Crown Fields

Privacy Policy

Last updated: June 2026. This policy describes how Crown Fields B.V. ("Crown Fields", "we", "us") collects, uses and protects personal data in compliance with the EU General Data Protection Regulation (GDPR) and Dutch implementing law.

1. Controller

Crown Fields B.V., Weena 690, 3012 CN Rotterdam, The Netherlands. KvK 88456710. Contact: info@crownfields.nl. We are the data controller for the personal data described below.

2. Data we process

Depending on how you interact with us, we process:

  • Identification & contact data — name, job title, business email, business phone, company, country.
  • Account data — login email, hashed password, language and notification preferences, audit-log records of significant actions.
  • Commercial data — orders, quotes, invoices, payment status, delivery addresses, claims.
  • Communications — emails, WhatsApp messages and call notes you exchange with us.
  • Technical data — IP address, device, browser, pages viewed, timestamps, security logs.

3. Purposes & legal bases

  • Performing our contract with your company — quotes, orders, deliveries, invoicing, support (Art. 6(1)(b) GDPR).
  • Complying with legal obligations — tax, food-safety traceability under Regulation (EC) 178/2002, accounting retention (Art. 6(1)(c)).
  • Our legitimate interests — securing the portal, preventing fraud, improving our service, direct B2B communication with existing customers (Art. 6(1)(f)).
  • Consent — optional analytics cookies and marketing communications you can opt in/out of (Art. 6(1)(a)).

4. Recipients & sub-processors

We share personal data only with parties that need it to deliver our service:

  • Hosting & infrastructure: Supabase (EU region), Cloudflare.
  • Accounting & invoicing: our accounting platform.
  • Payments: Stripe Payments Europe Ltd. (when prepayment is required).
  • Email & messaging: Mailgun, Meta (WhatsApp Business).
  • Logistics partners strictly for the delivery of your orders.
  • Public authorities where legally required.

All sub-processors are bound by GDPR-compliant data-processing agreements.

5. International transfers

Data is stored within the EU/EEA wherever possible. Where a sub-processor processes data outside the EEA (e.g. Meta), the transfer is covered by the European Commission's Standard Contractual Clauses (2021/914) and supplementary technical measures.

6. Retention

  • Account data: while your account is active, plus 12 months after closure.
  • Commercial records (invoices, orders): 7 years (Dutch tax law).
  • Traceability data on produce lots: 5 years.
  • Marketing consent records: 3 years from last interaction.
  • Security and audit logs: 12 months.

7. Your rights

You have the right to access, rectify or erase your personal data, to restrict or object to processing, and to data portability. You may also withdraw consent at any time. To exercise these rights, email info@crownfields.nl with proof of identity. We respond within 30 days.

Authenticated portal users can export or request deletion of their data directly from Account → Privacy in the buyer portal. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

8. Cookies

We use strictly necessary cookies (session, CSRF, language) and — with your consent — analytics cookies to understand portal usage. You can change your choice at any time via the cookie banner.

9. Security

We apply industry-standard measures: TLS in transit, encryption at rest, role-based access control, row-level security in the database, audit logs on admin actions, and regular backup verification.

10. Changes

We may update this policy. We will announce material changes in the portal at least 14 days before they take effect.