🕯️ Candle Direct

Privacy Policy

Last updated: 8 July 2026

1. Who we are (data controller)

The controller for the personal data processed through candle.direct is Gintronics BV, Tategemstraat 22, 8790 Waregem, Belgium, company/VAT number BE 0554.684.305. For any privacy question or to exercise your rights, contact privacy@candle.direct.

2. Scope

This policy explains what personal data we process when you visit candle.direct, light a candle, subscribe, or contact us, and what your rights are under the EU General Data Protection Regulation (GDPR).

3. What data we collect

Data you give us. The optional name and intention you add to a candle; the good cause you select; your email address if you subscribe, ask for a receipt, or contact us. Payment details are entered with our payment provider — we receive confirmation of payment, not your full card number.

Data collected automatically. Basic technical data such as your IP address, browser and device type, and pages viewed with timestamps, through server logs and strictly necessary cookies, to keep the site secure and working.

Data kept in your browser. Your favourites and the candles you have lit are stored locally in your browser (local storage), not on our servers, unless you use a subscription/account. Clearing your browser storage removes them.

A note on intentions. An intention is free text and may reveal personal or sensitive information (for example about health or religious beliefs), and may be shown publicly on the candle wall and on a shareable candle page. Please share only what you are comfortable making visible. By submitting an intention you consent to us processing and displaying it for that purpose; you can ask us to remove it at any time.

4. Why we process it, and our legal basis

  • Providing the service and lighting your candle — performance of a contract.
  • Processing payments and keeping accounting records — contract and legal obligation.
  • Managing subscriptions and renewals — contract.
  • Showing your name/intention publicly and sharing — your consent.
  • Keeping the service secure and preventing fraud/abuse — legitimate interest.
  • Responding to your questions — legitimate interest / contract.
  • Complying with the law — legal obligation.

5. Who we share it with

We do not sell your personal data. We share it only with the processors needed to run the service — our hosting/infrastructure provider, our payment provider, and our email provider — each bound by a data-processing agreement and acting on our instructions. We may disclose data where required by law. Where you choose to support a good cause, only the information necessary for that contribution is passed on.

6. International transfers

We aim to keep data within the European Economic Area (EEA). Where a provider processes data outside the EEA, we ensure appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses.

7. How long we keep it

We keep personal data only as long as necessary for the purposes above. Payment and invoice records are kept for the statutory accounting period (in Belgium, generally seven years). Server logs are kept for a limited period for security. Names and intentions are kept while the related candle record exists or until you ask us to remove them. Data stored in your browser stays until you clear it.

8. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse, including encryption in transit (HTTPS) and access controls, and we review these measures regularly.

9. Data breaches

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and inform you without undue delay where the breach is likely to result in a high risk.

10. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

11. Children

The service is intended for a general audience and is not directed at young children. Where we rely on consent, a minor below the age set by national law should have the involvement of a parent or guardian. If you believe a child has provided personal data without such consent, contact us and we will remove it.

12. Your rights

Under the GDPR you have the right to:

  • access your personal data;
  • have inaccurate data corrected;
  • have your data erased;
  • restrict processing;
  • data portability;
  • object to processing based on legitimate interests;
  • withdraw consent at any time (without affecting processing already carried out).

To exercise any of these, email privacy@candle.direct. You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be, gegevensbeschermingsautoriteit.be, or with the authority in your country of residence.

13. Cookies

We use only strictly necessary cookies and local browser storage. See our Cookie Policy for details.

14. Changes to this policy

We may update this policy and will post the new version here with an updated date.