Privacy statement
1. Introduction
Trade Chemicals Europe BV ("TCE," "we," "us," or "our") is committed to protecting the privacy and personal data of our customers, suppliers, website visitors, and other stakeholders. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you interact with us through our website, ordering platform, or other business channels.
This Privacy Policy applies to all personal data processed by TCE in connection with our B2B chemical wholesale operations, including data collected through our online platform at tce.b2bwave.com.
Legal Framework: This Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC, and the Dutch GDPR Implementation Act (Uitvoeringswet AVG / UAVG). Where applicable, we also follow guidance from the European Data Protection Board (EDPB) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
2. Data Controller
The data controller responsible for the processing of your personal data is:
| Company Name | Trade Chemicals Europe BV |
| Registered Office | Pannekoekendijk 23a, 7887 EV Erica, The Netherlands |
| German Branch | Königsborner Straße 26a, 39175 Biederitz, Germany |
| KvK (Chamber of Commerce) | 83230068 |
| VAT Number | NL862781310B01 |
| [email protected] | |
| Phone | +31 (0)85 888 3500 |
| Website | https://tce.b2bwave.com/ |
For any questions or concerns regarding the processing of your personal data, please contact us at [email protected].
3. Personal Data We Collect
As a B2B wholesale chemical supplier, the personal data we collect primarily relates to business contacts and representatives of our corporate customers and partners. Below is an overview of the categories of personal data we process:
3.1 Account & Contact Data
| Data Category | Examples |
|---|---|
| Identity Data | Full name, job title, department of business contact persons |
| Business Contact Data | Business email address, business phone number, company name |
| Company Registration Data | VAT number, Chamber of Commerce number, DUNS number, company address |
| Account Credentials | Username, encrypted password, account preferences |
3.2 Order & Transaction Data
| Data Category | Examples |
|---|---|
| Order Information | Order history, product selections, quantities, delivery addresses |
| Payment Data | Payment method, billing address, transaction references (full payment card details are processed exclusively by our payment provider Stripe and are never stored by TCE) |
| Shipping Data | Delivery addresses, delivery instructions, carrier tracking information |
| Financial Records | Invoices, credit notes, outstanding balances |
3.3 Chemical Safety & Compliance Data
| Data Category | Examples |
|---|---|
| REACH Compliance | Downstream user information required under REACH Regulation (EC 1907/2006) |
| Safety Documentation | Records of Safety Data Sheet (SDS) distribution, exposure scenario acknowledgements |
| End-Use Declarations | Intended use information required for chemical supply chain compliance |
3.4 Technical & Usage Data
| Data Category | Examples |
|---|---|
| Device Information | IP address, browser type and version, operating system, device identifiers |
| Usage Data | Pages visited, time spent, click patterns, referral sources |
| Cookie Data | Cookie identifiers, session data, preference settings (see Section 10) |
3.5 Communication Data
| Data Category | Examples |
|---|---|
| Correspondence | Email exchanges, contact form submissions, chat messages |
| Support Records | Customer service enquiries, complaint records, feedback |
| Marketing Preferences | Newsletter opt-in/opt-out status, communication preferences |
Note on Payment Card Data: TCE does not collect, store, or have access to your full credit/debit card details. All payment transactions are securely processed by our PCI DSS Level 1 certified payment provider, Stripe. We only receive a transaction reference and confirmation of payment.
4. Purposes & Legal Bases for Processing
We process your personal data only when we have a valid legal basis under Article 6 of the GDPR. The table below outlines our processing purposes and corresponding legal bases:
| Purpose | Legal Basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Account creation & management Creating and maintaining your B2B customer account on our platform |
Contract Art. 6(1)(b) — Performance of a contract |
Duration of business relationship + 2 years |
| Order processing & fulfilment Processing orders, deliveries, returns, and invoicing |
Contract Art. 6(1)(b) — Performance of a contract |
7 years (Dutch fiscal retention obligation) |
| Payment processing Facilitating secure payment transactions via Stripe |
Contract Art. 6(1)(b) — Performance of a contract |
7 years (Dutch fiscal retention obligation) |
| Chemical safety & regulatory compliance REACH downstream user obligations, SDS distribution, CLP compliance |
Legal Obligation Art. 6(1)(c) — Compliance with a legal obligation |
10 years after last supply (REACH Art. 36) |
| Tax & accounting obligations Maintaining financial records, VAT compliance, audit trails |
Legal Obligation Art. 6(1)(c) — Compliance with a legal obligation |
7 years (Dutch General Tax Act, Algemene wet inzake rijksbelastingen) |
| Customer communication Responding to enquiries, providing support, sending transactional emails |
Contract Art. 6(1)(b) — Performance of a contract |
Duration of business relationship + 2 years |
| Direct marketing (B2B) Sending product updates, industry news, and promotional communications to business contacts |
Legitimate Interest Art. 6(1)(f) — Legitimate interests of TCE |
Until opt-out or end of relationship + 1 year |
| Newsletter & marketing communications Sending marketing emails where consent has been given |
Consent Art. 6(1)(a) — Consent |
Until consent is withdrawn |
| Website analytics & improvement Analysing website usage to improve our services and user experience |
Legitimate Interest Art. 6(1)(f) — Legitimate interests of TCE |
26 months (analytics data) |
| IT security & fraud prevention Protecting our systems, detecting and preventing fraud or misuse |
Legitimate Interest Art. 6(1)(f) — Legitimate interests of TCE |
12 months (security logs) |
| Legal claims & dispute resolution Establishing, exercising, or defending legal claims |
Legitimate Interest Art. 6(1)(f) — Legitimate interests of TCE |
Duration of applicable limitation period |
Legitimate Interest Assessments: Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 7).
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are outlined in the table above (Section 4). Below is a summary of our key retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of business relationship + 2 years | Contract performance & potential reactivation |
| Order & invoice data | 7 years from end of fiscal year | Dutch fiscal retention obligation (AWR Art. 52) |
| Payment transaction records | 7 years from end of fiscal year | Dutch fiscal retention obligation |
| REACH/chemical compliance data | 10 years after last supply | REACH Regulation Art. 36 |
| Communication records | 3 years after last interaction | Customer service & dispute resolution |
| Marketing consent records | Duration of consent + 1 year | Demonstrating valid consent (accountability) |
| Website analytics data | 26 months | Website improvement & performance analysis |
| Security & access logs | 12 months | IT security & incident investigation |
After the applicable retention period expires, personal data is securely deleted or anonymised. Where anonymised data is retained for statistical or analytical purposes, it can no longer be linked to you.
6. Data Sharing & Third-Party Processors
We do not sell your personal data. We may share your personal data with the following categories of recipients, exclusively for the purposes described in this Privacy Policy:
6.1 Third-Party Service Providers (Data Processors)
We engage trusted third-party service providers who process personal data on our behalf, under our instructions and subject to Data Processing Agreements (DPAs) compliant with Art. 28 GDPR:
| Service Provider | Purpose | Data Processed |
|---|---|---|
| B2BWave | E-commerce platform hosting our online ordering system | Account data, order data, product preferences |
| Stripe, Inc. | Secure payment processing (PCI DSS Level 1 certified) | Payment details, billing address, transaction data |
| Email service provider(s) | Transactional and marketing email delivery | Email address, name, communication preferences |
| Analytics provider(s) | Website analytics and performance monitoring | Anonymised/pseudonymised usage data, IP address |
| Cloud hosting provider(s) | Secure data storage and infrastructure | All data categories as required for storage |
| Shipping & logistics partners | Order delivery and transport of chemical products | Delivery address, contact name, phone number |
6.2 Other Recipients
We may also share personal data with:
- Tax & regulatory authorities: Dutch Tax Authority (Belastingdienst), customs authorities, and chemical safety regulators (e.g., ECHA) — as required by law.
- Professional advisors: Accountants, auditors, and legal counsel — bound by professional secrecy obligations.
- Law enforcement: When required by a valid legal process, court order, or to protect our legitimate rights.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, with appropriate safeguards in place.
7. Your Rights Under the GDPR
Under the GDPR and the Dutch UAVG, you have the following rights regarding your personal data. You may exercise these rights free of charge by contacting us at [email protected].
- Right of Access (Art. 15) — You have the right to obtain confirmation as to whether we process your personal data and to receive a copy of that data.
- Right to Rectification (Art. 16) — You have the right to request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure (Art. 17) — You have the right to request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to Restriction (Art. 18) — You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of data).
- Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests or direct marketing at any time.
- Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right Not to Be Subject to Automated Decision-Making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
How to Exercise Your Rights: Send your request to [email protected] with the subject line "Data Subject Request". We will verify your identity and respond within one month of receipt. In complex cases, this period may be extended by a further two months, in which case we will notify you within the first month.
Limitations: Certain rights may be limited where we have a legal obligation to retain data (e.g., fiscal records for 7 years, REACH data for 10 years) or where data is necessary for establishing, exercising, or defending legal claims.
8. International Data Transfers
Your personal data is primarily processed within the European Economic Area (EEA). However, some of our third-party service providers may process data outside the EEA (for example, Stripe, Inc. is headquartered in the United States).
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- Adequacy decisions — Transfers to countries recognised by the European Commission as providing an adequate level of data protection (e.g., the EU-US Data Privacy Framework).
- Standard Contractual Clauses (SCCs) — EU Commission-approved contractual clauses that provide appropriate safeguards for international transfers (as per Art. 46(2)(c) GDPR).
- Supplementary measures — Additional technical and organisational measures where required by the Transfer Impact Assessment, in line with the EDPB's post-Schrems II guidance.
You may request a copy of the safeguards in place for international data transfers by contacting us at [email protected].
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest where technically feasible.
- Access controls: Strict role-based access controls ensuring only authorised personnel can access personal data on a need-to-know basis.
- Secure payment processing: Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified); TCE never stores full payment card details.
- Regular security assessments: Periodic reviews and testing of our security infrastructure and processes.
- Employee training: Staff are trained on data protection obligations and security best practices.
- Incident response: We have procedures in place to detect, report, and investigate data breaches in accordance with Art. 33 and Art. 34 GDPR.
- Secure data destruction: Personal data is securely deleted or anonymised when no longer required.
Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours. If the breach is likely to result in a high risk, we will also notify you directly without undue delay.
10. Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies to ensure proper functionality, analyse usage, and improve your experience. Below is an overview of the types of cookies we use:
| Cookie Type | Purpose | Legal Basis | Duration |
|---|---|---|---|
| Strictly Necessary | Essential for website operation (session management, security, shopping cart) | Exempt from consent (Art. 5(3) ePrivacy Directive) | Session / up to 1 year |
| Functional | Remembering your preferences (language, region, display settings) | Exempt from consent (required for requested service) | Up to 1 year |
| Analytics | Understanding website usage, traffic sources, and page performance | Consent | Up to 26 months |
| Marketing / Third-party | Tracking across websites for advertising and remarketing purposes | Consent | Varies by provider |
10.1 Managing Your Cookie Preferences
When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time by:
- Adjusting your browser settings to block or delete cookies.
- Using our cookie preference centre (if available on our platform).
- Contacting us at [email protected] for assistance.
Please Note: Disabling strictly necessary cookies may impair the functionality of our website, including the ability to log in, place orders, or use the shopping cart.
11. Children's Privacy
Our website and services are intended for businesses and professionals. We do not knowingly collect personal data from children under the age of 16 (the age threshold under the Dutch UAVG). Our B2B platform requires account registration with verifiable business credentials.
If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe we may have collected information from a child, please contact us immediately at [email protected].
12. Automated Decision-Making & Profiling
TCE does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on data subjects as described in Art. 22 GDPR.
We may use basic data analysis for business purposes such as order trend analysis and inventory management, but these processes do not involve automated individual decision-making and do not affect your rights.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered account holders by email of significant changes.
- Post a prominent notice on our website when required.
We encourage you to review this Privacy Policy periodically. Continued use of our services after the effective date of changes constitutes acceptance of the updated policy, where legally permissible.
14. Right to Lodge a Complaint
If you are dissatisfied with how we handle your personal data or how we respond to your data subject request, you have the right to lodge a complaint with a supervisory authority. As TCE is established in the Netherlands, the lead supervisory authority is:
| Authority | Autoriteit Persoonsgegevens (Dutch Data Protection Authority) |
| Address | Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands |
| Phone | +31 (0)70 888 8500 |
| Website | https://autoriteitpersoonsgegevens.nl |
If our German branch is involved in the processing, you may also contact the competent German supervisory authority (Landesbeauftragte für den Datenschutz Sachsen-Anhalt).
We would appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at [email protected] so we can try to resolve the matter.
Contact Us — Data Protection Enquiries
For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data:
| Company | Trade Chemicals Europe BV |
| Address (NL) | Pannekoekendijk 23a, 7887 EV Erica, The Netherlands |
| Address (DE) | Königsborner Straße 26a, 39175 Biederitz, Germany |
| [email protected] | |
| Phone | +31 (0)85 888 3500 |
| Website | tce.b2bwave.com |
| KvK | 83230068 |
| VAT | NL862781310B01 |
Data protection enquiries are typically responded to within 5 business days