Legal

Privacy Policy

Effective 12 May 2026 · Version 1.0

This Privacy Policy explains how MaoGon collects, uses, and protects personal data when you use the MaoGon website and sourcing platform. We process personal data in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR") and Belgian law.

1. Who we are (Data Controller)

The data controller is Jasper Derieuw, sole proprietor, trading as MaoGon, with registered office at Aartrijkestraat 101, 8820 Torhout, Belgium, principal place of business in Ghent, Belgium, VAT BE1032392180.

Privacy contact: info@maogon.com.

MaoGon does not have a formal Data Protection Officer (DPO) as one is not required under GDPR Article 37 for our scale and processing activities. The privacy contact above handles all GDPR-related requests.

2. Personal data we collect

2.1 Data you provide directly

  • Identification — name, job title, company, VAT number
  • Contact — email, phone, business address
  • Account & authentication — encrypted password, session tokens, language preference
  • Sourcing requests — product specifications, quantities, budgets, delivery addresses, compliance notes, attachments
  • Order & financial — quote acceptance, invoice amounts, Mollie payment IDs, payment status
  • Communications — messages exchanged on the platform, support emails

2.2 Data collected automatically

  • IP address (anonymised where possible)
  • Browser type and version, operating system
  • Pages visited, time spent on pages, referring URL
  • Device type and screen resolution
  • Error logs and security events

We do not intentionally process special-category data (health, race, political opinions, biometrics, etc.). Please do not submit such data through the website or platform.

3. Purposes and legal bases

Under GDPR Article 6, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — to provide the platform, fulfil sourcing services, process payments via Mollie, send transactional emails (order updates, invoices), and provide support.
  • Legal obligation (Art. 6(1)(c)) — to comply with EU customs, VAT, accounting, tax, sanctions, and product-safety regulations.
  • Legitimate interest (Art. 6(1)(f)) — to operate and improve our services, prevent fraud and abuse, secure our systems, defend legal claims, and approve registrations (KYC and sanctions screening).
  • Consent (Art. 6(1)(a)) — for optional service emails based on your notification preferences (adjustable in Settings) and any future marketing communications. You may withdraw consent at any time.

4. Who we share data with

We do not sell personal data and do not use it for advertising profiling. We share data only with carefully selected processors and recipients:

  • Supabase Inc. — database, authentication, file storage, edge functions (EU / Frankfurt region)
  • Cloudflare, Inc. — hosting, CDN, DDoS protection, TLS (global edge / EU)
  • Resend.com — transactional email delivery (EU / US, SCCs)
  • Mollie B.V. — payment processing (EU / Netherlands)
  • Anthropic PBC — AI-assisted drafting for admin tools only; outputs are reviewed by a human before being sent (US, SCCs)
  • Asian sourcing partners — only the minimum data needed (product specs, delivery info). Supplier identities are not disclosed to clients and client identities are not disclosed to suppliers without consent
  • Belgian tax & accounting authorities — where required by law

All processors are bound by data-processing agreements requiring confidentiality, security, and GDPR compliance.

5. International transfers

Where personal data is transferred outside the European Economic Area (e.g. to AI providers in the US or to sourcing partners in Asia), we rely on appropriate safeguards under GDPR Art. 46 — in particular the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures such as encryption at rest and in transit.

6. Retention

  • Account data (active accounts) — for as long as your account is active
  • Account data after deletion request — deleted within 30 days, except as required by law
  • Invoices and accounting records — 7 years (Belgian tax law)
  • Order & compliance records — 10 years (EU customs, post-import compliance, GPSR)
  • Server logs / security events — 12 months
  • Waitlist entries — until application is processed or you request deletion

7. Your rights

Subject to GDPR, you have the right to:

  • Access (Art. 15) — receive a copy of the personal data we hold
  • Rectify (Art. 16) — correct inaccurate or incomplete data
  • Erase (Art. 17) — "right to be forgotten", subject to legal retention obligations
  • Restrict (Art. 18) — limit processing in certain situations
  • Data portability (Art. 20) — receive your data in a machine-readable format
  • Object (Art. 21) — to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing
  • Lodge a complaint with the Belgian Data Protection Authority — www.dataprotectionauthority.be

To exercise any right, email info@maogon.com. We respond within 30 days (extendable to 60 days for complex requests, with notice). Identity verification may be required.

8. Cookies

MaoGon uses only essential cookies and similar technologies to operate the website and platform (authentication session, security, language preference). We do not use advertising or analytics cookies. See our full Cookie Policy for the complete list.

9. Security

We implement industry-standard technical and organisational measures: TLS encryption in transit, encryption at rest, row-level security in the database, principle-of-least-privilege access, audit logging of administrative actions, and regular reviews. No system is 100% secure; if we become aware of a personal-data breach, we will notify you and the Belgian DPA within 72 hours as required by GDPR Art. 33–34.

10. Automated decision-making

We do not make decisions with significant legal effect on you solely by automated means within the meaning of GDPR Art. 22. AI tools may assist our admins in drafting communications, but all client-facing outputs are reviewed by a human before being sent.

11. Children

The platform is offered to businesses and adult consumers (18+). We do not knowingly collect personal data from anyone under 18.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be notified by email and via in-platform notice. The "Effective" date at the top reflects the latest version.

13. Contact

Jasper Derieuw — trading as MaoGon
Aartrijkestraat 101, 8820 Torhout, Belgium
VAT BE1032392180
info@maogon.com

You also have the right to lodge a complaint with the Belgian Data Protection Authority at www.dataprotectionauthority.be.

Karst mountains at twilight
© 2026 MaoGon. All rights reserved.
Designed in Belgium