


Privacy Policy
La Maison Arbor
Website Privacy Notice (GDPR)
(Version v2.0 — Effective date: 10 November 2025)
1. Who We Are (Controller)
La Maison Arbor (SRL) acts as data controller for website visitors and prospects and may act as processor for certain client data under a separate Data Processing Addendum (see Annex A).
Contact: [info@lamaisonarbor.com]
Postal: [Rue Saint-Georges 1D/11]
EU Representative (if outside EU): [Name / Address]
Data Protection Officer (if appointed): [Name / Contact]
For projects involving external vendors or suppliers, La Maison Arbor acts as an independent controller sharing only the information necessary for coordination. Each vendor is itself an independent controller responsible for its own compliance.
2. What Data We Collect
• Identification & contact data (name, email, phone, address, company, role).
• Household / project details (premises addresses, inventory notes, preferences, schedules, instructions, guest details).
• Financial & billing information (invoice data, payment identifiers handled by PCI-compliant processors, VAT numbers).
• Website & device data (IP address, device identifiers, logs, pages viewed, cookies).
• Security logistics (project-based): access codes, alarm details (only if necessary and with appropriate safeguards).
• Special categories: we avoid collecting special category data (health, biometrics, religion) unless strictly necessary and with explicit consent or another Art. 9 GDPR basis.
3. Sources
We obtain personal data directly from you; from your authorised representatives / household staff; from public sources; and from vetted service partners.
4. Purposes & Legal Bases (Art. 6 GDPR)
• Service delivery and client management (contract performance, Art. 6(1)(b));
• Quotations and pre-contractual steps (Art. 6(1)(b));
• Billing, accounting and compliance (including AML) (legal obligation, Art. 6(1)(c));
• Security, fraud prevention and safety of premises (legitimate interests, Art. 6(1)(f));
• Direct marketing to existing clients (legitimate interests, Art. 6(1)(f));
• Direct marketing to prospects via email / SMS (consent where required by e-privacy rules, Art. 6(1)(a));
• Website analytics and cookies (consent for non-essential cookies; legitimate interests for strictly necessary cookies);
• Sharing limited personal data (contact details, preferences, schedules, dietary restrictions) with independent vendors engaged directly by the client for coordination of services (legitimate interests, Art. 6(1)(f)).
Where we rely on legitimate interests, we balance those against your interests and rights.
5. Retention
We keep personal data only as long as necessary for the purposes above:
• Project records: 10 years (civil prescription / insurance).
• Accounting records: 7 – 10 years (legal obligations).
• Marketing consents / preferences: until withdrawn or after 3 years of inactivity.
• Access credentials: deleted or rotated immediately upon project completion unless longer retention is required for security or legal reasons.
We anonymise or securely delete data after retention periods.
6. Recipients & Categories of Recipients
• Independent vendors or suppliers engaged directly by the client, strictly on a need-to-know basis for coordination;
• IT, hosting, communications and payment service providers;
• Professional advisers and insurers;
• Public authorities where legally required.
Each independent vendor acts as its own data controller and must provide its own privacy notice.
7. International Transfers
If data is transferred outside the EEA, we use a valid transfer mechanism (e.g. EU Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules) and implement supplementary measures where appropriate.
Copies of relevant safeguards are available on request (with redactions where necessary).
8. Your Rights (Arts. 15 – 22 GDPR)
You have the right to access, rectify, erase, restrict, object (including to direct marketing), and port your data, and the right to withdraw consent at any time (without affecting prior processing).
To exercise rights, contact [info@lamaisonarbor.com]. We will respond within one month (extendable by two months for complex requests).
9. Complaints
You may lodge a complaint with your local authority. In Belgium:
Autorité de protection des données / Gegevensbeschermingsautoriteit
Rue de la Presse 35, 1000 Bruxelles / Drukpersstraat 35, 1000 Brussel
www.dataprotectionauthority.be
10. Security
We apply technical and organisational measures appropriate to the risk, including access controls, confidentiality undertakings, encryption in transit, secure premises protocols, vendor due diligence and regular reviews.
You must also protect any temporary credentials provided to us.
When we share data with vendors for coordination, we transmit only the minimum necessary information and request that they maintain equivalent confidentiality and security standards.
11. Children and Family Information
Our Services are intended for adults, but we may need to process limited personal data relating to children or family members (e.g. names, ages, dietary restrictions, preferences) solely for the purpose of organising household events, travel arrangements, or related bespoke services.
Such data are always provided to us by the parents or legal guardians, treated with strict confidentiality, and processed only as necessary for service delivery and safety.
We do not collect information directly from minors, nor do we use such data for any other purpose.
12. Marketing Preferences
You can opt out of marketing at any time by using unsubscribe links or contacting us. We respect e-privacy consent rules for email / SMS marketing to non-clients.
13. Cookies (Summary)
We use essential cookies to operate the site and (subject to consent) performance / analytics and functional cookies. See our Cookie Policy for details, including cookie names, providers, purposes and lifetimes. A compliant cookie banner will obtain consent before setting non-essential cookies and will let you manage preferences.
14. Changes to This Notice
We may update this Notice. Material changes will be highlighted for at least 30 days on our website. Continued use after the effective date indicates acknowledgement of the updated version.

