Privacy

This privacy policy applies to all personal data collected and used by Cosy when you visit or use our website, place an order, contact us, or engage with us through social media or other means. "Personal data" refers to any information through which we can identify you, as further described below.

Who We Are

Cosy ("Cosy", "we", "us", or "our") is a fashion brand based in the Netherlands. Cosy is responsible, as data controller, for the processing of your personal data in accordance with the General Data Protection Regulation (GDPR).

Company details:

Cosy legal entity name, e.g. Cosy.co B.V., Verhammestraat 10, 1964TG Heemskerk, The Netherlands

KvK number: 42075202

Email: hey@feelcosy.co

Personal Data We Collect

We may collect the following categories of personal data:

- Contact details: name, address, telephone number and email address.
- Account and technical data: login details, IP address, browser type, device identifiers, geographic location, pages visited and session duration.
- Purchase information: ordered products, order history, delivery address, payment method and payment status.
- Communication data: messages you send us via email, social media or customer service.
- Marketing preferences: your consent and preferences for receiving updates and promotions.
- Social media activity: your engagement with our content on social platforms.
- Cookies and tracking technologies: see our Cookie Policy for more information.

Purpose and Legal Basis of Processing

We process your personal data on the following legal bases under the GDPR. We process your data to fulfil orders, process payments and provide customer support on the basis of the performance of a contract (Art. 6(1)(b) GDPR). We send you marketing communications on the basis of your consent (Art. 6(1)(a) GDPR). We carry out website analytics, improve our services, and perform fraud prevention and security monitoring on the basis of our legitimate interests (Art. 6(1)(f) GDPR). We comply with our legal and tax obligations on the basis of a legal obligation (Art. 6(1)(c) GDPR).

Our legitimate interests include improving your customer experience, securing our services, and understanding website performance. We have carefully balanced these interests against your privacy rights.

Marketing Communications

You will receive marketing communications only if you have given your explicit consent. You can unsubscribe at any time by clicking the link in any marketing email or by contacting us.

Cookies

Our website uses cookies and similar technologies to provide functionality, analyse traffic and personalise content. Non-essential cookies (such as analytics and advertising cookies) are used only after we obtain your consent via our cookie banner. You can manage your cookie preferences at any time through your browser settings or our Cookie Settings page. See our full Cookie Policy for details.

How We Share Your Data

We do not sell your personal data. We may share it with trusted third parties, including: service providers (such as hosting, analytics, email/SMS delivery and customer service); payment and logistics partners that process orders and deliver products; marketing and affiliate partners, but only with your consent; and competent authorities where required by law. We also work with platform vendors such as Klaviyo, Shopify and Meta, as necessary to provide our services. All third parties act under Data Processing Agreements (DPAs) to ensure GDPR-compliant handling of your data.

International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), including in the United States. In such cases, we ensure your data is protected by implementing Standard Contractual Clauses (SCCs) approved by the European Commission, or by working with partners certified under an appropriate transfer framework.

Data Security

We take appropriate technical and organisational measures to secure your data, including SSL encryption, access controls and authentication, regular audits and vulnerability assessments, and secure data storage practices.

Data Retention

We retain your personal data only for as long as necessary for the purposes listed above or to meet our legal obligations:

- Order and account information: 7 years, as required by Dutch tax law.
- Marketing consent: until you opt out or withdraw your consent.
- Customer service interactions: up to 2 years from your last contact.
- Analytics and cookies: as defined in our Cookie Policy.

Your Rights Under the GDPR

You have the following rights regarding your personal data:

- Right of access – to view your personal data.
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure – to request deletion of your data.
- Right to restrict processing – to limit how we use your data.
- Right to data portability – to receive your data in a usable format.
- Right to object – to processing based on legitimate interest or for marketing.
- Right to withdraw consent – at any time, for marketing or optional data collection.

To exercise your rights, contact us at hey@feelcosy.co.

You also have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens

Website: https://autoriteitpersoonsgegevens.nl

Changes to This Policy

We may update this privacy policy from time to time. Any material changes will be communicated via our website. Please check this page regularly for updates.

Last updated: June 18, 2026