Legal

Privacy policy

cardworld.be

Last updated: 5 May 2026

CARDWORLD (cardworld.be) processes personal data when you visit our website, create an account, place an order, take part in livestreams, or contact us. We take privacy seriously and are transparent about what we do with your data. This policy explains in plain language what data we collect, why, how long we keep it, who we share it with, and what rights you have.

1. Who are we?

Data controller:

  • CARDWORLD
  • Address: Violastraat 4, 3660 Oudsbergen, Belgium
  • Company registration (KBO/BCE): 1037.470.923
  • VAT: BE 1037.470.923
  • Privacy contact: hello@cardworld.be
  • Phone: +32 498 72 76 61

We are not required to appoint a Data Protection Officer (DPO), but you can always reach hello@cardworld.be for any privacy-related question. Please mention "Privacy" in the subject line.

2. What data do we collect?

When you create an account or place an order

  • Name, email address, phone number
  • Shipping and billing address
  • Order history (which cards/products you bought and when)
  • Password (encrypted, never readable to us or third parties)
  • Optionally your Twitch username (for Rip & Ship orders)

When you pay

  • Payment method (Bancontact, card, etc.) — processed by Mollie. We never see your full card number or banking details.
  • Transaction confirmation and invoice number

When you visit our website

  • Technical data: IP address, browser, device, language, time of visit
  • Which pages you view and how long
  • Cookie data (see section 7 below)

When you sign up for the newsletter or take part in promotions

  • Email address + date of consent
  • Which emails you open or click on (to make our newsletters more relevant)

When you take part in a livestream (Rip & Ship)

  • Important: Rip & Ship orders are opened live on stream. During the stream we often mention your first name or Twitch username. The stream archive remains available on Twitch and may also appear as a highlight on YouTube or social media.
  • You explicitly agree to this when ordering a Rip & Ship product.

CARDWORLD+ loyalty programme

  • Your annual spend is tracked to determine your tier (Explorer, Rival, or Legend) and assign benefits.

3. Why do we process this data?

We only use your data for specific purposes, always based on a legal basis (GDPR art. 6):

Purpose | Legal basis
Process and deliver your order | Performance of contract
Customer service + answering questions | Performance of contract
Bookkeeping and invoicing | Legal obligation (Belgian tax law, 7 years)
Sending newsletters and marketing emails | Consent (you can unsubscribe at any time)
Vault storage (sealed cards stored up to 3 months) | Performance of contract
Live opening of Rip & Ship products | Performance of contract (your order)
CARDWORLD+ loyalty + tier assignment | Consent at account registration
Site analytics (which pages are popular) | Legitimate interest (improving Services)
Fraud prevention and account security | Legitimate interest

4. Who do we share your data with?

We never sell your data to third parties. We only share what is strictly necessary with our partners (processors) who help us run the shop:

Partner | Purpose | Location
Shopify Inc. | E-commerce platform, accounts, orders | Canada / EU
Mollie B.V. | Payment processing | Netherlands (EU)
Klaviyo, Inc. | Sending emails (marketing + transactional like OTP codes and order confirmations) | USA (DPF-certified)
Bpost / DPD | Package delivery | EU (Belgium)
Twitch Interactive (Amazon) | Livestream hosting + embedding on our site | USA
Media hosting | Hosting photos and videos | EU
Google (Analytics) | Site analytics (anonymised) | USA (DPF-certified)
Cloud hosting | Our admin and dashboard servers | EU

For partners outside the EU (such as Klaviyo, Twitch, Google), we rely on either the EU-US Data Privacy Framework (DPF) certification or the European Commission's Standard Contractual Clauses. This way you remain protected by GDPR-level guarantees, even when data is processed outside Europe.

We also share data with government agencies when legally required (for example under a court order).

5. How long do we keep your data?

  • Orders and invoices: 7 years (Belgian tax obligation)
  • Customer account: as long as you are active. After 3 years of inactivity we automatically anonymise your profile.
  • Newsletter subscription: until you unsubscribe (one click in every email)
  • Vault orders: 3 months free storage, then automatic shipping or extension
  • Personalised media (audio/video with your first name): kept while your account is active, automatically deleted on account closure or on request
  • Server logs: 90 days for debugging and security
  • Customer service conversations: 2 years

6. Security

We take your data security seriously:

  • All connections over HTTPS (TLS encryption)
  • Passwords stored with scrypt hashing — we never know your password
  • Two-factor authentication available for admin accounts
  • Restricted access: only authorised staff can access customer data, with audit logs of every action
  • Regular security audits of our infrastructure

Still, we cannot guarantee 100% security. In the event of a data breach posing a high risk to you, we will notify you and the Belgian Data Protection Authority (GBA) within 72 hours, in accordance with GDPR art. 33-34.

7. Cookies and tracking technologies

When you visit our site, we place cookies (small text files) on your device. Some are essential (login, cart), others are for statistics or marketing.

On your first visit you will see a cookie consent banner where you can choose which categories you accept. You can always change your choice later.

Important: Twitch livestreams

Our homepage and livestream pages contain an embedded Twitch player. When this player loads, Twitch (Amazon) may place its own cookies to personalise your viewing experience and run their own analytics. We have no control over these cookies. Want to avoid them? Don't view the Twitch content or use your browser's "do not track" setting.

Read Twitch's privacy policy here: twitch.tv/p/legal/privacy-notice

8. Marketing communications

During account registration or via a separate signup, you can give consent to receive marketing emails from CARDWORLD (drops, discounts, restock alerts, exclusive deals).

  • Your consent is fully voluntary
  • You can unsubscribe at any time via the link at the bottom of every marketing email or by emailing hello@cardworld.be
  • Transactional emails (order confirmation, OTP codes for shipping, invoices) are always sent regardless of your marketing preference, because they are necessary to fulfil your order

9. Your rights under GDPR

You have the following rights regarding your personal data. For any request, email hello@cardworld.be with "Privacy" in the subject. We respond within 30 days (free of charge):

  • Right of access: request what data we hold on you
  • Right to rectification: have incorrect data corrected (you can also do this in your account settings)
  • Right to erasure ("right to be forgotten"): ask us to delete your data. We will, except where we are legally required to keep data (e.g. invoices)
  • Right to restriction: temporarily pause processing of your data
  • Right to data portability: receive an export of your data in a readable format (JSON or CSV) so you can take it to another service
  • Right to object: object to processing based on legitimate interest or for direct marketing
  • Right to withdraw consent: where processing is based on consent, you can withdraw it at any time

Filing a complaint

Not happy with how we handle your data? Try contacting us first (we usually resolve issues within 1 working day). If that fails, you can file a complaint with the Belgian supervisory authority:

Gegevensbeschermingsautoriteit (GBA / Belgian DPA)
Drukpersstraat 35, 1000 Brussels
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be

10. Automated decision-making

We do not use fully automated decision-making with legal effects. CARDWORLD+ tier assignment happens automatically based on your purchase spend, but you can always reach out manually for review.

11. Children under 13

Trading card games are popular among minors, but our shop is intended for users 13 years and older. We do not knowingly collect personal data from children under 13 without parental consent.

If you suspect a child < 13 has an account with us, email hello@cardworld.be and we will delete it as soon as possible.

12. International disputes (ODR platform)

Have a dispute over an online purchase? The European Commission offers an Online Dispute Resolution platform: ec.europa.eu/consumers/odr

13. Changes to this privacy policy

We may update this policy when our services or legislation change. For significant changes we will notify you by email (if you have an account) or via a banner on the site. The date at the top ("Last updated") always reflects the most recent version.

14. Contact

Questions, complaints, or requests? Email us at hello@cardworld.be with "Privacy" in the subject, or call +32 498 72 76 61.

CARDWORLD
Violastraat 4
3660 Oudsbergen
Belgium

Questions about this policy? Contact us at hello@cardworld.be