Privacy policy

At Nesté, we take your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.

This policy applies to all personal data processed through our website nestesleep.com and any related communications with us.

Nesté operates in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Dutch data protection law.

 

1. Who We Are (Data Controller)

Nesté is the data controller responsible for your personal data.

Email: support@nestesleep.com

Website: nestesleep.com

Country of establishment: Netherlands

If you have any questions about how we handle your data, please contact us at the address above.

 

2. What Data We Collect

2.1 Data You Provide to Us

–       Identity data: first name, last name

–       Contact data: email address, phone number

–       Delivery data: shipping address, billing address

–       Payment data: payment method type and transaction reference (we do not store full card numbers — these are handled by our payment processor)

–       Account data: username and password (if you create an account)

–       Communications data: the content of messages you send us via email or contact forms

2.2 Data We Collect Automatically

–       Technical data: IP address, browser type and version, operating system, device type

–       Usage data: pages visited, time spent on pages, referring URLs, clicks

–       Cookie data: preferences and session information (see Section 8 — Cookies)

2.3 Data We Receive from Third Parties

–       Payment processors (e.g. Shopify Payments, Stripe, PayPal): transaction confirmation and fraud signals

–       Shipping carriers: delivery status updates

–       Analytics providers: aggregated usage statistics

 

3. Why We Collect Your Data (Legal Basis)

Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following:

 

| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Processing and fulfilling your order | Identity, contact, delivery, payment data | Contract (Art. 6(1)(b) GDPR) |
| Communicating about your order | Identity, contact data | Contract (Art. 6(1)(b) GDPR) |
| Fraud prevention and security | Identity, payment, technical data | Legitimate interests (Art. 6(1)(f) GDPR) |
| Improving our website and services | Usage, technical data | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing emails (if opted in) | Identity, contact data | Consent (Art. 6(1)(a) GDPR) |
| Complying with legal obligations | Identity, financial data | Legal obligation (Art. 6(1)(c) GDPR) |
| Cookie analytics and tracking | Cookie, technical data | Consent (Art. 6(1)(a) GDPR) |

 

We will never use your data for purposes incompatible with the purpose for which it was originally collected.

 

4. How We Use Your Data

Specifically, we use your personal data to:

–       Process, manage, and deliver your orders

–       Send order confirmations, shipping updates, and delivery notifications

–       Respond to your enquiries, complaints, or support requests

–       Prevent fraudulent transactions and ensure payment security

–       Comply with our legal and tax obligations

–       Send you marketing communications about our products and promotions, if you have opted in (you may withdraw consent at any time — see Section 9)

–       Analyse how our website is used in order to improve the customer experience

–       Personalise your experience on our website (e.g. remembering your preferences)

 

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

We share your data only where necessary with the following categories of trusted third parties, all of whom are bound by data processing agreements and applicable law:

–       Shopify Inc. — our e-commerce platform provider (data may be processed in the US under standard contractual clauses)

–       Payment processors (e.g. Stripe, PayPal) — for secure payment handling

–       Shipping carriers and fulfilment partners — to deliver your order

–       Email service providers — to send transactional and marketing emails

–       Analytics providers (e.g. Google Analytics) — for website performance analysis, using anonymised or pseudonymised data where possible

–       Legal and regulatory authorities — where required to comply with a legal obligation, court order, or regulatory request

Where any third-party processor is located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or adequacy decisions, as required by the GDPR.

 

6. International Data Transfers

Some of our service providers are based outside the EEA, including in the United States. When we transfer your data internationally, we ensure it is protected by:

–       Adequacy decisions by the European Commission, or

–       Standard Contractual Clauses (SCCs) approved by the European Commission, or

–       Other legally recognised transfer mechanisms under the GDPR

You may request information about the specific safeguards in place for any international transfer by contacting us at support@nestesleep.com.

 

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

 

| Data Type | Retention Period |
| --- | --- |
| Order and transaction data | 7 years (Dutch tax/accounting law) |
| Customer account data | Duration of account + 2 years after last activity |
| Email marketing data | Until you unsubscribe or withdraw consent |
| Support communications | 2 years from resolution |
| Website analytics data | 26 months (anonymised after 14 months) |
| Cookie data | As specified in our Cookie Policy |

 

After the applicable retention period, data is securely deleted or anonymised.

 

8. Cookies

We use cookies and similar tracking technologies on our website to:

–       Enable essential website functionality (e.g. your shopping cart)

–       Remember your preferences and settings

–       Analyse how visitors use our website (analytics)

–       Show you relevant advertising (if applicable)

Types of cookies we use:

–       Strictly necessary cookies — required for the website to function; no consent needed

–       Preference/functionality cookies — remember your choices (e.g. language, currency)

–       Analytics cookies — help us understand usage patterns (consent required)

–       Marketing/tracking cookies — used for advertising personalisation (consent required)

You can manage or withdraw your consent to non-essential cookies at any time via our Cookie Settings banner or your browser settings. Withdrawing consent does not affect the lawfulness of any processing based on consent before withdrawal.

For full details on the cookies we use, their purpose, and their duration, please refer to our Cookie Policy.

 

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights in relation to your personal data:

–       Right of access (Art. 15): You have the right to request a copy of the personal data we hold about you.

–       Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete data.

–       Right to erasure (Art. 17): You have the right to request deletion of your data (“right to be forgotten”), subject to certain legal exceptions.

–       Right to restrict processing (Art. 18): You have the right to request that we limit how we use your data in certain circumstances.

–       Right to data portability (Art. 20): You have the right to receive your data in a structured, commonly used, machine-readable format.

–       Right to object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.

–       Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. marketing emails, analytics cookies), you may withdraw your consent at any time without affecting the lawfulness of prior processing.

–       Right not to be subject to automated decision-making (Art. 22): We do not make solely automated decisions that have significant effects on you.

How to exercise your rights: Contact us at support@nestesleep.com with your full name and, where applicable, your order number or account email. We will respond within 30 days. We may need to verify your identity before processing your request.

Right to lodge a complaint: If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the Dutch data protection authority:

Autoriteit Persoonsgegevens (AP)

Website: https://www.autoriteitpersoonsgegevens.nl

Tel: +31 88 1805 250

 

10. Marketing Communications

If you have opted in to receive marketing emails from us, we may send you information about our products, promotions, and updates. You can unsubscribe at any time by:

–       Clicking the “Unsubscribe” link at the bottom of any marketing email, or

–       Contacting us directly at support@nestesleep.com

We will process your unsubscribe request promptly and within 10 business days at most. Unsubscribing from marketing communications does not affect transactional emails related to your orders.

 

11. How We Protect Your Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

–       SSL/TLS encryption for all data transmitted to and from our website

–       Secure, access-controlled systems for storing order and customer data

–       Limited access to personal data on a need-to-know basis

–       Regular review of our data processing practices and security procedures

While we take every reasonable precaution, no method of data transmission or storage is 100% secure. In the unlikely event of a data breach that affects your rights and freedoms, we will notify you and the relevant authorities in accordance with our legal obligations under the GDPR.

 

12. Children’s Privacy

Our website and products are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data without parental consent, please contact us at support@nestesleep.com and we will promptly delete such data.

 

13. Links to Third-Party Websites

Our website may contain links to third-party websites. This Privacy Policy applies only to nestesleep.com. We are not responsible for the privacy practices of any third-party sites and encourage you to review their respective privacy policies.

 

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The updated version will always be published on this page with a revised “Last updated” date. We encourage you to check this page periodically. Where changes are material, we will notify you by email or via a prominent notice on our website.

 

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@nestesleep.com

Website: nestesleep.com

We aim to respond to all privacy-related enquiries within 5 business days.