Privacy policy

Last updated: 11 April 2026

Karpet24 (part of CNL Handel BV) attaches great importance to the protection of your personal data. In this privacy policy we explain which data we collect, why we do so, how long we keep it and what rights you have. We do this in plain language — so you know exactly where you stand.

This privacy policy has been drawn up in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG).

1. Who is responsible for your data?

CNL Handel BV (trading as Karpet24) is the data controller within the meaning of the GDPR.

CNL Handel BV
Vareseweg 135, 3047 AT Rotterdam, the Netherlands

KvK: 82820228
VAT: NL8626.15.756.B01
Email: info@karpet24.nl
Phone: +31 (0)10 299 08 60

2. What data do we collect?

2.1 Data you provide to us

When you place an order, create an account or contact us, we process, among other things:

  • Identification details: first name and surname
  • Contact details: email address, phone number
  • Address details: billing address, delivery address
  • Order details: which products you ordered, prices, date
  • Payment details: payment method and transaction details (we never see the full credit card or bank details — these are processed directly by our payment provider)
  • Communication data: the content of emails or messages you send to us

2.2 Data collected automatically

When you visit our website, we and our service providers automatically collect technical data, such as:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and times
  • Referring website
  • Device information (mobile/desktop, screen size)

This is done via cookies and similar technologies — see also our Cookie Policy further on in this document.

3. Why do we process your data?

We process your personal data solely for the following clearly defined purposes:

Purpose Legal basis
Fulfilling your order (payment, shipping, customer service) Performance of contract
Sending order confirmations and track & trace information Performance of contract
Complying with legal obligations (e.g. tax retention requirements) Legal obligation
Handling questions, complaints and returns Performance / legitimate interest
Improving our website and services Legitimate interest
Preventing fraud and abuse Legitimate interest
Sending marketing emails (newsletters, offers) Consent
Placing analytics and marketing cookies Consent

4. Who do we share your data with?

We never sell your data to third parties. We only share it with parties we need in order to fulfil your order properly or to comply with legal obligations:

  • Shopify Inc. — our e-commerce platform that hosts and supports our online shop
  • Payment providers — for the secure handling of payments via the methods offered at checkout (iDEAL, Wero, Apple Pay, Google Pay, Klarna, Visa and Mastercard)
  • UPS and GLS — our carriers for delivering your order (which carrier delivers your parcel depends on the destination and the size of your rug)
  • Email marketing tools (only if you have signed up for our newsletter)
  • Bookkeeper and accountant — for administrative and tax obligations
  • IT service providers — that manage and secure our systems
  • Authorities — when we are legally required to do so

Where necessary, we have entered into data processing agreements with all these parties to ensure that your data is handled securely and in accordance with the GDPR.

Transfers outside the EU

Some of our service providers (including Shopify) also process data outside the European Economic Area (EEA), for example in the United States or Canada. In such cases, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission, so that your data continues to enjoy equivalent protection.

5. How long do we keep your data?

We do not keep your personal data longer than necessary:

  • Customer data and order information: 7 years after the last order (statutory tax retention period)
  • Account details: for as long as your account is active, then a maximum of 2 years thereafter
  • Email marketing: until you unsubscribe, then immediately removed from our mailing lists
  • Contact form / customer service: a maximum of 2 years after the matter is resolved
  • Website analytics (cookies): a maximum of 26 months

After these periods, your data is deleted or irreversibly anonymised.

6. Your rights under the GDPR

Under the GDPR, you have the following rights with regard to your personal data:

  • Right of access — you may request the data we hold about you
  • Right to rectification — you can have inaccurate data corrected
  • Right to erasure ("right to be forgotten") — you can ask for your data to be deleted, insofar as we are not legally required to keep it
  • Right to restriction — you can ask us to temporarily stop processing
  • Right to data portability — you can receive a copy of your data in a common digital format
  • Right to object — you can object to processing based on legitimate interest
  • Right to withdraw consent — if you have previously given consent (for example for marketing), you can withdraw it at any time

Would you like to exercise any of these rights? Send an email to info@karpet24.nl with your request. We will respond within one month. To prevent fraud, we may ask you for additional identification.

Filing a complaint

Are you not satisfied with how we handle your data? Please contact us first so we can resolve the matter together. You also always have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

7. Security of your data

We take appropriate technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, unwanted disclosure and unauthorised modification. These include:

  • Encrypted connections (HTTPS/SSL) across our entire website
  • Access to customer data limited to staff who need it
  • Regular updates and security patches of our systems
  • Payment data is handled directly by PCI-DSS certified parties
  • Backups and secure storage

If something does go wrong, we will report a data breach to the Dutch Data Protection Authority as required and — where necessary — to you personally.

8. Cookie Policy

Our website uses cookies. A cookie is a small text file that is placed on your device's hard drive when you visit the website.

8.1 Types of cookies we use

  • Functional cookies (always active): necessary for the website to function, such as remembering your shopping basket, language choice and login status. No consent is required for these.
  • Analytical cookies (only with consent): we measure anonymously how visitors use our website so that we can improve it.
  • Marketing cookies (only with consent): for showing you relevant advertisements on other websites and social media, and to measure the effect of our marketing.

8.2 Managing your cookie preferences

On your first visit, we ask via a cookie banner which cookies you accept. You can change your choice at any time via the "Cookie preferences" link at the bottom of every page.

You can also delete or block cookies via your browser settings. Please be aware that some features of our website may then no longer work properly.

9. Changes to this privacy policy

We may update this privacy policy from time to time, for example due to new legislation or changes to our services. The most recent version is always available on this page, with the date of the latest change at the top. We will announce major changes via our website or — where appropriate — by email to customers.

10. Contact

Do you have questions about this privacy policy or about how we handle your data? Please feel free to contact us:

Post: CNL Handel BV, attn. Privacy, Vareseweg 135, 3047 AT Rotterdam

Karpet24 is a trading name of CNL Handel BV
Vareseweg 135, 3047 AT Rotterdam
KvK: 82820228 · VAT: NL8626.15.756.B01

Legal basis for processing (GDPR art. 6)

We process your personal data only on the basis of a valid legal ground under the General Data Protection Regulation (GDPR):

  • Performance of a contract (art. 6(1)(b) GDPR) — for processing orders, deliveries, returns, customer service and warranty.
  • Legal obligation (art. 6(1)(c) GDPR) — for retaining financial records (7 years, Dutch tax law) and complying with consumer protection and product safety regulations.
  • Consent (art. 6(1)(a) GDPR) — for marketing cookies, newsletters and personalised offers. You can withdraw consent at any time via your account settings or the unsubscribe link.
  • Legitimate interest (art. 6(1)(f) GDPR) — for fraud prevention, system security and aggregated site-usage analysis.