary for the performance of a contract. We retain this information for as long as necessary for the performance of the agreement, unless the law requires a longer retention period.

14. Special categories of Personal Data

We do not process any special categories of Personal Data. Thus, we do not process any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor do we process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as described in Article 9(1) of the GDPR. If and insofar as you provide this Personal Data to us (inadvertently or otherwise), we will delete this Personal Data.

15. Security

We protect your Personal Data by taking technical and organisational measures against unauthorised, unlawful, or accidental access, loss, destruction, or damage to Personal Data. We ensure that only the necessary persons have access to your Personal Data, that access to Personal Data is secure, and that our security measures are regularly checked and evaluated. We continuously take steps to improve data security.

We care about your Personal Data. To ensure that third parties also adhere to our high standards, we only store Personal Data with carefully selected third parties who help us to protect your Personal Data. Below, we will tell you more about the third parties and how we ensure that your Personal Data remains secure.

16. Third parties

We do not sell your data to third parties. However, we may engage third parties to process certain Personal Data on our behalf and under our responsibility.

These providers help us operate, secure, and improve our services — for example, by offering the following types of services:

  1. Web hosting and cloud infrastructure providers – for website, app, backend services, email, and file hosting.
  2. Apple Inc. – Independent controller providing services such as in-app purchases, TestFlight beta testing, App Store distribution, and App Analytics.
  3. Payment and financial service providers (planned) – Independent controllers providing payment processing and related financial services, including the settlement of transactions and maintenance of banking records.
  4. Delivery service providers (planned) – for shipping and logistics.
  5. Email and communication service providers – for sending transactional, marketing, and administrative messages.
  6. Bookkeeping and accounting partners – for financial administration and tax compliance.
  7. Monitoring and error-tracking service provider – for detecting and resolving technical issues.
  8. Self-hosted app and web usage analytics – no data is shared externally except to the cloud infrastructure provider.
  9. Professional service providers and contractors – for legal, quality assurance, development, design, or other professional services.

We may update or expand the main categories of third-party service providers as our services evolve. A current overview of the types of providers we use is available upon request.

Some of these third parties are located in the European Economic Area (EEA), while others are located outside the EEA, such as in the United States. When Personal Data is processed or stored outside the European Economic Area (EEA), we ensure that appropriate safeguards—such as the European Commission’s Standard Contractual Clauses or adequacy decisions—are in place to enable such transfers. In order to protect your Personal Data and comply with our legal obligations, we will only engage third parties for processing if those third parties offer sufficient guarantees for the protection of your Personal Data.

When we share Personal Data with third-party service providers, we do so only after we have entered into agreements with these third parties to ensure that your Personal Data is adequately protected. These third parties may only process the Personal Data within the scope of the assignment we have given them, and not for other purposes.

We may also disclose Personal Data to competent authorities, regulators, or law enforcement officials when required to comply with legal or regulatory obligations.

17. Updates or changes to this privacy statement

The way in which we process Personal Data, and the composition of the data we process, may change from time to time. We therefore reserve the right to change this privacy statement at any time. For this reason, we encourage you to check the privacy statement regularly to stay informed of any changes.

18. Your rights

In the context of our processing of your Personal Data, you have the following rights, among others:

  1. The right to access the Personal Data we process about you.
  2. If you have given your consent to the processing of your Personal Data, you also have the right to withdraw this consent.
  3. The right to exercise data portability.
  4. The right to have errors corrected.
  5. The right to have outdated Personal Data deleted.
  6. The right to object to a particular use of Personal Data.

If you wish to exercise these rights, please contact us. We request that you describe as clearly as possible in your request which Personal Data (processing) the request relates to.

You can only exercise your rights to the extent that the law grants you these rights. To ensure that a request has been made by you, we may ask you to send a copy of your ID with your request and/or provide the relevant Pseudonymous ID. We will only ask for this if we deem it necessary to identify you. We will delete the copy of your ID immediately after we have identified you.

19. Miscellaneous

This Privacy Statement does not apply to third-party websites that are linked to our websites. We cannot guarantee that these third parties will handle your Personal Data in a reliable or secure manner. We recommend that you read the privacy statements of these websites.

20. Complaints

If you have a complaint about the way we process your Personal Data, please contact us. We will then try to find a solution together.

You also have the right to file a complaint with the supervisory authority. In the Netherlands, this is the Dutch Data Protection Authority.

21. BeadPainter

If you have any questions or comments about the processing of your Personal Data by BeadPainter, please contact us using the contact details below:

BeadPainter
Donaublauw 27
2718 JM Zoetermeer
The Netherlands
privacy@beadpainter.nl

Dutch Company Registration Number: 97281573
