Qreative

Privacy Policy

1. Introduction

Qreative SRL (hereinafter “Qreative” or “we”) places great importance on respecting your privacy and protecting your personal data. This Privacy Policy is intended to inform you about how we collect, use, retain, and safeguard the personal information we may collect about you, as well as your rights in this regard. We process your data in compliance with applicable regulations, and in particular with Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR) – and Belgian data protection legislation.

This policy applies to our various interactions with you: when you visit our website qreative.be, when you contact us, or when you use our services. By using our website or services, you acknowledge that you have read and understood the terms of this Policy. We may update it periodically (see section 11).

2. Identity of the Data Controller

The data controller of your personal data is: Qreative SRL, whose full contact details are as follows:

Postal address: Rue Demulder 39, 1400 Nivelles, Belgium.
Email: hello@qreative.be
Phone: +32 (0)67 22 26 67
Company number (BCE): 0738.708.151

Qreative SRL, represented by its manager Mr. Jérôme Hunincq, determines the purposes and means of the processing of personal data carried out in the course of its activities (website design, digital marketing, etc.). As such, it acts as the data controller. We have not appointed an official Data Protection Officer (DPO), as our company is not required to do so. However, for any questions or requests relating to personal data, you may contact us using the details above. We will do our best to respond promptly.

3. Personal Data Collected

We make sure to collect only the data that is relevant and necessary in light of the purposes described (see section 4). Different types of data may be collected at various times:

3.1. Data you provide to us directly:

Contact and identity details: for example, when you fill out a contact form or request a quote on our site, or when you contact us via email/phone, we may ask you to provide your first and last name, email address, phone number, company name, job title, etc. This information allows us to identify you and get back in touch.

Information related to your project: if you request our services, you may provide details about your project (e.g. your company’s business sector, objectives of the website or campaign, graphic preferences, content to be integrated). This information may indirectly include personal data (e.g. the name of a contact person within your company, or any personal data appearing in the text/images you provide).

Data required to perform the contract: if you become a client, we collect the information necessary for managing our business relationship: e.g. billing address, VAT number, contact details of people involved in the project, access credentials provided (such as hosting login details, administrator credentials for your existing website, access to your advertising or social media accounts if you authorize us to work on them), etc.

Newsletter subscription or marketing communications: if we offer a newsletter and you voluntarily subscribe (opt-in), we collect your email address (and possibly your name) in order to send you updates, blog articles, or promotional offers. You can unsubscribe at any time (see section 9 on your rights).

3.2. Data automatically collected during your visit to the site:

Technical data: when you browse our website, some data is automatically collected via your browser or device. This includes, for example, your device’s IP address, the type of browser used, your operating system version, the date and time of access, the pages viewed, time spent on each page, etc. This technical information (connection logs) helps us ensure site security and compile anonymous or aggregated usage statistics (e.g. number of daily visitors, most visited pages).

Cookies and trackers: we use cookies (see our separate Cookie Policy) and similar technologies that may collect certain browsing data. Depending on their nature, these cookies may remember your preferences (e.g. language choice) or track your browsing for audience analysis purposes. Non-essential cookies (analytics, marketing) are only placed with your consent. Data collected via audience measurement cookies (such as Google Analytics) is anonymized as much as possible (for example, we anonymize your IP address) and used only for global statistical purposes.

Social media interactions: if you interact with our social media profiles (Facebook, Instagram, LinkedIn…), for example by sending us a message or commenting on our posts, we may have access to certain information from your public profile (name, photo, contact details) depending on your privacy settings on those platforms. However, we do not export this data into our own databases without your consent; it remains within the social network environment, subject to its own privacy policy.

Note: We do not intentionally collect any so-called “sensitive” data about you (such as information about your health, religious beliefs, racial or ethnic origin, political opinions, criminal record, etc.). We kindly ask you not to provide us with such data. If such information is accidentally shared with us (e.g. appearing inadvertently in a project document), we will treat it with the utmost confidentiality and delete it if it is not relevant to the service being provided.

4. Purposes of Processing and Legal Bases

We process your personal data for specific, explicit, and legitimate purposes. For each processing activity, we ensure that there is a valid legal basis in accordance with Article 6 of the GDPR. Below are the main purposes for which we use your data and the corresponding legal grounds:

Initial contact and pre-contractual communication: The information you provide via the contact form, a quote request, or any preliminary exchange is used to respond to your inquiry, assess your needs, provide you with information about our services, or draft a proposal.
Legal basis: such processing is justified by the performance of pre-contractual measures taken at your request (Article 6(1)(b) GDPR) or by our legitimate interest in responding to incoming requests (Article 6(1)(f) GDPR).

Performance of the service contract: Once you become a client, we use your data to manage the contractual relationship: communication throughout the project (e.g. email exchanges, sending of mockups), technical execution (use of your content and provided access to create your website or manage your campaigns), handling of requests, internal project management, invoicing, and accounting.
Legal basis: this processing is necessary for the performance of the contract you have entered into with us (Article 6(1)(b) GDPR).

Administrative management and legal obligations: We retain and process certain data to comply with our legal obligations, particularly accounting and tax-related (e.g. storing invoices and supporting documents that may contain your contact details), or to respond to legitimate requests from authorities (e.g. anti-money laundering requirements, although rarely applicable to us, or maintaining a GDPR-compliant processing register).

Information delivery, customer retention, and direct marketing: If you are already a client, Qreative may occasionally send you information about its services, updates, or events that may be of interest to you (e.g. major updates to a web technology, limited-time promotional offers).
Legal basis: Qreative’s legitimate interest in maintaining relationships with its clients (Article 6(1)(f) GDPR). We ensure that such communication is reasonable and non-intrusive, and you may object to it at any time (see section 9).

Newsletter and communications based on consent: If you are not yet a client or have voluntarily subscribed to our newsletter, we process your email address to send you news or promotional communications.
Legal basis: your explicit consent (Article 6(1)(a) GDPR), which you can withdraw at any time (unsubscribe link included in each message or by contacting us).

Website traffic analysis: To improve our website and understand how it is used, we use audience analysis tools (like Google Analytics) that collect browsing data (pages viewed, navigation paths, etc.).
Legal basis: your consent (Article 6(1)(a) GDPR) for the use of analytical cookies. If you decline these cookies, we will not collect such data. This information is used in an aggregated manner (general statistics) to evaluate website performance and guide improvements.

Site security and abuse prevention: Technical data (logs) are processed to ensure the security of the site and our systems, detect anomalies or malicious attempts (e.g. suspicious login attempts, DDoS attacks, spam through forms), and prevent abuse.
Legal basis: Qreative’s legitimate interest in protecting its infrastructure (Article 6(1)(f) GDPR). In case of suspected criminal activity, we may retain certain logs for a longer period and share them with authorities upon request – this processing would then be based on a legal obligation or our legitimate interest in defending our rights.

Recruitment (where applicable): If you send us an unsolicited application or apply for a job offer, we will use your data (CV, cover letter, contact details) solely for recruitment purposes and to assess potential future hiring needs.
Legal basis: Qreative’s legitimate interest in evaluating incoming applications (Article 6(1)(f) GDPR) and/or your implied consent by submitting this information. If we wish to keep a CV in our database for future roles, we will ask for your permission.

We do not use your data for purposes incompatible with those described above. If we need to use your data for a new purpose, we will inform you beforehand and, where required by law, obtain your consent.

5. Data Retention Period

We retain your personal data for a limited time, not exceeding what is necessary for the purposes for which it was collected, while complying with legal retention requirements. Below are our main retention policies:

Prospects and contact requests (without resulting contract): Data from individuals who contacted us (e.g. via the contact form or a quote request) and who do not become clients are retained for the time needed to process the request, then archived for a maximum of 12 months from the last interaction. This allows us to keep a record in case of follow-up. After this period, the data is deleted or anonymized, unless you have agreed to stay in touch (e.g. newsletter subscription).

Clients: For clients with whom a contract is concluded, we retain the data throughout the active contractual relationship, then archive the necessary information (e.g. invoices, quotes, important correspondence) for 10 years after the end of the contract, in order to comply with legal obligations (in particular, accounting records must be kept for 7 to 10 years) and to have proof in case of a dispute (standard contractual statute of limitations in Belgium can be up to 10 years). Technical data (such as provided access credentials) will be deleted or rendered inaccessible shortly after the end of the contract, unless the client wishes us to retain a backup for safety purposes (with agreement and specific terms).

Newsletter and marketing: We retain your subscription data (email address, name) until you unsubscribe or after a prolonged period of inactivity. Concretely, if you do not interact with any of our communications for 2 years, we may remove you from the mailing list. In any case, if you unsubscribe or withdraw your consent, we will stop sending you newsletters and will delete or anonymize your data from the distribution list (while possibly keeping a record of your unsubscription to avoid future unwanted messages).

Browsing data: Data collected via server logs is retained for a few months (generally no more than 6 months) for security purposes. Website traffic statistics collected through Google Analytics are retained for 14 months (aggregated data), according to the settings we have configured, then automatically deleted.

Applications: If we receive a CV/application and it does not result in a hire, we may keep your information for up to 1 year after the recruitment process to contact you again if applicable. Upon simple request, we will delete your application data earlier.

Beyond the durations mentioned above, data may be deleted or irreversibly anonymized. In certain cases, if legally required or to defend our rights, we may retain some data for a longer period (e.g. during legal proceedings).

6. Recipients of Personal Data

Your personal data is processed internally by Qreative (our manager and/or employees authorized to access it as part of their duties, such as the sales or technical team assigned to your project). We may also need to share some of your data with trusted third parties, under the following conditions:

Technical service providers and subcontractors:

Qreative uses external service providers for certain technical support operations or services related to its activity. These may include, for example:

the hosting provider for our website and online tools, which stores your contact data if you fill out a form or data generated during your browsing;

our software providers (e.g. a newsletter delivery platform, a project management service, or an online CRM) through which your information may pass or be securely stored;

specialized subcontractors we engage for part of the service (e.g. a freelance developer, graphic designer, or external photographer). These parties will only have access to the data strictly necessary for their assignment and act under our responsibility.

In all cases, we sign data processing agreements with our subcontractors that comply with GDPR requirements.

Data recipients: Your personal data is accessible internally to authorized members of the Qreative team who need it to perform their tasks (for example, the sales department, the project manager, the developer in charge of your website, etc.). Externally, we may share certain data with trusted partners or providers, strictly for the purposes outlined:

Technical subcontractors: These are companies that process data on our behalf and according to our instructions. For example: our web host (which stores data from our site and databases), our online tools (emailing solution for sending newsletters, project management or invoicing software). We ensure these subcontractors provide sufficient guarantees regarding data protection. They are contractually bound to confidentiality and security requirements (processing agreements in compliance with Article 28 of the GDPR).

External partners involved in the service: If the project requires the involvement of a third party (for example, a freelancer or partner agency for a specific part of the project), that third party may have access to certain client information, always under confidentiality and solely within the scope of the assignment. Likewise, if we register a domain name on your behalf or interact with a third-party provider (e.g. hosting service, advertising network) for your project, the necessary data will be shared with the relevant parties (e.g. your name and address for domain registration with the registrar).

Legal obligations, authorities, and advisors: We may be required to disclose your data if mandated by law or upon a legitimate request from an authority (e.g. court order, tax audit). Similarly, in the event of a dispute, we may share necessary information with our legal advisors (lawyer) or with the courts. These situations remain exceptional and are governed by the law.

We emphasize that your data is never sold or transferred to third parties for commercial purposes without your consent. Any transfer of data to a third party occurs only for the uses listed above or in accordance with your instructions.

7. Data Transfers Outside the European Union

As a general rule, we prioritize hosting your data within the European Union. However, some of our providers or partners may be located outside the European Economic Area (EEA) or may access your data from abroad. For example, data collected via Google Analytics may be processed by Google in the United States; similarly, the use of cloud or emailing services may involve servers located outside the EU.

In such cases, we ensure that appropriate safeguards are in place to govern the transfer: either the destination country benefits from an adequacy decision by the European Commission (which means it offers an adequate level of protection), or we sign Standard Contractual Clauses approved by the European Commission with the provider, possibly supplemented with additional measures, to ensure an equivalent level of data protection to that of the EU.

Where applicable, some U.S. providers may also be certified under the EU-U.S. Data Privacy Framework (the new data protection framework adopted in 2023). You may contact us for more details regarding the transfer of your data and the associated safeguards.

In any case, we ensure that all our partners and subcontractors, wherever they are located, respect the core principles of confidentiality and data security in accordance with the GDPR.

8. Data Security

Qreative is committed to protecting your personal data against unauthorized access, use, or disclosure. We implement appropriate technical and organizational security measures, taking into account the nature of the data and the risks associated with its processing. These measures include, among others: storing data on secure servers, protecting our IT systems with firewalls and antivirus software, using encrypted connections (HTTPS) on our website, implementing restrictive access control procedures (only employees or subcontractors who need access to your data are authorized), and raising staff awareness of best practices in data protection.

If part of the processing is outsourced, we contractually require our subcontractors to maintain an adequate level of security. Should a data breach (security incident) occur that poses a high risk to your rights and freedoms (e.g. leakage or loss of sensitive data), we will notify you as soon as possible, as well as the Data Protection Authority, in accordance with our legal obligations.

However, it is important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security.

You also play a role in protecting your data: we encourage you, for example, to choose strong passwords and not to share them.

9. Your Rights

In accordance with personal data regulations, you have several rights concerning your data, which you may exercise at any time:

Right of access: You have the right to ask whether we hold personal data about you and to receive it in an intelligible form, along with information about the purposes of processing, the categories of data processed, the recipients, the retention period, etc. (subject to the rights and freedoms of third parties).

Right to rectification: If you notice that personal data about you is inaccurate or incomplete, you may request that it be corrected or completed free of charge and as soon as possible.

Right to erasure (right to be forgotten): Under certain conditions, you may request the deletion of your personal data—for example, if it is no longer necessary for the purposes for which it was collected, if you withdraw your consent (and no other legal basis exists), or if you object to processing and there is no overriding legitimate reason to continue. Note: this right is not absolute—we may retain certain data if legally required (e.g. invoices) or if necessary for the establishment, exercise, or defense of legal claims.

Right to restriction of processing: You may request that we temporarily suspend the use of some of your data—for example, while we verify a dispute (about the accuracy of data or the lawfulness of processing) or if you need it to establish, exercise, or defend legal claims. While processing is restricted, we may not use the data (except to store it) without your consent or for legal reasons.

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on our legitimate interest. If you exercise this right, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your rights (e.g. the need to retain certain data for legal obligations or to defend our rights in court).
Important: when your data is processed for direct marketing purposes (e.g. sending newsletters or promotional emails), you may object at any time and without justification, and we will immediately stop such communications.

Right to data portability: For processing based on your consent or a contract and carried out by automated means, you may request to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, in order to transfer it to another controller. Where technically feasible, you may also ask us to transfer this data directly to that third party.

Right to withdraw your consent: Where processing is based on your consent (e.g. voluntary newsletter subscription, consent to analytical cookies), you may withdraw this consent at any time. The withdrawal will not have retroactive effect and will not affect the lawfulness of processing already carried out, but we will stop using your data for that purpose moving forward. For example, if you unsubscribe from a newsletter, we will no longer send you marketing emails.

To exercise your rights, you may contact us and provide proof of your identity (to prevent a third party from gaining access to your data): preferably by email at hello@qreative.be, or by post at our head office address (see section 2). We will respond as promptly as possible and in any case within the legal deadline of one month from receipt of your request (extendable by two months if necessary due to the complexity or number of requests—in which case, you will be informed).

The exercise of these rights is generally free of charge. However, if your requests are manifestly unfounded or excessive (e.g. repetitive), we may either charge a reasonable fee (reflecting the administrative cost of handling them) or refuse to comply, in accordance with the GDPR.

10. Right to Lodge a Complaint with the Authority

If you believe that we have not respected your rights or our obligations regarding your personal data, and after contacting us in an attempt to resolve the issue, you have the right to lodge a complaint with the competent supervisory authority. In Belgium, the supervisory authority is the Data Protection Authority (Autorité de Protection des Données – APD). Contact details for the APD:

Address: Rue de la Presse 35, 1000 Brussels, Belgium.
Website: https://www.autoriteprotectiondonnees.be
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be

The APD will provide information about your rights and can process your complaint if necessary. However, we encourage you to contact us directly first— in most cases, a conversation with us can quickly resolve your request.

11. Changes to the Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our practices or to comply with legal and regulatory developments. In the event of a substantial update, we will inform you via our website (and/or by email if we have your address), and we will update the “last modified” date below. We therefore invite you to consult this page periodically to stay informed of the latest privacy practices.

In any case, we will not reduce your rights as guaranteed by this Policy without your explicit consent.

Last updated: April 25, 2025.