With the support of
Privacy policy
Privacy Policy
MishMash – a brand of Mmmornings BV
May 2026
1. Introduction
This Privacy Policy describes how Mmmornings BV, a private limited liability company incorporated under Belgian law, with its registered office at Oude Gentweg 100, 9840 De Pinte, Belgium, registered with the Crossroads Bank for Enterprises under number 1022.897.761, VAT number BE1022.897.761, trading under the brand name MishMash (hereinafter “MishMash”, “we”, “us” or “our”), collects, uses and discloses your personal data when you visit or use our website mishmashfood.com (the “Website”), place an order, or otherwise communicate with us.
MishMash is the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
Please read this Privacy Policy carefully. By using the Website, you acknowledge that you have read and understood the collection, use and disclosure of your personal data as described herein. In the event of any conflict between this Privacy Policy and our General Terms and Conditions of Sale, this Privacy Policy shall prevail with respect to the processing of personal data.
MishMash reserves the right to update this Privacy Policy at any time. The updated version will be published on the Website with a revised date. We encourage you to review this Privacy Policy periodically.
2. Personal Data We Collect
Depending on how you interact with the Website, we may collect the following categories of personal data:
2.1 Data you provide directly
• Contact details: your name, email address, billing address, shipping address, and telephone number.
• Payment information: payment card details and transaction information, processed securely through our payment service provider. MishMash does not store full payment card data.
• Account information: username, password, and account preferences, if you create an account.
• Communications: the content of any messages you send us, including customer service enquiries.
2.2 Data collected automatically
• Device and usage information: your IP address, browser type, operating system, referring URLs, pages visited, and time spent on the Website.
• Transaction data: products viewed, added to cart, or purchased, and your order history.
• Cookie data: information collected through cookies and similar tracking technologies, as further described in Section 8 below.
2.3 Data from third parties
We may receive personal data about you from third-party service providers (such as payment processors, logistics partners and analytics providers) and from Shopify, which hosts our Website. For more information on how Shopify processes your data, please refer to Section 6 below.
3. Legal Bases and Purposes of Processing
We process your personal data on the following legal bases and for the following purposes:
3.1 Performance of a contract (Article 6(1)(b) GDPR)
• Processing your orders, payments and returns.
• Arranging delivery and handling logistics.
• Managing your account and responding to order-related enquiries.
• Sending transactional communications (order confirmations, shipping notifications).
3.2 Compliance with a legal obligation (Article 6(1)(c) GDPR)
• Complying with applicable tax, accounting and consumer protection legislation.
• Responding to requests from competent public authorities or law enforcement.
3.3 Legitimate interests (Article 6(1)(f) GDPR)
• Fraud detection and prevention, and maintaining the security of the Website.
• Improving and optimising the Website and our services.
• Defending or exercising our legal rights in the event of a dispute.
3.4 Consent (Article 6(1)(a) GDPR)
• Sending marketing and promotional communications by email, where you have opted in to receive such communications. You may withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at hello@mishmashfood.com.
• Placing non-essential cookies, as described in Section 8 below.
4. Disclosure of Personal Data
MishMash does not sell, rent or trade your personal data. We may disclose your personal data to the following categories of recipients, solely for the purposes described in this Privacy Policy:
• Service providers acting as data processors on our behalf, including payment processors, shipping and logistics providers, IT and hosting providers, and email service providers. These parties are bound by confidentiality obligations and may only process your data in accordance with our instructions.
• Shopify Inc., which hosts our Website and processes certain data in connection with the provision of its platform. See Section 6 below.
• Competent authorities, courts or regulators, where required by law or to protect our legal rights.
• Acquirers or successors in the event of a merger, acquisition, reorganisation or sale of assets, subject to appropriate confidentiality undertakings.
5. International Transfers of Personal Data
Your personal data may be transferred to and processed in countries outside the European Economic Area (“EEA”), including by Shopify and other service providers. Where such transfers occur, MishMash ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including the use of Standard Contractual Clauses approved by the European Commission, or reliance on an adequacy decision.
6. Relationship with Shopify
The Website is hosted and operated on the Shopify platform. Shopify Inc. collects and processes certain personal data about your access to and use of the Website in order to provide and improve the platform. In certain circumstances, Shopify acts as an independent data controller with respect to data processed across its merchant network. For further information on how Shopify processes your personal data and on the rights you may exercise directly against Shopify, please consult the Shopify Consumer Privacy Policy and the Shopify Privacy Portal.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal obligations, resolve disputes, and enforce our agreements. The following indicative retention periods apply:
• Order and transaction data: retained for ten (10) years in accordance with Belgian accounting and tax law.
• Account data: retained for the duration of your account and deleted upon request, subject to any overriding legal retention obligations.
• Marketing preferences and communications: retained until you withdraw consent or opt out, and in any event no longer than three (3) years after your last interaction with us.
• Customer service communications: retained for two (2) years following closure of the relevant interaction.
When personal data is no longer required and no legal obligation requires its retention, we will delete, anonymise or destroy it securely.
8. Cookies and Similar Technologies
The Website uses cookies and similar tracking technologies to enhance your browsing experience, analyse Website traffic, and support our marketing activities. Cookies are small text files stored on your device when you visit the Website.
We use the following categories of cookies:
• Strictly necessary cookies: required for the Website to function correctly (e.g. shopping cart, session management). These cookies do not require your consent.
• Analytical cookies: used to collect aggregated information about how visitors use the Website, enabling us to improve its performance and content. These cookies are only placed with your consent.
• Marketing cookies: used to deliver relevant advertising and track the effectiveness of our campaigns. These cookies are only placed with your consent.
You can manage your cookie preferences through the cookie consent banner displayed upon your first visit to the Website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the Website.
9. Security of Your Personal Data
MishMash implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, alteration or disclosure. These measures are regularly reviewed and updated in line with evolving security standards.
Please be aware that no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of any account credentials you use to access the Website.
10. Children
The Website is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without appropriate parental consent, please contact us at hello@mishmashfood.com and we will take steps to delete such data promptly.
11. Your Rights
As a data subject under the GDPR, you have the following rights with respect to your personal data. These rights may be subject to conditions and limitations provided by applicable law.
11.1 Right of access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about how it is processed.
11.2 Right to rectification (Article 16 GDPR)
You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data we hold about you.
11.3 Right to erasure (Article 17 GDPR)
You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent (and no other legal basis applies), or where the data has been unlawfully processed, among other grounds.
11.4 Right to restriction of processing (Article 18 GDPR)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
11.5 Right to data portability (Article 20 GDPR)
Where processing is based on consent or the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
11.6 Right to object (Article 21 GDPR)
You have the right to object at any time to the processing of your personal data where such processing is based on our legitimate interests. You also have an unconditional right to object to the processing of your personal data for direct marketing purposes, including profiling for marketing purposes.
11.7 Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of the above rights, please contact us at hello@mishmashfood.com. We may need to verify your identity before processing your request. We will respond within one (1) month of receipt of your request, subject to any extension permitted under the GDPR.
12. Complaints
If you have concerns about how we process your personal data, we encourage you to contact us first at hello@mishmashfood.com. You also have the right to lodge a complaint with the Belgian supervisory authority, the Gegevensbeschermingsautoriteit (GBA): www.gegevensbeschermingsautoriteit.be, Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be.
13. Third-Party Websites
The Website may contain links to third-party websites. This Privacy Policy does not apply to those websites. We are not responsible for the privacy practices or content of any third-party sites and encourage you to review their respective privacy policies before providing any personal data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or operational needs. We will publish the updated version on the Website and update the “Last updated” date at the top of this page. Where changes are material, we will notify you by email or by a prominent notice on the Website prior to the changes taking effect.
Contact
Mmmornings BV (trading as MishMash)
Oude Gentweg 100
9840 De Pinte
Belgium
Email: hello@mishmashfood.com
Website: mishmashfood.com
KBO/CBE: 1022.897.761
VAT: BE1022.897.761