Privacy Policy – How Purasana protects your data
The protection of your personal data is an issue we take very seriously. Therefore, your personal data is always strictly confidential and processed in accordance with legal data protection regulations, as well as this data protection declaration.
1. Identity and Contact Information of the Data Controller
This privacy policy applies to all personal data processed by Purasana, with its registered office at Nijverheidslaan 3, 8560 Wevelgem - Belgium, and Vision Healthcare Group at Grote Markt 41, 8500 Kortrijk, company registration number BE 0685.849.188, acting as co-controller under the GDPR (hereafter called ‘Data Controller’).
The Data Controller places great importance on your privacy and processes your personal data in accordance with the European General Data Protection Regulation regarding the protection of natural persons concerning the processing of personal data (hereinafter referred to as "GDPR"), as well as any future or additional legislation implementing it, where applicable.
For further questions or comments regarding how we handle your personal data, you can always contact us, either by email at privacy@visionhealthcare.eu or by mail to the aforementioned postal address.
Our Data Protection Officer (DPO) can also be reached using the same contact information (please specify "Attention: DPO").
2. What does ‘processing of personal data’ mean?
The processing of personal data (hereinafter referred to as ‘data’) includes any handling of data that can identify you as a natural person. You can find information about the specific data involved in this Privacy Policy. The term ‘processing’ is very broad and encompasses activities such as collecting, storing, using your data, or sharing it with third parties.
3. What data do we process?
Below, we clarify the types of data that we may process from you. We may receive the following data either directly or indirectly from you.
We receive personal data directly from you when you make a purchase from one of the companies belonging to the Vision Healthcare Group, when you contact one of these companies, or when you contract as a service provider/supplier with one of the companies within the group.
It is also possible that we receive your personal data indirectly, through third parties. In such cases, these personal data are not provided directly by you to one of the companies belonging to the Vision Healthcare group. You may have given a third party permission to further disclose your personal data to other parties, including one of the companies within the Vision Healthcare group.
3.1. Customer Data
3.1.1. Data — Customer Account
It is possible to create a personal customer account on our commercial sites, which allows for placing orders, making purchases, and keeping track of purchase history. By creating a customer account, you provide the data controller with the following information:
- General identification data (name, first name, date of birth)
- Contact information (name, first name, email address, address, telephone number)
- Payment card details (account number, expiration date, cardholder name)
- Order history
- Company number and other company-related data insofar as they can lead to identification of a natural person
- Delivery addresses (in case they differ from the provided residential address)
- Shopping cart
- Gender (optional)
- Account details (username, password)
3.1.2. Data When Placing an Order Without an Account
When you place an order without creating an account, we process the data you provide during checkout, including:
- General identification data (name, first name)
- Contact information (email address, delivery address, telephone number)
- Payment details necessary to process the transaction
- Ordered products/services and order number
3.1.3. Data When Contacting Customer Service
For inquiries, complaints, or comments, you can always contact the customer service of the company where you placed your order. When you contact our customer service, we process the following data:
- General identification data (name, first name)
- Contact information (email address, and address if the reason for contacting is related to it)
- Payment card details (to the extent that the reason for contacting customer service is related to it)
- Ordered products/services and order number/customer number
3.1.4. Data in the Context of After-Sales Services, Contests, and Other Promotional Activities
Customer friendliness, optimal customer experience, and service are highly valued by Vision Healthcare Group. In this context, the data controller processes the following data:
- General identification data (name, first name)
- Contact information (email address, and address if relevant)
- Ordered products/services and order number/customer number
- Feedback on the products sold and, more generally, on the services provided
3.2. Suppliers’ Data
The Vision Healthcare group engages external service providers and suppliers for various services/products. In this context, the data controller processes the following personal data:
- Contact information of the contact person within the supplier/service provider’s company (name, first name, email address, telephone number)
- Company number and other company-related data insofar as they can lead to identification of a natural person
- Contractual data (e.g., company name, address, VAT number, agreement, etc.)
- Payment and billing data (e.g., payment card information, invoices, etc.)
- Account information for the platform (e.g., account registration data)
- Feedback, testimonials, quotes, and promotional content such as photos and videos
3.3. Candidate-Employees
We may process the following data from prospective employees, depending on what you choose to provide in the context of your job application:
- Personal particulars (motivation letter, CV, diplomas) - necessary to assess the candidate’s qualifications and motivation
- Work-related data (previous professional experience, CV) - necessary to evaluate professional experience and suitability
- Personality data - processed based on the candidate’s freely given and explicit consent for personality or behavioural assessments
- Photos - processed based on the candidate’s consent and used solely for identification during the recruitment process
3.4. Visitors of the Website
When you visit our website as a customer or non-customer, the following personal data may be processed, depending on your own personal preferences:
- IP address, browser type, location data, how the individual arrived at the website, interests, and the way the individual navigates the web page (through strictly necessary, analytical, and marketing cookies)
- Name, first name, email address, telephone number, subject of contact, and contact message (via the online contact form)
- Email address (via the online newsletter subscription form)
Cookie details: For full information on the cookies we use — including cookie names, vendors, lifetimes, and the consent mechanism — please refer to our Cookie Policy, available on our website and accessible at any time via the Cookie Preferences link in the footer of our websites.
Depending on your consent, we may share information about your website interactions (e.g. pages viewed, products interacted with) with advertising platforms such as Google and Meta for the purpose of creating advertising audiences and personalising ads across Vision Healthcare brands.
4. For What Purposes Do We Process Your Data?
Personal data is processed exclusively within the framework of the company, specifically for the following purposes:
- Within the scope of our main activities and webshops
- After-sales service
- Marketing and promotional activities
- Compliance with administrative and tax obligations
- Communication with customers and prospects
- Employee recruitment procedures
- Collecting customer feedback on products to improve our products and customer experience
- Cross-brand personalised advertising: based on your consented interaction with this website, we may display personalised advertisements for products or services from other Vision Healthcare brands, including multi-brand carousel ads
5. On What Legal Grounds Do We Process Your Data?
Vision Healthcare processes personal data solely for the purposes described in Chapter 4 and only based on one or more of the legal grounds set out in Article 6 GDPR, as described below.
Where you have provided consent, hashed identifiers such as encrypted email addresses or phone numbers may be used for audience creation in advertising platforms, enabling personalised advertising across Vision Healthcare brands.
5.1 Performance of a Contract or Pre-Contractual Measures (Art. 6(1)(b) GDPR)
Personal data are processed where this is necessary for entering into, performing, or terminating a contract with you, including for the following purposes:
- Operating our webshops and core business activities
- Creating and managing customer accounts
- Processing orders, payments, and deliveries
- Providing customer service and after-sales services
- Communicating with customers and prospects in the context of a contractual relationship
- Managing relationships with suppliers and service providers
- Carrying out employee recruitment and selection procedures
5.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)
Certain personal data are processed in order to comply with legal or regulatory obligations imposed on Vision Healthcare, including accounting and tax obligations, administrative obligations, and statutory retention obligations.
5.3 Legitimate Interests (Art. 6(1)(f) GDPR)
Certain personal data are processed based on the legitimate interests of the Vision Healthcare group, provided that these interests do not override the fundamental rights and freedoms of the data subjects. These legitimate interests include:
- Marketing and promotional activities directed at existing customers
- Improving the quality of our products and services
- Maintaining customer relationships and ensuring customer satisfaction
- Training employees and evaluating our activities
- Compiling statistics and internal reporting related to our activities
- Preserving and using evidence in the context of liability, disputes, or legal proceedings
- Ensuring the security of our websites, IT systems, and company premises
5.4 Consent (Art. 6(1)(a) GDPR)
In certain cases, personal data are processed based on your prior consent, including for the following purposes:
- Marketing activities that do not fall under legitimate interest
- The use of analytical and marketing cookies
- The use of photos, videos, testimonials, or other media on our website or social media channels
- Participation in contests and promotional campaigns
- Retention of job applicant data after the recruitment process for future vacancies
How to withdraw your consent:
- Cookies: You can manage or withdraw your cookie consent at any time via the Cookie Preferences link in the footer of our websites.
- Newsletter / marketing emails: You can unsubscribe at any time by clicking the unsubscribe link at the bottom of every marketing email we send you.
- Other consent-based processing: Contact us at privacy@visionhealthcare.eu to withdraw any other specific consent.
Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.
5.5 Profiling and Personalised Advertising
In the context of our marketing and advertising activities, Vision Healthcare may engage in profiling within the meaning of Article 4(4) GDPR, where this is based on your prior consent.
Profiling in this context means the automated processing of certain personal data relating to your interaction with our website (such as pages viewed, products consulted, search behaviour, add-to-cart actions or purchase events) in order to evaluate personal aspects relating to your preferences and interests for advertising purposes.
How profiling works
If you consent to analytical and/or marketing cookies on a Brand Website:
- information about your interactions with that website may be collected through cookies or similar technologies;
- this information may be transmitted to advertising platforms such as Google and Meta;
- these platforms may use such information to create advertising audiences;
- based on these audiences, personalised advertisements may be displayed to you.
Such advertisements may relate to:
- products or services offered by the Brand Website you visited; and/or
- products or services offered by other Vision Healthcare brands;
- advertisements that combine products from multiple Vision Healthcare brands within a single advertisement (for example, multi-brand carousel ads).
Hashed identifiers and audience matching
Where you have provided the relevant consent, we may use hashed identifiers (such as encrypted email addresses or telephone numbers) for the purpose of creating advertising audiences (for example via “Customer Match” or similar services). These identifiers are not shared in plain readable form.
Purchase and conversion events
Where permitted by your consent, purchase or conversion events may be used to limit or exclude you from further personalised advertising (for example, to avoid showing advertisements for products you have already purchased).
Automated decision-making
The profiling described above is limited to advertising personalisation and does not produce legal effects or similarly significant effects within the meaning of Article 22 GDPR. It does not affect your ability to purchase products, access services, or exercise your rights.
Legal basis and withdrawal
Profiling for personalised advertising purposes is carried out exclusively on the basis of your prior consent (Article 6(1)(a) GDPR).
You may withdraw your consent at any time via the consent management tool available on the Brand Website where you originally provided your consent. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.
Consent is collected and managed separately on each Brand Website. Consent provided on one Brand Website does not automatically apply to other Brand Websites.
6. Data Source
Most of the data we process from you has been obtained directly from you within the scope of our services. It is possible that we obtain data from you through external service providers or public sources. You can always contact us for more information about the sources of our data about you.
7. Who Do We Share Your Data With?
We do not share your data with third parties unless it is strictly necessary for the purposes mentioned above or if we are legally obliged to do so.
The Vision Healthcare Group and each enterprise that forms part of the Vision Healthcare Group act as joint data controllers within the meaning of the GDPR. An internal arrangement determining the respective responsibilities of the joint data controllers has been established in accordance with Article 26 GDPR. The essence of this arrangement is available upon request.
Where necessary, we rely on external service providers (processors) to support our operational purposes. They are contractually bound to ensure the confidentiality of your data through a data processing agreement.
We share your data, as relevant in your situation, with the following third parties:
- Postal companies, transport and delivery companies if we need to send you something by mail
- Payment service providers if we receive payments from you, or vice versa
- External representatives and consultants or any other parties involved in the context of our main or ancillary activities
- Processors who assist us in the field of IT in operating our organisation
- Government authorities, judicial bodies, and practitioners of regulated professions such as accountants and lawyers, in order to comply with our legal obligations and defend our interests
- User research and survey platform — used to collect feedback from customers
International transfers: Some of the processors we rely on may be located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, this will only take place in countries for which the European Commission has decided that they ensure an adequate level of protection, or where Standard Contractual Clauses (SCCs) have been implemented. Transfers to the United States only take place where recipients are certified under the EU–US Data Privacy Framework or where SCCs have been put in place.
8. For How Long Do We Store Your Data?
We do not retain your data for longer than necessary for the purpose for which the data was collected or processed. The storage period may vary depending on the category of data and the applicable legal basis. After the retention period expires, your data will be deleted or anonymised.
| Category | Retention Period | Basis |
| --- | --- | --- |
| Customer order data (invoices, payment records) | 10 years from the date of the order | Legal obligation (accounting/tax) |
| Customer account data | Duration of the account, plus 3 years after last login or account closure | Contractual / Legitimate interest |
| Marketing consent & related data | Until consent is withdrawn, or maximum 3 years after last meaningful interaction | Consent |
| Recruitment / candidate data | Up to 6 months after end of recruitment process; up to 1 year with explicit consent for future vacancies | Pre-contractual / Consent |
| Supplier / service provider data | Duration of contract, plus 7 years after contract end | Legal obligation / Contractual |
| Cookie consent logs | Up to 1 year (renewed upon re-consent) | Legal obligation (ePrivacy) |
| Customer survey data | 12 months after survey completion | Consent |
Specific legislation may require us to retain certain data for a longer or shorter period. Our retention periods are always based on legal requirements and a balance of your rights and expectations with what is useful and necessary for fulfilling our purposes.
9. Where Do We Store Your Data and How Is It Protected?
We implement appropriate security measures on a technical and organisational level to prevent the destruction, loss, falsification, alteration, unauthorised access, or unlawful disclosure of your data, as well as any other unauthorised processing.
We also ensure that the processors we engage with implement appropriate security measures to minimise the risks of incidents as much as possible.
If your personal data is processed outside the EEA, this will only take place in countries for which the European Commission has decided that they ensure an adequate level of protection, or where appropriate safeguards are in place. Transfers to the United States only take place where recipients are certified under the EU–US Data Privacy Framework or where Standard Contractual Clauses have been implemented.
10. Technical and Organisational Measures (TOMs)
We implement appropriate technical and organisational security measures to prevent the destruction, loss, falsification, alteration, unauthorised access, or unlawful disclosure of your data. These measures include:
- Encryption in transit: All personal data transmitted via our websites is protected using TLS (Transport Layer Security) encryption, ensuring that data exchanged between your browser and our servers cannot be intercepted.
- Session management: Automatic deletion of session cookies and controlled use of other cookies in line with your preferences.
- Password protection: Passwords are stored using secure one-way hashing with a strong, industry-standard algorithm (salted). Passwords are never stored in readable or reversible form.
- Payment security: Payment card data is transmitted securely via trusted payment providers. Sensitive payment information is not stored by us.
- Server logging: Our software automatically stores certain server log files to ensure smooth operation and security (browser information, referrer URL, IP address, server request time), retained only as long as necessary.
Organisationally, external service providers are contractually bound to ensure confidentiality and to process data only as necessary for their tasks. We retain data only as long as necessary for the purposes described in this policy and delete or anonymise it after the retention period.
11. What Are Your Rights?
You have various rights concerning the data we process about you. If you wish to exercise any of the following rights, please contact our GDPR representative using the contact details provided in Section 1.
Right of Access and Copy: You have the right to access your data and obtain a copy of it, including information about the categories of data processed and the purposes for which this is done.
Right of Rectification: You have the right to have inaccurate data rectified without undue delay.
Right to Erasure (Right to Be Forgotten): You have the right to request the erasure of your data. We may not always be able to fulfil such a request, particularly when we still need the data for an ongoing contract or when keeping certain data is legally required.
Right to Restriction of Processing: You have the right to request the temporary restriction of processing, for example while the accuracy of the data is being confirmed.
Right to Withdraw Your Consent: When processing is based on your consent, you have the right to withdraw it at any time. For marketing emails, click the unsubscribe link. For cookies, use the Cookie Preferences link in the footer of our websites.
Right to Object: You have the right to object to processing based on legitimate interest. You can also object to the use of your data for direct marketing. All marketing emails include an opt-out option.
Right to Data Portability: You have the right to obtain your data in electronic form and to request that we transmit it directly to another organisation where technically feasible.
Right to Lodge a Complaint with a Supervisory Authority: If you believe that we are processing your data incorrectly, you have the right to lodge a complaint with a data protection supervisory authority.
As Vision Healthcare Group is established in Belgium, the lead supervisory authority is:
Gegevensbeschermingsautoriteit (GBA) / Autorité de Protection des Données (APD)
Rue de la Presse 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be | Tel.: +32 (0)2 274 48 00
You may also contact the supervisory authority of the EU member state where you reside, work, or where the alleged infringement took place.
12. How to Exercise Your Rights
You can exercise your rights by contacting us at privacy@visionhealthcare.eu. We may ask you to provide documentation to prove your identity. Those documents will only be used to comply with your request in accordance with the GDPR.
13. May Children Use Our Website?
The Vision Healthcare Group and each of its subsidiaries do not offer or sell any products to minors. Products intended for children may only be purchased by adults. If you are not yet 18 years old, you may only buy products from us together with a parent or guardian.
14. Questions Regarding Data Protection
If you have any questions about privacy or data protection issues, please contact us via:
- General privacy queries: privacy@visionhealthcare.eu
- Nordic markets: privacynordics@visionhealthcare.eu
- Postal address: Vision Healthcare Group, Grote Markt 41, 8500 Kortrijk, Belgium