Last updated: 3 July 2026
Thomas Super Store, operated by Westerman ("we", "us", "our"), protects customer data according to the GDPR / AVG principles of data minimisation, purpose limitation, storage limitation and appropriate security. This policy explains what we collect, why we need it, how long we keep it, and which suppliers help us run the webshop.
We do not store full card or bank details. Payments are handled by Mollie. Customer and order data that must be stored for checkout, fulfilment, invoicing and service is protected with HTTPS, restricted access and encrypted storage where technically available in our Netlify backend.
1. Data Controller
The data controller responsible for your personal data is:
Westerman (WETO Media)
Jadestraat 49
9743 HB Groningen
The Netherlands
KvK: 96618043
Email: info@thomassuperstore.com
Website: thomassuperstore.com
If you have any questions about this Privacy Policy or how we handle your data, you can contact us at the email address above.
2. What Personal Data We Collect
We collect the following categories of personal data:
2.1 Information You Provide
- Checkout and order data: Name, email address, phone number, shipping address, country, chosen shipping method, cart contents, discounts, order status and tracking information.
- Payment information: Selected payment method and payment status. Full payment details are processed directly by Mollie and are not stored by us.
- Customer profile: If you choose to save details on this device, profile and preference data can be stored locally in your browser so checkout is faster next time.
- Communication: Messages you send via email/contact forms and service notes needed to answer your request.
- Notifications: Email address and product reference for back-in-stock alerts or abandoned cart reminders.
2.2 Information Collected Automatically
- Technical data: Basic server logs such as IP address, request time, browser type and error information, mainly for security and troubleshooting.
- Functional browser storage: Cart contents, language, wishlist, recently viewed products and saved checkout preferences.
- Cookies: See Section 8 below.
- Referral and partner code data: When you use a partner or discount link, we store the code needed to apply the discount and attribute the order.
3. Why We Collect Your Data
We process your personal data for the following purposes:
- Order processing: To process, fulfil, ship and support your order.
- Customer service: To answer questions, handle returns and solve delivery issues.
- Transactional communication: To send order confirmations, payment reminders, invoices, back-in-stock alerts and shipping updates.
- Marketing: To send newsletters or promotional content only when you have opted in.
- Website improvement: To improve stock display, checkout, search and product availability.
- Legal obligations: To comply with tax, accounting and consumer-law obligations.
- Fraud and abuse prevention: To detect suspicious orders and protect the webshop.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under the GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfil our contract with you, including order processing, shipping, and returns.
- Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as fraud prevention, website analytics, and improving our services, provided these interests do not override your rights.
- Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, such as marketing emails and non-essential cookies. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with legal obligations, such as tax and accounting regulations.
5. Third Parties & Data Sharing
We share your data with the following trusted third parties, only to the extent necessary for providing our services:
- Netlify (hosting, serverless functions and encrypted webshop storage) — hosts the website and backend functions.
- Mollie B.V. (payments) — processes payments securely. Mollie does not share full payment details with us. Mollie Privacy Policy
- Moneybird (accounting and invoices) — stores invoice and administration records needed for Dutch accounting rules.
- Monta or another fulfilment/logistics partner (shipping) — receives the delivery details needed to pack and ship your order.
- Resend (transactional email) — sends order, payment reminder and stock-notification emails.
- Cloudflare Worker / stock sync where configured — helps keep product availability up to date.
We do not sell, rent, or trade your personal data to any third party. We only share data when it is necessary for the services described above or when required by law.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
- Order and invoice data: Kept for 7 years where required for Dutch tax/accounting administration.
- Fulfilment and tracking data: Kept as long as needed for delivery, returns, warranty and customer service, then minimised where possible.
- Abandoned cart reminders: Automatically cleaned up. Active cart reminders are kept for a short period, normally no longer than 30 days; closed or sent reminders are normally removed after 14 days.
- Back-in-stock alerts: Waiting alerts are kept until the product returns or for up to 12 months; notified or cancelled alerts are normally removed after 30 days.
- Browser storage: Cart, wishlist and saved checkout profile data remain on your own device until you clear them or use the logout/remove options.
- Communication records: Kept as long as needed to handle the request and protect legal/customer-service interests.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can request that we correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You can request that we delete your personal data, unless we have a legal obligation to retain it.
- Right to restriction: You can request that we restrict the processing of your data in certain circumstances.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
- Right to object: You can object to the processing of your data based on legitimate interest, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at info@thomassuperstore.com. We will respond to your request within 30 days, as required by the GDPR.
You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Cookie Policy
Our website uses cookies to ensure proper functionality and to improve your experience. Cookies are small text files stored on your device.
8.1 Types of Cookies We Use
- Essential cookies: Required for the website to function correctly (e.g., shopping cart, login session). These cannot be disabled. Duration: session or up to 1 year.
- Functional cookies: Remember your preferences such as language and currency settings. Duration: up to 1 year.
- Privacy-friendly first-party analytics: Help us understand how visitors interact with our website (e.g., product views, cart additions, device category and broad location such as country/city). We do not store IP addresses, raw user-agent strings, customer names, email addresses or full referrer URLs in analytics. Analytics events are kept for up to 90 days.
- Marketing cookies: Used to show relevant advertisements on other platforms, only with your explicit consent. Duration: up to 1 year.
For limited analytics, we use aggregated first-party measurements to improve the store and stock planning. If you choose "Necessary Only", we do not store a persistent analytics identifier; the store can still count anonymous product and cart events without building an individual visitor profile.
8.2 Managing Cookies
When you first visit our website, you will be shown a cookie banner where you can choose which types of cookies to accept. You can change your cookie preferences at any time through your browser settings or by contacting us.
Please note that disabling essential cookies may affect the functionality of our website (e.g., you may not be able to add items to your cart).
9. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These measures include:
- SSL/TLS encryption on all pages of the website.
- Secure payment processing through Mollie; full payment credentials are not stored by us.
- Encryption of sensitive customer/order fields in backend storage where the Thomas Super Store backend stores them directly.
- No-store cache headers for checkout, account, tracking and backend API responses containing customer data.
- Automatic cleanup of temporary abandoned-cart, stock-alert and expired reservation records.
- Access controls and admin tokens for backend actions that expose or change operational data.
- Data minimisation: we only ask for the fields needed to process the order, notification or support request.
10. International Data Transfers
Your personal data is primarily processed within the European Economic Area (EEA). If we transfer data outside the EEA (e.g., through third-party service providers), we ensure adequate protection through:
- EU adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other appropriate safeguards under the GDPR
11. Children's Privacy
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we have inadvertently collected data from a child under 16, please contact us and we will promptly delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. The updated version will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.
If we make significant changes that affect how we process your data, we will notify you via email or a prominent notice on our website.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Westerman (operating Thomas Super Store)
Email: info@thomassuperstore.com
The Netherlands
We aim to respond to all privacy-related enquiries within 30 days.