Privacy Policy
This privacy policy explains how Lavendel Lab collects, uses, and protects your personal data when you use our website and services. We are committed to safeguarding your privacy in accordance with the General Data Protection Regulation (GDPR).
Last updated: March 2026
1. Who We Are
Lavendel Lab is a sole proprietorship (eenmanszaak / ZZP) registered in the Netherlands. We develop and sell professional software tools for electronics repair technicians.
| Company name | Lavendel Lab |
| Legal form | Eenmanszaak (sole proprietorship) |
| Chamber of Commerce (KVK) | 98057111 |
| VAT number (BTW) | NL005318759B63 |
| Location | Heerhugowaard, Noord-Holland, the Netherlands |
| Email | info@lavendellab.dev |
| Website | lavendellab.dev |
Lavendel Lab is both the data controller and data processor for the personal data described in this policy. We do not have a Data Protection Officer (DPO), as this is not required for our type and scale of processing.
2. What Data We Collect
We collect the following categories of personal data when you use our website and services:
- Account data: name, email address, and password (stored as a salted hash; we never store plaintext passwords)
- Payment data: processed securely by Stripe; we store your Stripe customer ID and license status but never your card number or bank details
- License and device data: license key, device fingerprint (a hardware-derived hash), activation status, and activation timestamps
- Technical data: IP address, browser type, operating system, and pages visited
- Communication data: the content and metadata of messages you send to us via email or our contact form
We do not collect any special categories of personal data (such as health data, racial or ethnic origin, political opinions, or biometric data).
3. Why We Use Your Data
We use your personal data for the following purposes:
- Account management: creating and maintaining your user account
- Order processing: processing your software license purchase and managing your license
- License verification: activating, validating, and managing your software license on your device
- Payment processing: handling payments, refunds, and invoicing via Stripe
- Communication: responding to your inquiries and sending transactional emails (order confirmations, license keys, license updates)
- Service improvement: analysing usage patterns to improve our website and products
- Security: detecting and preventing fraud, abuse, and unauthorized access
- Legal compliance: meeting our obligations under Dutch tax and accounting law
4. Legal Basis for Processing
We process your personal data on the following legal grounds under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)): processing your order, managing your account, and delivering your software license
- Legal obligation (Art. 6(1)(c)): complying with Dutch tax and accounting regulations (we are required to retain financial records for 7 years)
- Legitimate interest (Art. 6(1)(f)): improving our services, ensuring security, and preventing fraud; we have balanced these interests against your rights and concluded that they do not override your fundamental rights
- Consent (Art. 6(1)(a)): placing non-essential cookies; you can withdraw your consent at any time
5. Data Retention
We do not retain your personal data longer than necessary for the purposes described in this policy:
- Account data: retained for as long as your account is active; deleted within 30 days of account deletion
- Payment and invoice data: retained for 7 years after the transaction, as required by Dutch fiscal legislation (Algemene wet inzake rijksbelastingen)
- License and device data: retained for the duration of your license plus 90 days; device fingerprints are deleted upon license deactivation
- Technical logs (IP addresses): retained for a maximum of 90 days
- Communication data: retained for 2 years after the last contact, unless a longer period is required for ongoing support or legal matters
6. Third Parties
We share your data only with the following third parties, and only to the extent necessary to provide our services:
- Stripe (San Francisco, USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework. Stripe processes your payment details directly; we never receive or store your card data. Stripe Privacy Policy
- Hostinger (Kaunas, Lithuania) — website and server hosting. Our website and API are hosted on Hostinger infrastructure within the EU. Hostinger Privacy Policy
- Moneybird (Amsterdam, the Netherlands) — accounting and invoicing. Customer name, email, and invoice data are synced to Moneybird for our financial administration. Moneybird Privacy Policy
We do not sell, rent, or trade your personal data to any third party. We do not use your data for profiling or automated decision-making.
7. Cookies
Our website uses a limited number of cookies. We do not use tracking or advertising cookies.
| Cookie | Type | Purpose |
|---|---|---|
| ll_cookie_consent | Functional | Stores your cookie consent preference |
| ll_lang | Functional | Stores your preferred language (EN/NL/UK) |
| WordPress session cookies | Strictly necessary | Required for login and account functionality |
Functional and strictly necessary cookies do not require consent under the GDPR, as they are essential for the website to operate. You can disable cookies through your browser settings, but this may affect website functionality.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): you can request a copy of the personal data we hold about you
- Right to rectification (Art. 16): you can ask us to correct inaccurate or incomplete data
- Right to erasure (Art. 17): you can ask us to delete your data, unless we are legally required to retain it
- Right to restriction (Art. 18): you can ask us to temporarily restrict the processing of your data
- Right to data portability (Art. 20): you can request your data in a structured, machine-readable format
- Right to object (Art. 21): you can object to the processing of your data based on legitimate interest
- Right to withdraw consent (Art. 7): where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at info@lavendellab.dev. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
9. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encrypted connections (TLS/SSL) for all data in transit
- Passwords stored using industry-standard salted hashing algorithms
- Restricted access to personal data on a need-to-know basis
- Regular security updates for our server infrastructure
- HMAC-based application-level authentication for license verification
- Rate limiting on sensitive API endpoints
While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to info@lavendellab.dev.
10. Changes to This Policy
We reserve the right to update this privacy policy to reflect changes in our practices or applicable legislation. The most recent version is always available on this page. If we make significant changes that affect your rights, we will notify you by email or through a prominent notice on our website.
11. Contact
If you have any questions about this privacy policy or the way we handle your personal data, please contact us:
Lavendel Lab
Email: info@lavendellab.dev
Website: lavendellab.dev