Privacy Policy

1. Who is responsible for your data

The data controller for instihivtest.com is:

2. What personal data we collect

When you visit our website or place an order, we collect the following categories of personal data:

When you place an order

• Name, billing address, delivery address
• Email address
• Telephone number (if provided)
• Payment information (processed by our payment providers — see section 4)
• Order details and order history

When you contact us

• Name, email address, and the content of your message

When you visit our website

• IP address and approximate location
• Browser type and device information
• Pages visited, time on site, referral source
• Cookie data (see our Cookie Declaration for details)

3. Why we use your data and on what legal basis

We process your personal data for the following purposes, based on the following GDPR legal grounds:

To process your order and fulfil our contract with you (Article 6(1)(b) GDPR)

• Process payment, ship your order, send order confirmations and tracking information
• Handle returns, refunds, or warranty claims

To comply with our legal obligations (Article 6(1)(c) GDPR)

• Keep accounting records (Dutch tax law requires 7 years)
• Respond to legitimate requests from authorities

To pursue our legitimate interests (Article 6(1)(f) GDPR)

• Respond to your customer service enquiries
• Improve our website and services through aggregated analytics
• Prevent fraud and protect website security

With your consent (Article 6(1)(a) GDPR)

• Place non-essential cookies (analytics, marketing — see Cookie Declaration)
• Send marketing emails (only if you actively opt in)

You can withdraw consent at any time by contacting us at customer@one-self.nl or by adjusting your cookie preferences.

4. Who we share your data with

We do not sell your personal data to third parties. We share data only with carefully selected service providers who help us run our business. All providers process data on our behalf under data processing agreements that comply with GDPR.

Payment processing

• Mollie B.V. (Netherlands) — processes iDEAL, credit card, Bancontact and other payments. Mollie's privacy policy: https://www.mollie.com/privacy
• PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — processes PayPal payments. PayPal's privacy policy: https://www.paypal.com/privacy

Order fulfilment

Our shipping partners deliver your orders. They receive your delivery address and contact details only for delivery purposes.

Email and IT services

• Our website is hosted on secure servers within the European Economic Area (EEA).
• We use email service providers to send order confirmations and customer service replies.

Analytics and website tools

See our Cookie Declaration for the current list of analytics, advertising, and other tracking tools.

Legal authorities

We may share data with authorities when required by law (e.g. tax, fraud investigations).

5. How long we keep your data

We keep personal data only as long as necessary for the purposes described above:

• Order and invoice data: 7 years (Dutch tax law requirement)
• Customer service correspondence: up to 2 years after last contact
• Website analytics data: up to 14 months (see Cookie Declaration for details)
• Marketing email subscribers: until you unsubscribe
• Account data (if you create an account): until you request deletion

After these periods, we securely delete or anonymise your data.

6. Your rights under GDPR

As a data subject, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — for any processing based on your consent
• Right to lodge a complaint — with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl

To exercise these rights, contact us at customer@one-self.nl. We will respond within 30 days. Identification may be required to protect your data from unauthorised disclosure.

7. How we protect your data

We take appropriate technical and organisational measures to protect your personal data, including:

• SSL/TLS encryption for all data transmitted to and from our website
• Secure hosting infrastructure within the EEA
• Access controls limiting who can access personal data
• Regular security updates and monitoring
• Data processing agreements with all third-party service providers

Despite these measures, no system is completely secure. If a data breach occurs that affects your personal data, we will notify you and the relevant authorities as required by GDPR.

8. International data transfers

Your data is processed primarily within the European Economic Area (EEA). Some of our service providers (e.g. PayPal) may transfer data outside the EEA. In such cases, we ensure appropriate safeguards are in place — typically through Standard Contractual Clauses approved by the European Commission — to protect your data to GDPR standards.

9. Cookies and similar technologies

Our website uses cookies and similar tracking technologies. For details about the specific cookies we use, why we use them, and how you can manage your preferences, please see our Cookie Declaration.

10. Children's privacy

The INSTI HIV Self Test is intended for adults aged 18 or older. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when the policy was last revised. Significant changes will be communicated via the website or by email where appropriate.

12. Questions or concerns

If you have any questions about this Privacy Policy or how we handle your data, please contact us at customer@one-self.nl. We aim to respond within 1 working day.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) — https://www.autoriteitpersoonsgegevens.nl