Privacy Policy

Last updated: January 15, 2026

nothing but the grain (“we,” “us,” or “our”) operates the website https://www.nbtg.dev (the “Site”). This Privacy Policy explains how we collect, use, and protect your information when you visit our Site or use our services.

We believe in data minimization. We collect only what is necessary to operate a professional film lab and to communicate with our customers. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Dutch privacy law.

1. Who We Are

Data Controller:
nothing but the grain
Netherlands

Contact email: [email protected]

2. Personal Data We Process

a. Customer and Contact Data

We may process the following data when you place an order or contact us:

  • Name
  • Email address
  • Billing and shipping address
  • Order and service details
  • Communications with us

b. Film, Scans, and Image Data

When you submit photographic film for processing and scanning, we necessarily process image data in order to perform the requested service.

This includes:

  • Developing film
  • Digitising negatives or slides
  • Viewing images during the scanning process
  • Performing technical and visual adjustments such as exposure correction, colour balancing, contrast adjustment, cropping, and dust removal

Where images contain identifiable individuals, this constitutes personal data under the GDPR. We process such data solely for the purpose of fulfilling the scanning and development service requested by the customer.

We do not:

  • Use images for marketing, training, analytics, or automated analysis
  • Publish or share images with third parties
  • Retain images beyond what is necessary for delivery, quality control, and short-term operational backup

Scans are stored temporarily and deleted in accordance with our retention practices.

c. Technical and Usage Data

When you visit the Website, we may automatically collect:

  • IP address
  • Browser and device information
  • Pages visited and referring URLs

This data is used only for security, diagnostics, and basic website analytics.

3. Legal Bases for Processing

We process personal data under the following GDPR legal bases:

PurposeLegal Basis
Order fulfillment and film processingPerformance of a contract (Art. 6(1)(b))
Customer communicationPerformance of a contract / Legitimate interest (Art. 6(1)(b), (f))
Website security and functionalityLegitimate interest (Art. 6(1)(f))
Legal and tax complianceLegal obligation (Art. 6(1)(c))

We do not rely on consent unless explicitly stated.

4. Data Sharing and Processors

We only share personal data with third parties when necessary to operate our services, including:

  • Payment service providers
  • Shipping and logistics providers
  • IT and hosting providers
  • Data transfers

For delivery of digital scans, we may use secure third-party file transfer services. Where such services are located outside the EEA, appropriate safeguards apply.

All third parties act as data processors under GDPR and are contractually bound to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Not use data for their own purposes

We do not sell personal data.

5. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, such as:

  • EU adequacy decisions, or
  • Standard Contractual Clauses (SCCs)

6. Data Retention

We retain personal data only as long as necessary:

  • Order and customer data: retained in accordance with Dutch tax and accounting laws
  • Film scans and digital files: stored temporarily for service delivery, then deleted
  • Website logs: retained for security and diagnostics for a limited period

You may request earlier deletion where legally permissible.

7. Your Rights Under GDPR

You have the right to:

  • Access your personal data (Art. 15)
  • Rectification of incorrect data (Art. 16)
  • Erasure (“right to be forgotten”) (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)

You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens.

8. Cookies and Analytics

We use only:

  • Strictly necessary cookies, and
  • Privacy-respecting analytics (where applicable)

We do not use tracking cookies for advertising purposes.

Where consent is required under EU cookie law, it will be requested explicitly.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against loss, misuse, or unauthorised access. However, no system is completely secure.

10. Children’s Data

Our services are not targeted at children under 16, and we do not knowingly process their personal data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on this page.

12. Contact

For privacy-related questions or requests:

nothing but the grain
Email: [email protected]
Website: https://www.nbtg.dev