Privacy Policy

Last updated: 18 May 2026

This Privacy Policy explains how Sushi SOYA (Nataliia Leliukh, James Ensorgalerij 32, 8400 Oostende, Belgium — KBO 1034.441.949) collects and processes your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Belgian Data Protection Act of 30 July 2018.

1. Data controller

Nataliia Leliukh (Sushi SOYA), KBO 1034.441.949. Contact for data requests: info@sushisoya.com.

2. What data we collect

  • Order data: name, surname, email, phone, delivery address, order content, order notes.
  • Payment data: processed by Mollie B.V. We do not store full card details.
  • Account data (if you register): username, password (hashed), preferred language.
  • Technical data: IP address, browser, device type, pages visited (via cookies).
  • Communications: messages you send by email or contact form.

3. Purposes and legal basis

  • Order fulfilment and delivery — Art. 6(1)(b) GDPR (performance of contract).
  • Compliance with tax and accounting obligations — Art. 6(1)(c) GDPR (legal obligation, retention 7 years).
  • Customer support — Art. 6(1)(b)/(f) GDPR.
  • Service improvement and security — Art. 6(1)(f) GDPR (legitimate interest).
  • Marketing communications (only if you opt in) — Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time.

4. Recipients and processors

  • Mollie B.V. (NL) — payment processing.
  • Hosting provider — storage of the website and database.
  • Google Maps (Google Ireland Ltd.) — map embed on the contact section.
  • WPMU DEV / Smush — image optimisation.
  • Polylang — language preference cookie.
  • Telegram — order notifications to staff (no customer data shared beyond what is required to fulfil the order).
  • Accountant and tax authority — for legally required reporting.

We do not sell personal data. Transfers outside the EEA, where they occur, rely on Standard Contractual Clauses or equivalent safeguards.

5. Retention

  • Order and invoice data — 7 years (Belgian tax law).
  • Account data — until the account is deleted.
  • Marketing data — until consent is withdrawn.
  • Technical logs — up to 12 months.

6. Your rights

You have the right to access, rectify, and erase your personal data, to restrict or object to its processing, and to obtain a portable copy of it. To exercise these rights, write to info@sushisoya.com. We respond within one month.

If you believe your rights have been violated, you may lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit, Rue de la Presse 35, 1000 Brussels, www.gegevensbeschermingsautoriteit.be).

7. Security

The website is served over HTTPS (TLS). Passwords are hashed. Payment data is handled directly by Mollie and never reaches our servers.

8. Cookies

For information about cookies, see our Cookie Policy.