Privacy Policy
(Version of 22 October 2025)
1. Purpose
This Policy is established by ANNA THYS, located at Rue Julien d'Andrimont 1/62, 4000 Liège, Belgium, registered with the Crossroads Bank for Enterprises under the number 1018876320 (hereinafter referred to as the “Data Controller”).
The purpose of this Policy is to inform the visitors of the website hosted at the following address: www.annathys.com (hereinafter referred to as the “Site”) about how their personal data is collected and processed by the Data Controller.
This Policy is part of the Data Controller's commitment to act transparently, in accordance with the Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and Belgian legislation on data protection.
This Policy complements the General Terms and Conditions of Sale available on the Site.
The Data Controller places particular importance on data confidentiality and is committed to implementing all reasonable measures to protect personal data against loss, theft, disclosure or unauthorised use.
The term “personal data” refers to any information that allows for the direct or indirect identification of a natural person.
For any questions regarding this Policy, the User can contact the Data Controller using the contact details provided in the section "Contact Data" below.
2. Data Collected
The Data Controller may collect and process the following data:
- the domain automatically detected by the server (including the dynamic IP address);
- the User's email address, when voluntarily provided (for example via a form, an order, a contact or a registration);
- the information regarding the pages viewed on the Site;
- any data voluntarily provided by the User (for example during surveys, registrations or participation in promotional programmes).
Non-personal data (statistics, browsing behaviour, preferences) may also be collected to improve the Site, products and services.
If this data is combined with personal data, it will then be treated as personal data.
3. Methods of Collection
Data may be collected by the following means:
- web forms (account creation, contact, order, etc.);
- cookies and trackers (see our Cookie Policy);
- direct exchanges via email or through the Site.
4. Legal Basis for Processing
The processing of personal data is based, in certain cases, on the following legal grounds:
- the performance of a contract (fulfilment of an order, invoicing, delivery);
- compliance with a legal obligation (accounting, tax obligations, etc.);
- the consent of the User (subscription to the newsletter, commercial prospecting);
- the legitimate interest of the Data Controller (securing the Site, improving services).
5. Purposes of processing
Data is collected for the following purposes:
- management of orders, deliveries and invoicing;
- sending promotional information and newsletters;
- responding to Users' requests or questions;
- improving the quality of the Site and services;
- conducting internal statistics;
- identifying Users' preferences and interests;
- commercial prospecting and marketing communication (subject to prior consent).
If a new purpose were to be considered, the Data Controller would inform Users before any reuse of their data.
6. Legitimate interests
Certain processing is based on the legitimate interest of the Data Controller, particularly for the prevention of fraud, the security of the Site, and the management of customer relations.
These processing operations remain proportionate and do not infringe on the rights and freedoms of Users.
7. Retention period
Personal data is retained for as long as necessary for the purposes for which it was collected, and in accordance with legal obligations.
Data related to an order is retained for up to 10 years from the end of the contractual relationship (notably for accounting and tax reasons).
At the end of these periods, it is deleted or anonymised.
Data from prospects (people who have not yet made a purchase) is retained for a maximum period of 3 years from the last contact from them, then deleted or anonymised, unless renewed consent is given.
8. Users' rights
In accordance with the GDPR, the User has the following rights:
- Right of access: to obtain a copy of the personal data concerning them.
- Right of rectification: to correct or complete inaccurate or incomplete data.
- Right of opposition: to object at any time to processing based on legitimate interest or for marketing purposes.
- Right to restriction of processing: to request the temporary suspension of processing in certain cases.
- Right to erasure (“right to be forgotten”): to request the deletion of their data when legally possible.
- Right to data portability: to receive their data in a structured and commonly used format, or to request its transfer to another data controller.
Any request can be sent via the contact details provided in the section “Contact data”.
The Data Controller will respond within a maximum of one (1) month, in accordance with the regulations.
9. Recipients of the data
The collected data is intended for the exclusive use of the Data Controller and, where applicable, their trusted service providers and subcontractors (hosting provider, carriers, payment service providers, marketing tools, etc.).
These third parties act only on the instruction of ANNA THYS and are bound by confidentiality and security commitments.
10. Transfer of data outside the European Union
Personal data is primarily hosted and processed within the European Union.
However, some technical service providers used by ANNA THYS (for example: payment solutions, emailing, audience analysis or online advertising) may transfer data to countries located outside the European Economic Area, notably to the United States.
In this case, these transfers are governed by appropriate safeguards compliant with the GDPR, such as:
- the standard contractual clauses adopted by the European Commission, or
- an adequacy decision (e.g. the EU–US Data Privacy Framework).
ANNA THYS ensures that these providers offer a level of protection equivalent to that required in the EU.
No unregulated transfer will be made without prior information to the User.
11. Data Security
The Data Controller implements all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
Data transmissions are protected by recognised encryption protocols, and access to IT systems is limited to authorised personnel only.
In the event of a security incident involving personal data, the Data Controller commits to informing the User and taking all necessary measures to remedy the situation.
12. Complaints and Remedies
In the event of disagreement with the way their data is processed, the User may:
- Contact the Data Controller directly (see below);
- Lodge a complaint with the Data Protection Authority (DPA):
  - Website: https://www.autoriteprotectiondonnees.be
  - Address: Rue de la Presse 35, 1000 Brussels, Belgium
- Or exercise a remedy before the competent courts of the district of Liège.
13. Contact details
Data controller: ANNA THYS
Address: Rue Julien d'Andrimont 1/62, 4000 Liège, Belgium
Email: privacy@annathys.com
14. Modification of the Policy
The Data Controller reserves the right to modify this Policy at any time.
Any new version comes into effect as soon as it is published on the Site.
The version in force is always the one indicated by the date at the header.
15. Applicable law and competent jurisdiction
This Policy is governed by Belgian law.
Any dispute relating to its interpretation or execution falls under the exclusive jurisdiction of the courts of the judicial district of Liège, without prejudice to the mandatory rights of the consumer.
Version: 22/10/2025
© ANNA THYS® – All rights reserved