Privacy & Cookie Policy
Last updated: April 2026
This policy describes how Patricia Faucon, operating under the name .WORKS (hereinafter “the Studio”) collects, uses, and protects personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the Belgian law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data.
1. Data Controller
Patricia Faucon / .WORKS
Rue des Garennes, 1170 Watermael-Boitsfort, Brussels, Belgium
Company number: BE 1026.631.073
Email for data-related inquiries: patricia@faucon.works
The Studio is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. Data protection requests are handled directly by Patricia Faucon.
2. Dual role of the Studio
The Studio acts in two distinct roles under the GDPR:
As a data controller — for the data it collects directly (site visitors, prospects, clients, business contacts, potential candidates).
As a data processor (Article 28 GDPR) — for personal data entrusted to it by its clients as part of a mission (e.g., contact database integrated into a delivered website or automation). In this case, the client remains the data controller, and the processing conditions are governed by a Data Processing Agreement (DPA) signed between the Studio and the client.
This policy only covers the first role. Commitments relating to the second role are defined in the DPAs concluded with each client.
3. Collected data and purposes
| Purpose | Data concerned | Legal basis | Retention period |
|---|---|---|---|
| Responding to requests via the contact form | Name, email, message, phone (optional) | Pre-contractual measures (Art. 6.1.b GDPR) | 3 years after last contact |
| Customer relationship management and service execution | Identity, contact details, billing data, project communications | Contract execution (Art. 6.1.b) | Contract duration + 10 years (accounting obligations) |
| Billing and accounting / tax obligations | Identity, address, VAT number, payment data | Legal obligation (Art. 6.1.c) | 10 years (Art. 60 Belgian VAT Code) |
| Sending commercial information / newsletter | Email, first name | Consent (Art. 6.1.a) | Until consent is withdrawn |
| Site improvement and audience measurement | Anonymized or pseudonymized technical data | Legitimate interest (Art. 6.1.f) or consent (non-essential cookies) | Maximum 13 months |
| Targeted B2B prospecting | Professional name, professional email | Legitimate interest (Art. 6.1.f) | 3 years after last contact |
No sensitive data within the meaning of Article 9 of the GDPR is collected.
4. Data sources
Data comes directly from the data subject (contact form, email exchanges, contracts). The Studio does not practice data enrichment from third-party databases.
5. Recipients and processors
Data may be communicated to the following processors, strictly for the purposes described:
| Processor | Service | Server location | Framework |
|---|---|---|---|
| Hostinger International Ltd. | Website hosting, n8n infrastructure | Cyprus (EU) | DPA |
| Copilhost | Client website hosting | France (EU) | DPA |
| Airtable, Inc. | Database / project management | United States | EU-US Data Privacy Framework and Standard Contractual Clauses |
| n8n | Workflow automation | Self-hosted on Hostinger (EU) | DPA |
| Google Ireland Ltd. (Google Workspace / Sheets) | Storage of client files and business documents | European Union with possible transfers to the US | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Partena Professional | Social insurance fund | Belgium | Legal relationship |
| P&V Assurances | Professional liability insurance | Belgium | Insurance contract |
| Accountable Belgium SA | Electronic invoicing, Peppol issuance, accounting and tax assistance | Belgium / European Union | Accountable DPA |
No data is sold, rented, or transferred to third parties for commercial purposes.
6. Transfers outside the European Union
Transfers outside the EU are only made with an adequate level of protection guaranteed by:
- an adequacy decision by the European Commission (e.g., EU-US Data Privacy Framework for certified US processors); or
- failing this, the conclusion of the European Commission’s Standard Contractual Clauses (SCCs), supplemented by additional measures where necessary.
For projects involving clients or beneficiaries located outside the EU (notably the Democratic Republic of the Congo), cross-border data flows are governed by the applicable SCCs.
7. Data security
Proportionate technical and organizational measures are implemented: strong and unique passwords, two-factor authentication on critical tools, encryption of exchanges (HTTPS/TLS), regular backups, access limited only to necessary personnel, periodic review of access and processors.
In the event of a data breach likely to result in a risk to your rights and freedoms, the Studio will notify the DPA within 72 hours and inform the data subjects in accordance with Articles 33 and 34 of the GDPR.
8. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access: to obtain confirmation that your data is being processed and to receive a copy of it.
- Right to rectification: to have any inaccurate or incomplete data corrected.
- Right to erasure (“right to be forgotten”): in the cases provided for by the GDPR.
- Right to restriction of processing.
- Right to data portability: to receive your data in a structured, commonly used, and machine-readable format.
- Right to object, particularly to commercial prospecting (exercisable at any time, without providing a reason).
- Right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to define guidelines regarding the fate of your data after your death.
- Right not to be subject to an automated decision producing legal effects concerning you.
To exercise these rights, send a request to patricia@faucon.works, accompanied by any element allowing to justify your identity. A response will be provided within one month, extendable by two months in case of complexity.
Right to lodge a complaint: you may at any time lodge a complaint with the Data Protection Authority (DPA), Rue de la Presse 35, 1000 Brussels — www.dataprotectionauthority.be — contact@apd-gba.be — +32 2 274 48 00.
9. Cookies and trackers
9.1. What is a cookie?
A cookie is a small file placed on your device when you visit a site, which helps ensure its proper functioning, measure its audience, or personalize content.
9.2. Types of cookies used
Strictly necessary cookies (no consent required): guarantee the functioning of the site, security, and the memorization of choices regarding cookies.
Audience measurement cookies (consent required, except exemption for strictly limited audience measurement): aggregated visit statistics.
Marketing and social media cookies (consent required): used only if such services are integrated.
9.3. Consent management
During your first visit, a consent banner allows you to:
– accept all cookies;
– reject all (except strictly necessary cookies);
– customize your choice by purpose.
Your choice is kept for a maximum of 13 months. You can modify it at any time via the “Manage my cookies” link accessible in the footer.
10. Changes to this policy
This policy may be updated to reflect legal, technical, or organizational developments. The applicable version is the one displayed on the site on the date of your visit. Substantial changes will be subject to appropriate notification.