Privacy Policy
Last updated: June 2026
Thastel BV ("Thastel", "we", "us") respects your privacy and protects your personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Belgian data protection legislation. This policy explains who we are, what data we collect about you, why we collect it, how long we keep it, who we share it with, and what rights you have. It applies to the Thastel website (thastel.be), the customer portal (shop.thastel.be), the admin portal (admin.thastel.be), the mobile application and the POS terminals.
Data controller
The data controller is Thastel BV, with registered office at Wijnegemsteenweg 43, 2160 Wommelgem, Belgium, VAT BE 0735.827.647.
For any privacy question or to exercise your rights, you can reach us by email at privacy@thastel.be or by post at the address above.
What data we collect
Account and identification data: first name, last name, business email address, phone number, login credentials (password is stored only as a hashed value).
Business and tax data: company name, business address, Belgian enterprise number (KBO/BCE), VAT status.
Order and commercial data: orders, deliveries, top-ups, e-Pin sales, commissions, invoices, payment status.
Payment data: amounts, currencies, transaction references and payment status. Full card details are never stored on our systems — they are collected by our payment provider SumUp.
Terminal data: which POS terminal you are paired with, terminal balance and transaction history relayed by our vendor partner E-Till.
Technical data: IP address, browser type, device identifier, time zone, application logs and security logs, used to operate, secure and improve the platform.
Legal basis for processing
We process personal data on the following legal bases under Article 6 GDPR:
Performance of a contract — to provide you with the Thastel platform, fulfil orders, process top-ups, settle commissions and provide customer support.
Compliance with a legal obligation — to issue and retain invoices, comply with Belgian tax and accounting law, and respond to lawful requests from public authorities.
Legitimate interest — to keep the platform secure, prevent fraud, monitor service quality and pursue overdue invoices.
Consent — for any communication or processing that is not covered by the above (e.g. optional marketing). You can withdraw your consent at any time.
How we use your data
We use your personal data to:
create and manage your account and authenticate logins;
process and deliver your orders and top-ups;
calculate and pay out commissions on e-Pin sales;
issue invoices and recover unpaid invoices;
send service emails about your account, orders and payments;
operate, secure and continuously improve the platform;
comply with our legal obligations (accounting, tax, anti-fraud).
Who we share data with
We never sell your personal data. We share it only with the parties and for the purposes described below, under written data processing agreements where required by the GDPR.
Payment providers — SumUp (and any successor) process online card payments on our behalf. They receive the data strictly necessary to complete a payment.
Vendor partners — E-Till receives the data needed to provision and operate your POS terminal, including merchant identifiers and top-up references.
Cloud and hosting providers — Amazon Web Services (AWS) hosts our infrastructure within the European Union (Frankfurt, Germany).
Email and notification providers — Amazon SES is used to send service emails; push notifications are delivered via Firebase Cloud Messaging.
Professional advisors and authorities — accountants, lawyers, debt-collection partners, and competent authorities when required by law.
How long we keep your data
We keep your account data for as long as your account is active.
After your account is closed, we delete personal data within six (6) months, except where a longer retention period is required by law.
Financial and tax records (invoices, accounting entries) are retained for seven (7) years in accordance with Belgian accounting and tax legislation.
Security and access logs are kept for up to twelve (12) months.
How we protect your data
We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, encryption at rest for sensitive fields, hashed and salted passwords, access controls based on the principle of least privilege, network isolation of databases in private subnets, and regular review of security logs. Despite these measures, no system is completely secure; if a personal data breach occurs, we will notify the competent supervisory authority and, where required, the affected individuals in accordance with the GDPR.
Your rights
Under the GDPR, you have the right to:
access the personal data we hold about you and request a copy;
have inaccurate or incomplete data corrected;
request erasure of your data ("right to be forgotten") where the legal grounds for retention no longer apply;
restrict or object to certain processing;
request portability of the data you have provided to us, in a structured, machine-readable format;
withdraw any consent you have given, at any time, without affecting the lawfulness of previous processing.
To exercise any of these rights, email privacy@thastel.be. We respond within thirty (30) days. We may ask you to confirm your identity before acting on a request.
You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données — gegevensbeschermingsautoriteit.be).
Cookies
Our website and portals use only the cookies strictly necessary to operate the service — for example, to keep you logged in and to remember your language preference. We do not use third-party advertising or tracking cookies. If we ever add analytics or marketing cookies in the future, we will ask for your prior consent through a cookie banner.
Contact and updates
For any privacy question, request to exercise your rights, or to report a security concern, contact us at privacy@thastel.be. We may update this Privacy Policy from time to time to reflect changes to our services or to legal requirements. The "Last updated" date at the top of the page indicates when the current version came into effect.