Privacy Policy – How VitaminExpress Protects Your Data

Last updated: April 2026  |  Version 2.0

This Privacy Policy applies to the following Vision Healthcare brand websites: alphafoods.de, vitaminexpress.org, vitamaze.com, baerbel-drexel.de. These brands may use data for cross-brand personalised advertising as described in this policy. 

The protection of your personal data is an issue we take very seriously. Therefore, your personal data is always treated with due care and confidentiality and processed in accordance with legal data protection regulations, as well as this data protection declaration. 

1. Identity and Contact Information of the Data Controller

This privacy policy applies to all personal data processed by the Vision Healthcare Group at Grote Markt 41, 8500 Kortrijk, company registration number BE 0685.849.188, acting as data controller under the GDPR (hereafter called ‘Data Controller’). 

The Data Controller places great importance on your privacy and processes your personal data in accordance with the European General Data Protection Regulation (GDPR), as well as any future or additional legislation implementing it, where applicable. 

For further questions or comments regarding how we handle your personal data, you can contact us by email at privacy@visionhealthcare.eu or by mail to the postal address above. 

Our Data Protection Officer (DPO) can also be reached using the same contact information (please specify “Attention: DPO”). 

1.1 Legal Entities by Brand Website 

The Vision Healthcare Group operates through multiple legal entities across its brand websites. Each entity acts as data controller or co-controller for the processing activities described in this policy as they relate to the respective brand. The table below provides an overview of the legal entities responsible for each brand website. 

| Brand / Website | Legal Entity | Address | Registration | VAT / Other IDs | Contact |
|---|---|---|---|---|---|
| alphafoods.de | Alpha Foods BV | Xavier De Cocklaan 24, 9831 Sint-Martens-Latem, Belgium | KBO/CBE: 0745.397.092 | VAT: BE 0745.397.092 | mail@organicalpha.de |
| vitaminexpress.org (website operator) | VitaminExpress LLC | 17 State Street, Battery Park, New York, NY 10004, USA | | EIN 38 – 4117478 | info@vitaminexpress.org |
| vitaminexpress.org (sales & fulfilment) | Vision Healthcare BV | Oerkapkade 5, 2031 EN Haarlem, The Netherlands | KVK: 60858613 | NL854090988B01 | See VitaminExpress contact page |
| vitamaze.com | Vitamaze GmbH | Weberstraße 6, 69120 Heidelberg, Germany | Amtsgericht Mannheim, HRB 722299 | USt.-IdNr.: DE 300385539 | service@vitamaze.com, Tel: 0800 91 91 992 |
| baerbel-drexel.de | Bärbel Drexel GmbH | Landsberger Straße 442, 81241 München, Germany | Amtsgericht München, HRB 298373 | USt.-IdNr.: DE 237583956 | info@baerbel-drexel.de, Tel: 08276 518 0 |

2. What does ‘processing of personal data’ mean?

The processing of personal data (hereinafter referred to as ‘data’) includes any handling of data that can identify you as a natural person. You can find information about the specific data involved in this Privacy Policy. The term ‘processing’ is very broad and encompasses activities such as collecting, storing, using your data, or sharing it with third parties.

3. What data do we process?

Below, we clarify the types of data that we may process from you. We may receive the following data either directly or indirectly from you.

We receive personal data directly from you when you make a purchase from one of the companies belonging to the Vision Healthcare group, when you contact one of these companies, or when you contract as a service provider/supplier with one of the companies within the group.

It is also possible that we receive your personal data indirectly, through third parties. In such cases, these personal data are not provided directly by you to one of the companies belonging to the Vision Healthcare group. You may have given a third party permission to further disclose your personal data to other parties, including one of the companies within the Vision Healthcare group.

3.1. Customer data

3.1.1. Data customer account

It is possible to create a personal customer account through this website, which allows for placing orders, making purchases, and keeping track of purchase history. By creating such a customer account, you provide the data controller with the following information:

  • General identification data (name, first name, date of birth);
  • Contact information (name, first name, email address, address, telephone number);
  • Payment card details (account number, expiration date, cardholder name);
  • Order history;
  • Company number and other company-related data insofar as they can lead to identification of a natural person;
  • Delivery addresses (in case they differ from the provided residential address);
  • Shopping cart;
  • Gender (optional);
  • Account details (username, password).

3.1.2. Data when placing an order without an account

When you place an order without creating an account, we process the data you provide during checkout, including:

  • General identification data (name, first name);
  • Contact information (name, first name, email address, and address);
  • Payment card details;
  • Delivery address (in case it differs from the billing address).

3.1.3. Data when contacting customer service

For inquiries, complaints, comments, etc., you can always contact the customer service of the company. When you contact our customer service, we process the following data:

  • General identification data (name, first name);
  • Contact information (name, first name, email address, and address if the reason for contacting customer service is related to it);
  • Payment card details (to the extent that the reason for contacting customer service is related to it);
  • Ordered products/services and order number/customer number.

3.1.4. Data in the context of after-sales services, contests, and other promotional activities

Customer friendliness, optimal customer experience, and service are highly valued by Vision Healthcare Group. In the context of these activities, the data controller processes the following data:

  • General identification data (name, first name);
  • Contact information (name, first name, email address, and address if relevant);
  • Ordered products/services and order number/customer number;
  • Feedback on the products sold and, more generally, on the services provided.

3.2. Suppliers’ data

The Vision Healthcare group engages external service providers and suppliers for various services/products. In this context, the data controller processes the following personal data:

  • Contact information of the contact person within the supplier/service provider's company (name, first name, email address, telephone number);
  • Company number and other company-related data insofar as they can lead to identification of a natural person;
  • Contractual data (e.g., company name, address, VAT number, agreement, etc.);
  • Payment and billing data (e.g., payment card information, invoices, etc.);
  • Account information for the platform (e.g., account registration data);
  • Feedback, testimonials, quotes, promotional content such as photos and videos (e.g., reviews and experiences related to our collaboration, testimonials, quotes, presence at events, etc.).

3.3. Candidate-employees

We may process the following data from prospective employees, depending on what you choose to provide in the context of your job application: 

  • Personal particulars (motivation letter, CV, diplomas) — necessary to assess the candidate’s qualifications and motivation 
  • Work-related data (previous professional experience, CV) — necessary to evaluate professional experience and suitability 
  • Personality data — processed based on the candidate’s freely given and explicit consent for personality or behavioural assessments 
  • Photos — processed based on the candidate’s consent and used solely for identification during the recruitment process 

3.4. Visitors of the website

When you visit our website as a customer or non-customer, the following personal data may be processed, depending on your own personal preferences:

  • IP address, browser type, location data, how the individual arrived at the website, interests, and the way the individual navigates the web page (through strictly necessary, analytical, and marketing cookies);
  • Name, first name, email address, telephone number, subject of contact, and contact message (via the online contact form);
  • Email address (via the online newsletter subscription form).

Cookie details: For full information on the cookies we use — including cookie names, vendors, lifetimes, and the consent mechanism — please refer to our Cookie Policy, available on our website and accessible at any time via the Cookie Preferences link in the footer of our websites. 

Depending on your consent, we may share information about your website interactions (e.g. pages viewed, products interacted with) with advertising platforms such as Google and Meta for the purpose of creating advertising audiences and personalising ads across Vision Healthcare brands. 

4. For what purposes do we process your data?

Personal data is processed exclusively within the framework of the company, specifically for the following purposes:

  • Within the scope of our main activities and webshops;
  • Aftersales service;
  • Marketing and promotional activities;
  • Compliance with administrative and tax obligations;
  • Communication with customers and prospects;
  • Employee recruitment procedures.

5. On what legal grounds do we process your data?

Vision Healthcare processes personal data solely for the purposes described in Chapter 4 and only on the basis of one or more of the legal grounds set out in Article 6 GDPR, as described below. 

Where you have provided consent, hashed identifiers such as an encrypted email address or phone number may be used for audience creation in advertising platforms, enabling personalised advertising across Vision Healthcare brands.

5.1 Performance of a Contract or Pre-Contractual Measures (Art. 6(1)(b) GDPR) 

Personal data are processed where this is necessary for entering into, performing, or terminating a contract with you, including for the following purposes: 

  • Operating our webshops and core business activities 
  • Creating and managing customer accounts 
  • Processing orders, payments, and deliveries 
  • Providing customer service and after-sales services 
  • Communicating with customers and prospects in the context of a contractual relationship 
  • Managing relationships with suppliers and service providers 
  • Carrying out employee recruitment and selection procedures 

5.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR) 

Certain personal data are processed in order to comply with legal or regulatory obligations imposed on Vision Healthcare, including accounting and tax obligations, administrative obligations, and statutory retention obligations. 

5.3 Legitimate Interests (Art. 6(1)(f) GDPR) 

Certain personal data are processed based on the legitimate interests of the Vision Healthcare group, provided that these interests do not override the fundamental rights and freedoms of the data subjects. These legitimate interests include: 

  • Marketing and promotional activities directed at existing customers 
  • Improving the quality of our products and services 
  • Maintaining customer relationships and ensuring customer satisfaction 
  • Training employees and evaluating our activities 
  • Compiling statistics and internal reporting related to our activities 
  • Preserving and using evidence in the context of liability, disputes, or legal proceedings 
  • Ensuring the security of our websites, IT systems, and company premises 

5.4 Consent (Art. 6(1)(a) GDPR) 

In certain cases, personal data are processed on the basis of your prior consent, including for the following purposes: 

  • Marketing activities that do not fall under legitimate interest 
  • The use of analytical and marketing cookies 
  • The use of photos, videos, testimonials, or other media on our website or social media channels 
  • Participation in contests and promotional campaigns 
  • Retention of job applicant data after the recruitment process for future vacancies 

How to withdraw your consent: 

  • Cookies: You can manage or withdraw your cookie consent at any time via the Cookie Preferences link in the footer of our websites. 
  • Newsletter / marketing emails: You can unsubscribe at any time by clicking the unsubscribe link at the bottom of every marketing email we send you. 
  • Other consent-based processing: Contact us at privacy@visionhealthcare.eu to withdraw any other specific consent. 

Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal. 

5.5 Profiling and Personalised Advertising 

In the context of our marketing and advertising activities, Vision Healthcare may engage in profiling within the meaning of Article 4(4) GDPR, where this is based on your prior consent.  

Profiling in this context means the automated processing of certain personal data relating to your interaction with our website (such as pages viewed, products consulted, search behaviour, add-to-cart actions or purchase events) in order to evaluate personal aspects relating to your preferences and interests for advertising purposes.  

How profiling works 

If you consent to analytical and/or marketing cookies on a Brand Website:  

  • information about your interactions with that website may be collected through cookies or similar technologies;  
  • this information may be transmitted to advertising platforms such as Google and Meta;  
  • these platforms may use such information to create advertising audiences;  
  • based on these audiences, personalised advertisements may be displayed to you.  

Such advertisements may relate to:

  • products or services offered by the Brand Website you visited; and/or
  • products or services offered by other Vision Healthcare brands;
  • advertisements that combine products from multiple Vision Healthcare brands within a single advertisement (for example, multi-brand carousel ads).

Hashed identifiers and audience matching

Where you have provided the relevant consent, we may use hashed identifiers (such as encrypted email addresses or telephone numbers) for the purpose of creating advertising audiences (for example via “Customer Match” or similar services). These identifiers are not shared in plain readable form.

Purchase and conversion events  

Where permitted by your consent, purchase or conversion events may be used to limit or exclude you from further personalised advertising (for example, to avoid showing advertisements for products you have already purchased).  

Automated decision-making

The profiling described above is limited to advertising personalisation and does not produce legal effects or similarly significant effects within the meaning of Article 22 GDPR. It does not affect your ability to purchase products, access services, or exercise your rights.

Legal basis and withdrawal

Profiling for personalised advertising purposes is carried out exclusively on the basis of your prior consent (Article 6(1)(a) GDPR).

You may withdraw your consent at any time via the consent management tool available on the Brand Website where you originally provided your consent. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.

Consent is collected and managed separately on each Brand Website. Consent provided on one Brand Website does not automatically apply to other Brand Websites.  

6. Data source

Most of the data we process about you has been obtained directly from you. Within the scope of our services, it is possible that we obtain data about you through external service providers or public sources. You can always contact us for more information about the sources of our data about you.

7. Who do we share your data with?

We do not share your data with third parties unless it is strictly necessary for the purposes mentioned above or if we are legally obliged to do so. 

The Vision Healthcare Group and each enterprise that forms part of the Vision Healthcare Group act as joint data controllers within the meaning of the GDPR. An internal arrangement determining the respective responsibilities of the joint data controllers has been established in accordance with Article 26 GDPR. The essence of this arrangement is available upon request. 

Where necessary, we rely on external service providers (processors) to support our operational purposes. They are contractually bound to ensure the confidentiality of your data through a data processing agreement. 

We share your data, as relevant in your situation, with the following third parties: 

  • Postal companies, transport and delivery companies if we need to send you something by mail;
  • Payment service providers if we receive payments from you, or vice versa;
  • External representatives and consultants or any other parties involved in the context of our main or ancillary activities;
  • Processors who assist us in the field of IT in operating our organization, with a view to secure and efficient digital data management within our organization;
  • Government authorities, judicial bodies, and practitioners of regulated professions such as accountants and lawyers, in order to comply with our legal obligations and defend our interests, as required.

International transfers: 

Some of the processors we rely on may be located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, this will only take place in countries for which the European Commission has decided that they ensure an adequate level of protection, or where Standard Contractual Clauses (SCCs) have been implemented. Transfers to the United States only take place where recipients are certified under the EU–US Data Privacy Framework or where SCCs have been put in place.

 

8. For how long do we store your data?

We do not retain your data for longer than necessary for the purpose for which the data was collected or processed. The storage period may vary depending on the category of data and the applicable legal basis. After the retention period expires, your data will be deleted or anonymised. 

| Category | Retention Period | Basis |
|---|---|---|
| Customer order data (invoices, payment records) | 7 years from the date of the order | Legal obligation (accounting/tax) |
| Customer account data | Duration of the account, plus 3 years after last login or account closure | Contractual / Legitimate interest |
| Marketing consent & related data | Until consent is withdrawn, or maximum 3 years after last meaningful interaction | Consent |
| Recruitment / candidate data | Up to 6 months after end of recruitment process; up to 1 year with explicit consent for future vacancies | Pre-contractual / Consent |
| Supplier / service provider data | Duration of contract, plus 7 years after contract end | Legal obligation / Contractual |
| Cookie consent logs | Up to 1 year (renewed upon re-consent) | Legal obligation (ePrivacy) |

Specific legislation may require us to retain certain data for a longer or shorter period. Our retention periods are always based on legal requirements and a balance of your rights and expectations with what is useful and necessary for fulfilling our purposes. 

9. Where do we store your data and how is your data protected?

We implement appropriate security measures on a technical and organizational level to prevent, within the scope of our activities, the destruction, loss, falsification, alteration, unauthorized access, or unlawful disclosure to third parties, as well as any other unauthorized processing of this data.

We also ensure that the processors we engage implement appropriate security measures to minimize the risks of incidents as much as possible.

If your personal data is processed outside the EEA, this will only take place in countries for which the European Commission has decided that they ensure an adequate level of protection, or where appropriate safeguards are in place. Transfers to the United States only take place where recipients are certified under the EU–US Data Privacy Framework or where Standard Contractual Clauses have been implemented.

10. Technical and Organisational Measures (TOMs) 

We implement appropriate technical and organisational security measures to prevent the destruction, loss, falsification, alteration, unauthorised access, or unlawful disclosure of your data. These measures include: 

  • Encryption in transit: All personal data transmitted via our websites is protected using TLS (Transport Layer Security) encryption, ensuring that data exchanged between your browser and our servers cannot be intercepted. 
  • Session management: Automatic deletion of session cookies and controlled use of other cookies in line with your preferences. 
  • Password protection: Passwords are stored using secure one-way hashing with a strong, industry-standard algorithm (salted). Passwords are never stored in readable or reversible form. 
  • Payment security: Payment card data is transmitted securely via trusted payment providers. Sensitive payment information is not stored by us. 
  • Server logging: Our software automatically stores certain server log files to ensure smooth operation and security (browser information, referrer URL, IP address, server request time), retained only as long as necessary. 

Organisationally, external service providers are contractually bound to ensure confidentiality and to process data only as necessary for their tasks. We retain data only as long as necessary for the purposes described in this policy and delete or anonymise it after the retention period. 

11. What are your rights?

You have various rights concerning the data we process about you. If you wish to exercise any of the following rights, please contact our GDPR representative using the contact details provided in the first section of this Privacy Policy.

Right of Access and Copy:

You have the right to access your data and obtain a copy of it. This right also includes the ability to request further information about the processing of your data, including the categories of data processed about you and the purposes for which this is done.

Right of Rectification:

You have the right to have your data rectified if you believe that we hold inaccurate data.

Right to Erasure (Right to Be Forgotten):

You have the right to request that we erase your data without undue delay. We may not always be able to fulfill such a request, particularly when we still need the data for an ongoing contract or when keeping certain data for a specified period is legally required.

Right to Restriction of Processing:

You have the right to restrict the processing of your data. This temporarily suspends the processing until, for example, its accuracy is confirmed.

Right to Withdraw Your Consent:

When processing is based on your consent, you have the right to withdraw it at any time. For marketing emails, click the unsubscribe link. For cookies, use the Cookie Preferences link in the footer of our websites.

Right to Object:

You have the right to object to processing based on legitimate interest. You can also object to the use of your data for direct marketing. All marketing emails include an opt-out option.

Right to Data Portability:

You have the right to obtain your data in electronic form and to request that we transmit it directly to another organisation where technically feasible. 

Right to Lodge a Complaint with a Supervisory Authority: 

If you believe that we are processing your data incorrectly, you have the right to lodge a complaint with a data protection supervisory authority. 

Competent supervisory authority:

Gegevensbeschermingsautoriteit (GBA) / Autorité de Protection des Données (APD) 

Rue de la Presse 35, 1000 Brussels, Belgium 

Website: www.gegevensbeschermingsautoriteit.be  |  Tel.: +32 (0)2 274 48 00 

Users in Germany may also contact the relevant German Landesbehörde (state data protection authority). Users in the Netherlands may contact the Autoriteit Persoonsgegevens (AP) at www.autoriteitpersoonsgegevens.nl. 

You may also contact the supervisory authority of the EU member state where you reside, work, or where the alleged infringement took place. 

12. How to exercise your rights

You can exercise your rights by contacting us by email at privacy@visionhealthcare.eu. We may ask you to provide us with some documentation to prove your identity. Those documents will only be used to comply with your request in accordance with the GDPR.

13. May Children Use Our Website? 

The Vision Healthcare Group and each of its subsidiaries do not offer or sell any products to minors. Products intended for children may only be purchased by adults. If you are not yet 18 years old, you may only buy products from us together with a parent or guardian.

14. Questions Regarding Data Protection 

If you have any questions about any of the privacy or data protection issues, please contact us via: 

  • General privacy queries: privacy@visionhealthcare.eu 
  • Postal address: Vision Healthcare Group, Grote Markt 41, 8500 Kortrijk, Belgium