Privacy policy
Data collected, named sub-processors, retention, exercisable rights. GDPR compliant.
Last updated: 2026-05-06
Last updated: 28 April 2026
This policy describes, in the clearest terms possible, how K7 Forever processes your personal data when you use our site or order our services. If anything is unclear, or if you wish to exercise a right, you can write to us at any time at contact@k7forever.be.
1. Who is the data controller?
The data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and the Belgian law of 30 July 2018 is:
- ASBL Productions Associées — operating the K7 Forever brand
- Company number: BE 0896.755.397
- Activity code: 31175
- Operational seat: Allée de la longue haie 16/8, 1400 Nivelles, Belgium
- Legal representative: Frédéric Guariento
- GDPR contact: contact@k7forever.be
Our activity does not require the appointment of a Data Protection Officer (DPO) under article 37 of the GDPR. Your GDPR requests are handled directly by the management of the non-profit.
2. What data do we collect, and why?
2.1 To place an order
- Identity: first and last name
- Contact details: email, phone, postal address (delivery and billing)
- Customer account (optional): hashed password (never in cleartext), order history
- Order details: media submitted, tier chosen, special instructions
- Payment data: K7 Forever stores no bank card or PayPal account data. Payment is processed by Mollie, Stripe or PayPal, who alone hold this information.
Legal basis: performance of the contract (art. 6.1.b GDPR).
2.2 To meet our accounting obligations
Belgian law (Code of economic law, art. III.86) requires us to keep accounting records (invoices, supporting documents) for 10 years. This includes your name, billing address, and amounts paid.
Legal basis: legal obligation (art. 6.1.c GDPR).
2.3 For the digitized files
Files produced by digitizing your media may contain personal data (your voice, your image, those of your loved ones). These files are:
- Stored temporarily on our infrastructure during the production phase
- Delivered via the method you chose (cloud, USB, hard drive, in-person)
- Deleted according to the retention periods listed in section 4 below
Legal basis: performance of the contract (art. 6.1.b GDPR). You remain the sole owner of the captured content.
2.4 For site security
- IP address, browser user-agent (server logs)
- Failed login attempts (Wordfence)
- Session cookies to keep you logged in (see cookie policy)
Legal basis: legitimate interest (art. 6.1.f GDPR) — protecting the site against attacks and preserving the security of your data.
2.5 For commercial communication (only with your consent)
If you write to us via the contact form or by email, we keep your message for as long as needed to reply. We do not send any newsletter without your explicit opt-in, and unsubscribing is possible at any time from each email.
Legal basis: consent (art. 6.1.a GDPR), revocable at any time.
3. With whom do we share your data?
We work with the following sub-processors, each strictly bound by a Data Processing Agreement (DPA) under article 28 GDPR:
| Sub-processor | Role | Data shared | Location |
|---|---|---|---|
| OVHcloud (BE/FR) | Hosting of the contact@k7forever.be mailbox and DNS zone | Emails exchanged, DNS metadata | European Union |
| Mollie (NL) | Payment gateway (Bancontact, cards) | Amount, identity, email for invoicing | European Union |
| Stripe (US/IE) | Payment gateway (cards, Bancontact) | Amount, identity, email for invoicing | EU (Stripe Payments Europe Ltd subsidiary), with US transfers covered by SCCs |
| PayPal (LU) | Payment gateway | Amount, identity, email | European Union |
| Backblaze B2 (US) | Cloud storage of delivered files (download option) | Digitized files, AES-256 encrypted | United States — transfers covered by SCCs + end-to-end encryption |
| Our Belgian photo digitization partner | Sub-processing of photographic media digitization | Originals submitted, identity of the orderer | Belgium |
| Bpost (BE) | Transport of originals and physical delivery media | Postal address, name | Belgium |
We never sell, rent or transfer your personal data to third parties for marketing or advertising purposes.
Transfers outside the European Union
Two sub-processors are headquartered or operate outside the EU (Stripe for some group operations, Backblaze for storage). These transfers are covered by the European Commission’s Standard Contractual Clauses (decision 2021/914), which contractually require GDPR-equivalent protection.
For Backblaze, in addition to SCCs, your files are encrypted at rest in AES-256, providing an extra layer of security.
4. How long do we keep your data?
Here is precisely what is kept, where, and for how long:
| Data | Retention | Reason |
|---|---|---|
| Customer account (email, credentials, order history) | Until you request deletion, or 3 years after the last order | Allowing access to history and easing future orders |
| Billing data (name, address, amounts) | 10 years from the close of the financial year | Legal obligation (Belgian Code of economic law, art. III.86) |
| Physical originals (your tapes, records, photos) | Returned systematically after digitization, within 3-4 weeks (video/audio) or 4-6 weeks (photo) | You stay the owner; we keep no original |
| Digitized files — working copy (during production) | The time strictly necessary for digitization and QA (typically 1 to 4 weeks) | Service production |
| Digitized files — Backblaze cloud delivery | Exactly 90 days from when the link is sent | Automatic lifecycle on Backblaze; you have ample time to download |
| Digitized files — backup copy (physical delivery) | 30 days after shipment of the physical media | In case the parcel is lost — past that date, permanent deletion |
| Server logs (IP, user-agent) | 12 months | Security and debugging; legitimate interest |
| Encrypted backups of the site and database | 14 days (DB) or 4 weeks (files) | Disaster recovery |
| Email exchanges (support, quote requests) | 3 years | Tracking prospect and customer relationships; legitimate interest |
| Non-essential cookies (if ever enabled) | See cookie policy | — |
You can request earlier deletion of working copies or backup copies at any time. The only data we cannot delete before the deadline is billing data, whose retention is mandated by Belgian law.
5. What are your rights?
The GDPR gives you several rights you can exercise with us, free of charge, at any time:
- Right of access (art. 15) — obtain a copy of all data we hold about you
- Right to rectification (art. 16) — correct inaccurate or outdated data
- Right to erasure or "right to be forgotten" (art. 17) — except for data subject to legal obligation (billing)
- Right to restriction of processing (art. 18) — block the use of your data in certain cases
- Right to portability (art. 20) — receive your data in a structured, machine-readable format
- Right to object (art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (art. 7.3) — for any processing based on consent (newsletter, non-essential cookies)
- Right to set post-mortem instructions on your data (Belgian law of 30 July 2018, art. 76)
To exercise a right, write to us at contact@k7forever.be. We respond within a maximum of 30 days (art. 12.3 GDPR), often much faster.
6. Right to lodge a complaint with the supervisory authority
If you feel we are not handling your data properly, you have the right to lodge a complaint with the Belgian Data Protection Authority (APD):
- Website: www.dataprotectionauthority.be
- Address: Rue de la Presse 35, 1000 Brussels
- Email: contact@apd-gba.be
We do encourage you to contact us first — most situations are resolved quickly via direct exchange.
7. Data security
We implement the following technical and organizational measures to protect your data:
- Mandatory TLS 1.2+ encryption across the whole site
- Two-factor authentication (TOTP) on all administrator accounts
- Application firewall (Wordfence) under continuous monitoring
- AES-256 encrypted backups (UpdraftPlus → Backblaze B2)
- Automatic security updates (WordPress core, plugins)
- Passwords stored as bcrypt hashes (never in cleartext)
- Physical hosting of servers in Belgium, in access-controlled premises
- Access logs kept for 12 months to allow incident detection
8. Data breach notification
In the event of a personal data breach with risk to your rights and freedoms, we will notify the APD within 72 hours (art. 33 GDPR) and inform you directly without undue delay if the breach is likely to result in a high risk (art. 34 GDPR).
9. Changes to this policy
This policy may evolve (new sub-processor, new feature, regulatory change). Any substantial change is notified by email if you have a customer account, and the update date at the top of this page is always revised. Previous versions are archived and available on request.