Privacy policy

This website is operated by TWOZERO®. Throughout this policy, the terms “we”, “us” and “our” refer to TWOZERO B.V. We take the privacy of our customers and website visitors seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have.

This Privacy Policy applies to all personal data processed through www.drinktwozero.com, including data collected during purchases, account registration, newsletter sign-ups, and general website use. By using our website or placing an order, you acknowledge that you have read and understood this Privacy Policy.

TWOZERO B.V. is the data controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable privacy legislation.

 

1 - Who we are

Legal name: TWOZERO B.V.
Registered address: P.O. Box 93504, 1090 EA Amsterdam, The Netherlands
Chamber of Commerce (KvK) number: 97886726
VAT (BTW) number: NL868275803B01
Website: www.drinktwozero.com
Privacy contact: help@drinktwozero.com

TWOZERO® does not have a formally appointed Data Protection Officer (DPO). For all privacy-related questions, requests, or concerns, please contact us at help@drinktwozero.com.

 

2 - Personal data we collect

We collect personal data in the following situations:

2.1 When you place an order

In order to process and deliver your order, we collect the following data:

  • First and last name
  • Delivery address and billing address
  • Email address
  • Phone number (if provided)
  • Payment information (processed directly and securely by our payment providers; TWOZERO® does not store full payment details)
  • Order history and transaction data

2.2 When you create an account

If you create a customer account on www.drinktwozero.com, we additionally store:

  • Account login credentials (email address and encrypted password)
  • Order history linked to your account
  • Subscription details, if applicable

2.3 When you sign up for our newsletter

If you subscribe to the TWOZERO® newsletter via the sign-up form in the footer of our website, we collect:

  • Your email address
  • Your opt-in confirmation and the date and time of subscription


Newsletter communications are sent via Klaviyo. You can unsubscribe at any time by clicking the unsubscribe link in any newsletter email, or by contacting us at help@drinktwozero.com.

2.4 When you contact us

If you contact TWOZERO® via email, WhatsApp, or our contact form, we collect:

  • Your name and contact details
  • The content of your message
  • Any additional information you choose to share with us

2.5 Automatically collected data (website use)

When you visit www.drinktwozero.com, we automatically collect certain technical data via cookies and similar technologies, including:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on the website
  • Referring URL (the website you came from)
  • Clicks, scrolling behaviour, and interaction data


This data is collected via Shopify’s built-in analytics, Google Analytics, and Meta Pixel. See Article 6 (Cookies) for more information.

3 - Legal basis for processing

TWOZERO® processes personal data only where a valid legal basis exists under the GDPR. Depending on the purpose of processing, we rely on one or more of the following legal bases:

3.1 Performance of a contract (Art. 6(1)(b) GDPR)

We process your personal data where it is necessary to fulfil a purchase agreement with you. This includes processing your order, arranging delivery, handling payments, managing your subscription, and communicating with you about your order or account.

3.2 Legal obligation (Art. 6(1)(c) GDPR)

We are required to process and retain certain data in order to comply with legal obligations, including Dutch and European tax law, accounting requirements, and consumer protection legislation. Financial and order data is retained for a minimum of 7 years in accordance with Dutch tax law (Belastingdienst).

3.3 Legitimate interests (Art. 6(1)(f) GDPR)

We process certain data on the basis of our legitimate business interests, provided these interests are not overridden by your rights and freedoms. This includes:

  • Fraud detection and prevention
  • Website security and abuse prevention
  • Website analytics and performance optimisation (via Google Analytics)
  • Improving the customer experience and our product offering
  • Retargeting website visitors with relevant advertisements (via Meta Pixel), subject to your cookie consent


3.4 Consent (Art. 6(1)(a) GDPR)

Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. We rely on consent for:

  • Sending you our newsletter and marketing emails via Klaviyo
  • Placing non-essential cookies, including analytics and advertising cookies (Google Analytics, Meta Pixel)


You can withdraw your newsletter consent by clicking “unsubscribe” in any email. You can manage your cookie preferences via our cookie banner or browser settings.

 

4 - How we use your personal data

We use the personal data we collect for the following purposes:

  • Processing and fulfilling orders, including payment processing and delivery coordination
  • Managing customer accounts and subscriptions
  • Communicating with you about your order, shipment, or any enquiry you submit
  • Sending transactional emails such as order confirmations, shipping notifications, and payment receipts (via Shopify and Klaviyo)
  • Sending automated email flows, such as welcome emails, abandoned cart reminders, and post-purchase follow-ups (via Klaviyo), where you have opted in to marketing communications
  • Sending our newsletter to subscribers who have explicitly opted in
  • Improving our website, products, and services through analytics and behavioural data
  • Displaying personalised advertisements to website visitors and lookalike audiences on Meta platforms (Facebook and Instagram), subject to your cookie consent
  • Complying with our legal and financial obligations
  • Detecting, investigating, and preventing fraudulent transactions and other misuse


TWOZERO® does not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

 

5 - Sharing personal data with third parties

TWOZERO® does not sell, rent, or trade your personal data to third parties for commercial purposes. We share your data only with trusted third-party service providers where strictly necessary for the operation of our business and the delivery of our services. All third parties acting on our behalf are contractually bound to process your data securely, confidentially, and only for the purposes we specify.

The following third parties may process your personal data on our behalf:

Shopify Inc.

Our webshop runs on Shopify’s e-commerce platform. Shopify processes order data, customer account data, and payment data on our behalf. Shopify is certified under international data security standards (PCI-DSS). For more information, see: https://www.shopify.com/legal/privacy

Klaviyo Inc.

We use Klaviyo for email marketing and automated email flows. Klaviyo receives your email address and, where applicable, order data in order to send relevant communications. Klaviyo stores this data on servers in the United States. Appropriate transfer safeguards are in place (Standard Contractual Clauses). For more information, see: https://www.klaviyo.com/legal/privacy-notice

Firmhouse

We use Firmhouse to manage our subscription service. Firmhouse processes customer data related to recurring orders, billing cycles, and subscription management. For more information, see Firmhouse’s privacy documentation.

Mollie B.V.

We use Mollie as one of our payment service providers. Mollie processes payment data to authorise and complete transactions. Mollie is a licensed payment institution regulated by De Nederlandsche Bank (DNB). For more information, see: https://www.mollie.com/en/privacy

Shopify Payments

For certain payment methods, payments are processed directly through Shopify Payments, a service provided by Shopify Inc. Shopify Payments complies with PCI-DSS standards.

Meta Platforms Ireland Ltd. (Meta Pixel)

We use the Meta Pixel on our website to measure the effectiveness of our advertising campaigns on Facebook and Instagram, and to serve relevant ads to website visitors and custom audiences. The Meta Pixel collects behavioural data from website visitors. This processing is subject to your cookie consent. Meta may transfer data to the United States under Standard Contractual Clauses. For more information, see: https://www.facebook.com/privacy/policy

Google LLC (Google Analytics)

We use Google Analytics to analyse website traffic and understand how visitors interact with our website. Google Analytics collects anonymised usage data, including page views, session duration, and traffic sources. We have enabled IP anonymisation. This processing is subject to your cookie consent. Google may transfer data to the United States under Standard Contractual Clauses. For more information, see: https://policies.google.com/privacy

In addition, TWOZERO® may share personal data with third parties where required to do so by law, court order, or regulatory authority, or where necessary to protect the legal rights of TWOZERO® or its customers.

 

6 - Cookies and tracking technologies

TWOZERO® uses cookies and similar tracking technologies on www.drinktwozero.com. Cookies are small text files placed on your device when you visit our website. They help us operate the website effectively, understand how it is used, and deliver relevant advertising.

We obtain your consent for non-essential cookies via our cookie banner when you first visit the website. You can adjust your preferences at any time via the cookie settings on our website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the website.

6.1 Categories of cookies we use

Essential cookies

These cookies are strictly necessary for the website to function and cannot be disabled. They include cookies set by Shopify for session management, shopping cart functionality, and checkout processing. No consent is required for essential cookies.

Analytics cookies

We use Google Analytics to collect anonymised information about how visitors use our website, such as which pages are visited most frequently and how users navigate the site. This data helps us improve the website experience. Analytics cookies are placed only with your consent.

  • Provider: Google LLC (Google Analytics)
  • Data transferred to: United States (Standard Contractual Clauses)
  • Retention: up to 26 months

Marketing and advertising cookies

We use the Meta Pixel to track website visitor behaviour for the purpose of measuring advertising performance and serving personalised advertisements on Facebook and Instagram. Marketing cookies are placed only with your consent.

  • Provider: Meta Platforms Ireland Ltd.
  • Data transferred to: United States (Standard Contractual Clauses)
  • Retention: up to 180 days

Functional cookies

These cookies remember your preferences and settings to enhance your experience on subsequent visits, such as your language preference or region. They are placed only with your consent.

6.2 Managing your cookie preferences

You can manage or withdraw your cookie consent at any time in the following ways:

  • Via the cookie settings banner on www.drinktwozero.com
  • By adjusting the cookie settings in your browser (see your browser’s help documentation)
  • By using a browser plugin such as the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout


Withdrawing your consent for cookies does not affect the lawfulness of any processing carried out prior to your withdrawal.

 

7 - International data transfers

Some of our third-party service providers, including Klaviyo, Google, and Meta, are based outside the European Economic Area (EEA) and may process your personal data in countries such as the United States. The European Commission has not issued an adequacy decision for the United States as a whole.

Where personal data is transferred outside the EEA, TWOZERO® ensures that appropriate safeguards are in place to protect your data in accordance with the GDPR. These safeguards include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Compliance with the EU-U.S. Data Privacy Framework, where applicable


You can request more information about the specific safeguards in place for international transfers by contacting us at help@drinktwozero.com.


8 - Data retention

TWOZERO® retains personal data for no longer than is necessary for the purposes for which it was collected, taking into account our legal obligations and legitimate business interests. The following retention periods apply:

Order and financial data: 7 years from the date of the transaction, in accordance with Dutch tax law (Belastingwet, art. 52 AWR).

Customer account data: Retained for as long as your account remains active. If you request deletion of your account, your data will be removed within 30 days, subject to any legal retention obligations.

Newsletter subscriber data: Retained for as long as you remain subscribed. Upon unsubscribing, your data will be removed from our active mailing list within 30 days. Anonymised statistical data may be retained for analytical purposes.

Contact and customer service data: Retained for up to 2 years from the date of the last interaction.

Website analytics data: Retained in accordance with the settings of the relevant tool (Google Analytics: up to 26 months).

After the applicable retention period, personal data is securely deleted or anonymised.


9 - Children and minors

TWOZERO®’s website and products are not specifically directed at children. However, as our website is publicly accessible, we acknowledge that visitors of any age may browse our website. Our analytics and advertising tools (Google Analytics and Meta Pixel) may collect data from visitors regardless of age, subject to cookie consent.

TWOZERO® does not knowingly collect personal data from children under the age of 16 for the purpose of direct marketing or account registration without verifiable parental consent. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at help@drinktwozero.com and we will delete the relevant data promptly.

10 - Your rights

Under the GDPR and applicable Dutch privacy legislation, you have the following rights with respect to your personal data. TWOZERO® will respond to all requests within one month of receipt. In complex or high-volume cases, this period may be extended by a further two months, in which case we will notify you.

10.1 Right of access (Art. 15 GDPR)

You have the right to request a copy of the personal data we hold about you, as well as information about how and why we process it.

10.2 Right to rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

10.3 Right to erasure (Art. 17 GDPR)

You have the right to request deletion of your personal data (“right to be forgotten”), for example where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent. This right is subject to certain exceptions under applicable law, including our legal obligation to retain financial records.

10.4 Right to restriction of processing (Art. 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while a dispute about the accuracy of your data is being resolved.

10.5 Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

10.6 Right to object (Art. 21 GDPR)

You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. You also have the absolute right to object at any time to the processing of your data for direct marketing purposes, including profiling related to direct marketing.

10.7 Right to withdraw consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10.8 How to exercise your rights

To exercise any of the above rights, please contact us at:

Email: help@drinktwozero.com

TWOZERO B.V.
P.O. Box 93504
1090 EA Amsterdam
The Netherlands

We may ask you to verify your identity before processing your request. Account deletion and data erasure requests cannot be processed through the website directly – please contact us as described above.

10.9 Right to lodge a complaint

If you believe that TWOZERO® has not handled your personal data in accordance with applicable privacy legislation, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
www.autoriteitpersoonsgegevens.nl

You also have the right to lodge a complaint with the supervisory authority in your country of residence within the EU.


11 - Security

TWOZERO® takes the security of your personal data seriously and implements appropriate technical and organisational measures to protect it against unauthorised access, loss, misuse, disclosure, alteration, or destruction. These measures include:

  • SSL/TLS encryption for all data transmitted via the website
  • Secure, access-controlled storage of personal data
  • Use of PCI-DSS compliant payment providers (Mollie, Shopify Payments)
  • Regular review of our data processing practices and security controls
  • Limiting access to personal data to authorised personnel only


While we take every reasonable precaution to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, TWOZERO® will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

 

12 - Third-party websites and links

Our website may contain links to third-party websites, social media platforms, or external services. This Privacy Policy applies only to www.drinktwozero.com. TWOZERO® is not responsible for the privacy practices or content of any third-party websites. We encourage you to review the privacy policies of any external websites you visit before sharing personal information.

 

13 - Changes to this privacy policy

TWOZERO® reserves the right to update or amend this Privacy Policy at any time, for example to reflect changes in our data processing practices, new legal requirements, or new services. The most current version will always be available at www.drinktwozero.com/privacy-policy. The date of the most recent update is stated at the top of this document.

For significant changes that materially affect the way we process your personal data, we will notify registered customers by email in advance of the change taking effect. Your continued use of the website after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

 

14 - Contact

For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data, please contact us:

TWOZERO B.V.

P.O. Box 93504
1090 EA Amsterdam
The Netherlands

Email: help@drinktwozero.com
Website: www.drinktwozero.com

We aim to respond to all privacy-related enquiries within 5 business days.