Privacy Policy for bjosephson.com

Effective date: 24 July 2025


1  Purpose and Scope

This Privacy Policy (“Policy”) explains in detail how B. Josephson (Eddy Boone Josephson) (“B. Josephson”, “we”, “our”, or “us”) collects, uses, stores, discloses and otherwise processes your personal data when you interact with bjosephson.com (the “Website”), purchase artwork or merchandise from our web‑shop, sign up to our newsletter, engage with us on social media, visit our studios, or otherwise communicate with us.

We recognise that the lawful and transparent handling of personal data is fundamental to our relationship with collectors, galleries, curators, suppliers, service providers and visitors worldwide. We therefore process personal data strictly in accordance with:

  • Regulation (EU) 2016/679 – the General Data Protection Regulation (“GDPR”);

  • The Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;

  • Any other applicable local law that implements or supplements the GDPR or governs privacy, electronic communications or direct marketing (“Applicable Law”).

By using our Website or providing us with personal data, you acknowledge that you have read and understood this Policy. If you are acting on behalf of a company or organisation, you confirm that you are authorised to accept this Policy on its behalf.


2  Identity of the Controller

Controller:

B. Josephson (Eddy Boone Josephson)
Vandenpeereboomstraat 336
1501 Halle, Belgium
VAT‑BE - BE 0880.816.319
Email: edbuun@gmail.com

For the purposes stated herein, we are the “Controller” as defined in Article 4(7) GDPR, meaning we determine the purposes and means of processing personal data collected through or in connection with the Website and our business activities.


3  Definitions

  • “Personal data” means any information relating to an identified or identifiable natural person (a “data subject”) as defined in Article 4(1) GDPR.

  • “Processing” covers any operation or set of operations performed on personal data (Art. 4(2) GDPR), such as collection, recording, storage, consultation, disclosure, or erasure.

  • “Recipient” means a natural or legal person to whom personal data is disclosed, whether a third party or not (Art. 4(9) GDPR).

  • “Processor” means a natural or legal person that processes personal data on behalf of the controller (Art. 4(8) GDPR).

  • “Third Country” means a country outside the European Economic Area (“EEA”).

All other GDPR definitions apply mutatis mutandis.


4  Principles of Processing

We commit to processing personal data in accordance with the fundamental principles laid down in Article 5 GDPR:

  1. Lawfulness, fairness and transparency – we only process data when a valid legal basis exists and we inform you clearly about our processing.

  2. Purpose limitation – data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

  3. Data minimisation – we limit processing to what is strictly necessary for each purpose.

  4. Accuracy – we keep data accurate and up to date.

  5. Storage limitation – we retain data no longer than necessary or as required by law.

  6. Integrity and confidentiality – we secure data with appropriate technical and organisational measures.

  7. Accountability – we are able to demonstrate compliance with these principles.


5  Categories of Personal Data We Collect

5.1  Data you provide directly

  • Identification and Contact Data – first and last name, billing and shipping address, nationality, email address, telephone number.

  • Order and Contract Data – products ordered, unique order ID, purchase date and time, quantities, special instructions, delivery tracking numbers, returns, warranty claims.

  • Payment Data – transaction amount, currency, masked card details (last four digits), PayPal account identifier, payment status, charge‑back information. Complete card or banking credentials are handled exclusively by our payment partners Stripe Payments Europe and PayPal (Europe) S.à r.l. and never reach our servers.

  • Communications – the content of emails, contact‑form enquiries, social‑media messages, telephone notes, studio-visit guest books, testimonials or reviews.

  • Marketing Preferences – newsletter opt‑in/opt‑out status, cookie consent choices, preferred language, interests in specific artworks or series.

5.2  Data we collect automatically

When you browse the Website, we automatically collect, through cookies and similar technologies, certain technical and usage data:

  • Device Information – IP address (truncated where possible), browser type and version, operating system, device identifier, screen resolution.

  • Usage Data – referring URLs, pages viewed, links clicked, time spent on each page, session timestamps, download errors.

  • Approximate Location – derived from IP address solely to present localised content and detect suspicious activity (e.g. fraud).

5.3  Data from third‑party sources

We may receive personal data about you from:

  • Payment processors confirming successful payments or charge‑backs;

  • Delivery companies providing delivery status updates;

  • Social‑media platforms (e.g. Meta/Facebook, Instagram) when you interact with our sponsored posts or message us through their services;

  • Publicly available records or art databases for due‑diligence or provenance checks.

We combine such information with data you give us where relevant and lawful.


6  Legal Bases and Purposes of Processing

We always rely on at least one of the legal bases in Article 6 GDPR. Below we match each purpose to its primary legal basis; in some cases multiple bases may apply:

  1. Contract Performance (Art. 6 (1)(b))

    • Accepting and fulfilling orders, arranging payment, providing digital or physical delivery, issuing invoices, processing returns and after‑sales support.

    • Communicating with you about your purchase or requested service.

  2. Legal Obligation (Art. 6 (1)(c))

    • Maintaining accounting records, VAT ledgers and transaction logs for seven fiscal years under Belgian law.

    • Responding to lawful requests by supervisory authorities, courts or law‑enforcement agencies.

    • Screening transactions to comply with anti‑money‑laundering (“AML”) and counter‑terrorist‑financing regulations where applicable.

  3. Legitimate Interests (Art. 6 (1)(f))

    • Developing, securing and optimising the Website, including statistical analytics via Google Analytics (with IP anonymisation) and server‑log analysis.

    • Preventing fraud, resolving disputes, enforcing our terms of sale or defending legal claims.

    • Building lasting relationships with collectors and industry professionals by sending carefully tailored updates about new collections, events or fairs (so‑called “soft opt‑in” for existing customers, compliant with e‑Privacy rules).

    • Ensuring the physical security of artworks and facilities (e.g. CCTV on studio premises, visitor logs).

    Balancing test: We have weighed our interests against your fundamental rights and freedoms and believe they are not overridden, especially given the safeguards described in Sections 8 and 9. You have the right to object to processing based on legitimate interests at any time (see Section 10).

  4. Consent (Art. 6 (1)(a))

    • Sending newsletters to subscribers who are not yet customers.

    • Deploying non‑essential cookies such as the Meta/Facebook Pixel to serve personalised ads.

    • Publishing customer testimonials, photographs or case studies that identify you.

    • Recording your studio visit on video or photo for promotional purposes.

    Where we rely on consent, you may withdraw it at any time without detriment (see Section 10).


7  Disclosure of Personal Data

7.1  Processors acting on our behalf

We engage carefully selected third‑party service providers who act as Processors under written data‑processing agreements (Art. 28 GDPR). They may access personal data solely to perform the services instructed by us and must apply appropriate security measures. These include:

  • Stripe Payments Europe, Ltd. – payment gateway and fraud prevention;

  • PayPal (Europe) S.à r.l. et Cie – alternative payment method;

  • Brevo (Sendinblue SAS) – email marketing and transactional mailouts;

  • Google Ireland Ltd. – cloud infrastructure and Google Analytics (pseudonymised);

  • Web‑hosting provider (located in the EU) – storage of the Website and databases;

  • IT‑security consultants – vulnerability testing, incident response.

7.2  Independent controllers

Certain partners receive data and process it as independent controllers under their own privacy policies, e.g.:

  • Logistics companies – PostNL, Bpost, UPS, DHL and their subcontractors process delivery addresses, phone numbers and email addresses to provide shipping services and notifications.

  • Meta Platforms Ireland Ltd. – when you consent to the Meta/Facebook Pixel, usage data is transmitted to Meta for ad personalisation across its platform family.

  • Public authorities – the Belgian tax administration, customs authorities (for international shipments), courts or regulatory bodies if we are legally compelled to share data.

7.3  International transfers

Some Recipients are located in “Third Countries” that may not offer an identical level of data protection. Whenever we transfer personal data outside the EEA, we ensure one of the following safeguards applies (Art. 44–49 GDPR):

  • An adequacy decision by the European Commission;

  • Standard Contractual Clauses (SCCs) adopted by the Commission, supplemented where necessary by additional technical or organisational measures;

  • Your explicit consent for the transfer;

  • The transfer is necessary for the performance of the contract between you and us, or for the implementation of pre‑contractual measures taken at your request (e.g. shipping to a non‑EEA address).

You may obtain a copy of the relevant safeguards by contacting us (see Section 11).


8  Cookies and Similar Technologies

Cookies are small text files stored on your device that allow us to recognise your browser or store information. We categorise them as follows:

  1. Strictly Necessary Cookies – for core site functionality such as session management, CSRF protection and shopping‑cart retention. These are always active because the Website cannot operate properly without them.

  2. Functional Cookies – remember preferences (e.g. language, currency) and enhance user experience. Disabling them may reduce convenience but the site remains usable.

  3. Analytical / Performance Cookies – e.g. _ga and _gid set by Google Analytics. They collect aggregated statistics to understand how visitors navigate our pages. We configure Google Analytics with IP anonymisation, disable “User‑ID” tracking and accept the Data Processing Terms offered by Google Ireland.

  4. Advertising / Tracking Cookies – e.g. the Meta Pixel which enables cross‑site tracking for personalised advertising on Facebook and Instagram. These cookies are only set after you grant consent in our cookie banner.

8.1  Consent management

On your first visit, a banner asks you to accept, reject or customise non‑essential cookies. Your choice is stored for 12 months (or until you clear cookies) and can be changed at any time via the “Cookie Settings” link in the site footer. You may also disable cookies through your browser settings. Note, however, that opting out from all cookies may impair certain functionalities and our ability to improve the Website.

8.2  Third‑party cookies and embedded content

Our pages may incorporate content hosted by third parties (e.g. embedded Instagram feeds, YouTube videos, Google Maps, Artland 3‑D gallery tours). When this content loads, the third party may place cookies or read cookies already present on your device. We have no access to or control over these cookies. We recommend you review the privacy policies of the relevant providers for more information.


9  Data Retention

We keep personal data in an identifiable form only for as long as necessary for the purposes described in this Policy or as required by Applicable Law:

  • Accounting, tax and contract records – minimum 7 full fiscal years following the close of the financial year (Art. 60 Royal Decree on Accounts).

  • Customer service records and general correspondence – normally 2 years from last interaction, unless needed longer to defend legal claims.

  • Newsletter mailing list – until you unsubscribe. Afterwards your email is moved to a suppression list to ensure future mailings are blocked.

  • Cookie identifiers – retained for the lifespan indicated in our cookie banner (max 12 months for analytics cookies; up to 180 days for Meta Pixel).

  • CCTV footage (if you visit our studio/gallery) – overwritten after 30 days, unless an incident requires longer retention.

When the retention period ends we either securely delete the data or irreversibly anonymise it so that it is no longer personal data under the GDPR.


10  Your Rights and How to Exercise Them

Subject to the conditions and exceptions set out in the GDPR, you have the following rights:

  • Right of access (Art. 15) – obtain confirmation whether we process your personal data and receive a copy.

  • Right to rectification (Art. 16) – correct inaccurate or incomplete data.

  • Right to erasure (Art. 17) – request deletion where, for example, the data is no longer necessary, you withdraw consent, or processing is unlawful.

  • Right to restriction (Art. 18) – have processing suspended while we verify contested data or consider an objection.

  • Right to data portability (Art. 20) – receive data you provided to us in a structured, commonly‑used, machine‑readable format and transmit it to another controller where technically feasible.

  • Right to object (Art. 21) –

    • to processing based on legitimate interests, including profiling;

    • at any time to processing for direct‑marketing purposes, after which we will stop.

  • Right to withdraw consent (Art. 7 (3)) – at any time and without negative consequences. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

  • Right to lodge a complaint with your local supervisory authority (Art. 77).

10.1  Procedure

To exercise any right, please:

  1. Email edbuun@gmail.com or write to the postal address in Section 11, stating which right you invoke and the context (e.g. order number).

  2. Prove your identity. We may request reasonable additional information (e.g. a copy of your ID card with photo and serial number masked) to prevent unauthorised disclosure.

  3. We will respond within one month of receiving a complete request. This period may be extended by a further two months for complex or numerous requests; in that case we will inform you within the first month and explain the reasons for delay.

If we reject your request, we will state the legal basis and inform you of your right to lodge a complaint.


11  Data Security Measures

We implement state‑of‑the‑art security in line with Art. 32 GDPR:

  • Encryption in transit – all pages and APIs are served exclusively over HTTPS with TLS 1.3; HSTS is enabled.

  • Encryption at rest – server disks and database backups are encrypted.

  • Least‑privilege access – staff accounts are role‑based; MFA is enforced on privileged accounts.

  • Hardening – regular patch management, firewall rules, intrusion‑prevention systems, continuous vulnerability scans.

  • Data‑processing agreements – every Processor must guarantee confidentiality, data‑breach notification and technical safeguards.

  • Incident response – documented procedures for detecting, investigating and mitigating data breaches, including 72‑hour notification to the supervisory authority and prompt notification to data subjects where required.

  • Training and awareness – periodic staff training on GDPR, phishing and secure handling of personal data.

  • Pseudonymisation / anonymisation – we aggregate analytics data and truncate IP addresses wherever feasible.

No internet transmission or storage system is completely secure; nonetheless we work continuously to upgrade defences and minimise residual risk.


12  Children’s Privacy

Our Website and services are not directed at children under 16 years of age. We do not knowingly process the personal data of minors without parental consent. If we discover that a minor has provided personal data without such consent, we will delete the data promptly and block the account or transaction where possible. Parents or guardians who believe their child has provided personal data may contact us (Section 13).


13  Contact Information

If you have questions, requests or complaints regarding this Policy or our processing of your personal data, please contact:

B. Josephson (Boone Eddy Josephson)
Attn: Privacy Officer
Vandenpeereboomstraat 336, 1501 Halle, Belgium
Email: edbuun@gmail.com
Tel.: +32 489 572 707


14  Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority in the Member State of your habitual residence, place of work or alleged infringement. Our lead authority is:

Gegevensbeschermingsautoriteit (Belgian Data Protection Authority)
Drukpersstraat 35, 1000 Brussels, Belgium
Tel.: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: https://www.gegevensbeschermingsautoriteit.be/


15  Amendments to This Policy

We may modify this Policy from time to time to reflect changes in law, technology or our business operations. The “Effective date” at the top shows when the latest version entered into force. If we make material changes that affect your rights, we will provide conspicuous notice on the Website or by email where feasible. We encourage you to review this Policy periodically. By continuing to use the Website after such notice, you accept the revised Policy.

Copyright © 2025 B. Josephson. All Rights Reserved.