This Privacy Policy explains how Composerie collects, uses, shares and protects personal data when you use our product-personalization platform, our websites and our related services (together, the Service). We are committed to handling personal data lawfully, fairly and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR and applicable Dutch law.
1. Who We Are
The data controller responsible for personal data processed in connection with your Composerie account is:
Composerie
Registered with the Dutch Chamber of Commerce (KvK) under number 80513573
Markerkant 13-11, 1314 AL Almere, Flevoland
VAT: NL003449094B70
The Netherlands
Email: [email protected]
Our two roles. For data about our merchant customers and their account (such as your name, email and billing details), we act as a controller. For data that merchants and their shoppers submit through the personalization tools we provide (such as the text, images and design choices used to personalize a product), we act as a processor on the merchant's behalf — the merchant is the controller of that data. A Data Processing Agreement is available to merchants on request.
2. Who This Policy Covers
- Merchants — businesses and the individuals who register, configure and operate a Composerie account.
- Shoppers / end customers — people who personalize products on a merchant's store using tools powered by Composerie. We process their data on the merchant's instructions.
- Website visitors — people who browse our public websites.
3. Information We Collect
We collect information you provide directly and information generated through your use of the Service. The categories of personal data we process include:
3.1 Account information
- Name and email address
- Company name and business details
- Account credentials (passwords are stored only in hashed form)
- Profile, language and accessibility preferences
3.2 Connected platform data
- Your store URL and the access tokens needed to connect your e-commerce platform (for example Shopify); tokens are encrypted at rest
- Product catalog data synchronized from your store
- Order information for personalized products
3.3 Design and personalization content
- Product templates and design files you create
- Images, fonts and media you upload
- Personalization content submitted by shoppers (such as text and images), processed on the merchant's behalf
3.4 Billing information
- Billing address, company and tax/VAT details
- Payment card details are collected and stored directly by our payment processor; we do not store full card numbers
- Transaction history and invoices
3.5 Usage and technical data
- Pages visited, features used and actions taken within the platform
- Device type, browser and operating system
- IP address and approximate (city-level) location
- Timestamps and diagnostic logs
4. Legal Bases for Processing
Under the GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service, manage your account, process payments and meet our obligations to you.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, service improvement and analytics, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting and other applicable laws.
- Consent (Art. 6(1)(a)) — where required, such as for optional marketing communications. You may withdraw consent at any time.
5. How We Use Your Information
- Provide, maintain, secure and improve the Composerie platform
- Process transactions, send invoices and manage subscriptions
- Generate production-ready print files from personalizations and route orders to fulfillment partners
- Send service and security notices and respond to support requests
- Monitor performance, diagnose issues and improve reliability
- Detect, prevent and address fraud, abuse and security incidents
- Comply with legal obligations and enforce our terms
6. Service Providers We Work With
We do not sell your personal data. We share it only with vetted service providers who process it on our behalf, under contract and only as instructed by us. Rather than listing individual vendors (which can change), we describe the categories of providers we rely on:
- Cloud hosting & storage — to run our application and securely store files and databases, primarily in the European Union.
- Payment processing — to handle subscription billing and payments securely (card data is handled by the provider, not stored by us).
- Email delivery — to send transactional and (where you opt in) marketing emails.
- AI-assisted image processing — to power optional design tools such as background removal and image generation.
- Error monitoring & product analytics — to detect faults and understand aggregate usage so we can improve the Service.
- Print & fulfillment partners — to produce and ship personalized products that merchants choose to fulfill through them.
A current list of the specific sub-processors we use is available to merchants on request. We also disclose information where required by law, to protect our rights, or in connection with a corporate transaction (subject to equivalent protections).
7. International Data Transfers
Your data is primarily stored within the European Economic Area (EEA). Where data is transferred outside the EEA, we put appropriate safeguards in place — such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs) together with any supplementary measures required under the GDPR.
8. Data Security
We apply technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS) and encryption at rest for sensitive data
- Encryption of connected-platform access tokens
- Role-based access controls and the principle of least privilege
- Hashed password storage and CSRF protection
- Automated monitoring, logging and regular security review
No method of transmission or storage is completely secure, but we work continuously to protect your data and will notify you and the relevant authority of a personal data breach where legally required.
9. Data Retention
We keep personal data only as long as necessary for the purposes described in this policy, then delete or anonymize it:
Account dataDuration of the account + 30 days after closure
Design and personalization filesDuration of the account + 30 days
Order history7 years (legal / tax obligation)
Payment & invoice records7 years (legal / tax obligation)
Usage analytics26 months (then aggregated / anonymized)
Support communications3 years after the last interaction
10. Your Rights
Subject to applicable law, you have the right to:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your personal data.
- Restriction (Art. 18) — limit how we process your data in certain cases.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests or to direct marketing.
- Withdraw consent (Art. 7) — at any time, where processing is based on consent.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are a shopper exercising rights in relation to a merchant's store, we may direct your request to that merchant as the controller.
11. AI Features & Automated Decision-Making
Composerie offers optional AI-assisted design tools (for example, background removal and image generation). When you use these tools:
- We process only the content needed to perform the requested task.
- We do not use your or your shoppers' personal data or content to train our own or third-party general-purpose AI models.
- Outputs are suggestions you remain in control of and can edit or discard.
We use limited automated processing for fraud detection and, during beta, for prioritizing onboarding. These do not produce legal or similarly significant effects on you, and you may request human review of any automated decision by contacting us.
12. Cookies
We take a privacy-first approach to cookies. Our marketing website uses privacy-respecting analytics that do not require tracking cookies, and the application uses only essential and preference cookies — no advertising or cross-site tracking cookies. For details, see our Cookie Policy.
13. Children's Privacy
Composerie is a business-to-business service intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Supervisory Authority
You have the right to lodge a complaint with a data protection authority. Our lead supervisory authority is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374, 2509 AJ The Hague, The Netherlands
Website: autoriteitpersoonsgegevens.nl
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will give notice — by email and/or a notice on our website — at least 30 days before they take effect. The current version is always available on this page, with the effective date shown at the top.