Legal

Privacy Policy

Effective date: 01.06.2026 · Last updated: 01.06.2026

Company name

Dolcelu

KvK number

95616632

PART 1Who we are

Dolcelu ("we", "us", "our"), registered in the Netherlands (KvK: 95616632), is the data controller for your personal data. This Privacy Policy explains how we collect, use, store, and protect your data in compliance with the General Data Protection Regulation (GDPR) EU 2016/679 and the Dutch Uitvoeringswet AVG.

PART 2What data we collect

We collect only data necessary to deliver our product and service:

Identity: first name, last name — for contract performance
Contact: email address — for contract performance
Payment: payment method, transaction ID (no card data stored by us) — for contract performance and legal obligation
Health & wellbeing: self-reported check-in responses (energy, strength, brain fog) — collected with your explicit consent, solely to verify refund eligibility
Usage: website visits, pages viewed, session duration (anonymised) — for legitimate interests
Communications: support emails, feedback messages — for legitimate interests

Your check-in responses qualify as health-related data under GDPR Article 9. We collect them solely to verify eligibility for our money-back guarantee and for no other purpose. We will never sell, share, or use this data for marketing.

PART 3How we use your data

To process and fulfil your order
To deliver the 4-week programme and send check-in reminders
To process refund requests and verify guarantee eligibility
To provide customer support
To comply with Dutch and EU tax and accounting obligations (7-year retention)
To send transactional emails (order confirmation, shipping, check-in prompts)
To send marketing emails only with your explicit, separate consent

PART 4Who we share your data with

We do not sell personal data. We share data only with trusted processors under a Data Processing Agreement:

Payment processors (e.g. Stripe, Mollie) — to handle payments securely
Email platform (e.g. Klaviyo, Mailchimp) — to send transactional and programme emails
Web analytics (e.g. Plausible or Google Analytics with IP anonymisation) — to understand website performance

All processors are GDPR-compliant. Data is processed within the EEA or under Standard Contractual Clauses.

PART 5Cookies

We use essential cookies (required for the website to function) and, with your consent, analytics and marketing cookies. You can manage your preferences via our cookie banner at any time.

PART 6Retention periods

Order and transaction records: 7 years (Dutch fiscal obligation)
Customer account data: 3 years after last activity, then deleted
Check-in / health self-reports: 90 days after refund period expires, then deleted
Marketing consent records: until consent is withdrawn + 1 year
Support correspondence: 2 years

PART 7Your rights under GDPR

You can exercise these rights free of charge by emailing contact.rebuild4@gmail.com:

Right of access (Art. 15) — receive a copy of your personal data
Right to rectification (Art. 16) — have inaccurate data corrected
Right to erasure (Art. 17) — request deletion ("right to be forgotten")
Right to restriction (Art. 18) — limit how we process your data
Right to portability (Art. 20) — receive your data in machine-readable format
Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing
Right to withdraw consent — withdraw any consent at any time

We will respond within 30 days. If unsatisfied, you may complain to:

Autoriteit Persoonsgegevens (AP)
www.autoriteitpersoonsgegevens.nl
Bezuidenhoutseweg 30, 2594 AV Den Haag

PART 8Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption, access controls, and regular security reviews.

PART 9Changes to this policy

We may update this policy to reflect changes in law or our practices. We will notify you by email and post the updated policy on our website with a new effective date. Continued use after 30 days constitutes acceptance.