Privacy Policy

This policy explains how Euromart SAS collects, uses and protects your personal data when you use the Euromart platform. We are committed to full compliance with the EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.

Last updated

April 1, 2025

Data Controller Data We Collect How We Use It Legal Basis Data Sharing Retention Your Rights International Transfers Cookies Security Contact / DPO

GDPR — Your data, your rights

As an EU-based company, we are fully subject to GDPR. You have the right to access, correct, delete and port your personal data at any time. You may also withdraw consent or object to processing. See Section 7 — Your Rights for the full list.

1. Data Controller

Data Controller

Euromart SAS
Zone Industrielle de Bordeaux-Lac, Bordeaux, Gironde 33300, France
France

Data Protection Officer (DPO)

For all privacy-related enquiries, please contact our DPO:
privacy@euromartsuppliers.com

Euromart SAS is registered with the French data protection authority, CNIL(Commission Nationale de l'Informatique et des Libertés). You may also lodge a complaint with CNIL at cnil.fr.

2. Personal Data We Collect

Category	Data Points	Source
Identity	First name, last name, company name, job title	Provided by you at registration
Contact	Email address, phone number, WhatsApp, WeChat ID	Provided by you
Account	Username, password (hashed), account type, verification status	Generated at registration
Address	Billing address, shipping address, country, postcode	Provided by you at checkout
Financial	Payment method type, last 4 digits, transaction IDs (no full card numbers stored)	Payment processor (MaxelPay)
Transaction	Orders, order items, amounts, dates, shipping addresses, invoices	Generated when you place orders
Communications	Messages, inquiries, quotation requests, support tickets	Generated when you contact suppliers or support
Technical	IP address, browser type, device type, OS, session tokens, cookies	Collected automatically when you use the platform
Usage	Pages viewed, search queries, clicks, product views, time on site	Collected automatically via analytics
Supplier-specific	Business registration, VAT/GST number, trade licence, certifications, bank details for payouts	Provided by suppliers during onboarding

We do not collect or store full payment card numbers. Card data is handled exclusively by our PCI-DSS certified payment processor, MaxelPay. We receive only a tokenised reference.

3. How We Use Your Data

Platform Operation

Creating and managing your account, processing orders, facilitating buyer–supplier communications, issuing invoices and receipts.

Payments & Payouts

Processing payments, issuing supplier payouts, detecting and preventing fraud, complying with anti-money-laundering (AML) obligations.

Shipping & Logistics

Transmitting your shipping address and contact details to our carrier partners for delivery of your orders.

Customer Support

Responding to enquiries, resolving disputes, processing returns and exchanges.

Platform Improvement

Analysing usage data and performance metrics to improve features, fix bugs and optimise user experience.

Marketing (opt-in only)

Sending you promotional emails, newsletters and personalised product recommendations — only if you have explicitly opted in. You may unsubscribe at any time.

Legal Compliance

Fulfilling our obligations under applicable law, including tax reporting, anti-fraud, GDPR data subject request handling and court orders.

Security

Monitoring for unauthorised access, abuse or fraudulent activity on the platform.

4. Legal Basis for Processing (GDPR Article 6)

Processing Activity	Legal Basis
Account creation and management	Contract (Art. 6(1)(b)) — necessary to provide the service
Processing orders and payments	Contract (Art. 6(1)(b))
Transmitting data to shipping carriers	Contract (Art. 6(1)(b))
Fraud detection and platform security	Legitimate Interest (Art. 6(1)(f))
Improving the platform via analytics	Legitimate Interest (Art. 6(1)(f))
Sending marketing communications	Consent (Art. 6(1)(a)) — opt-in only; withdrawable at any time
Tax, accounting and legal obligations	Legal Obligation (Art. 6(1)(c))
Processing supplier business documents	Contract (Art. 6(1)(b)) + Legal Obligation (Art. 6(1)(c))
Profiling for personalised recommendations	Legitimate Interest (Art. 6(1)(f)) — you may object at any time

5. Data Sharing & Third Parties

We do not sell your personal data to third parties. We share data only where necessary to provide the service, comply with law, or protect our legitimate interests:

Recipient	Data Shared	Purpose	Location
Shipping carriers (Colissimo, DHL, FedEx, UPS, etc.)	Name, address, phone, order contents	Delivery of orders	EU / Global (with safeguards)
MaxelPay (payment processor)	Payment data, transaction amounts	Payment processing	EU
Supabase (database & auth)	All platform data	Hosting and infrastructure	EU (Frankfurt)
Vercel (hosting)	Web server logs, IP addresses	Application hosting	EU / USA (SCCs applied)
Google (Analytics, Merchant)	Anonymised usage data, product feed	Analytics, search visibility	USA (SCCs applied)
Aramex	Name, address, phone	Delivery to MENA / Africa	UAE / Global
Legal authorities	As required by law	Legal compliance, court orders	France / EU
Suppliers on Euromart	Name, company, order details	Order fulfilment and communication	Global (seller location)

All third-party processors are bound by Data Processing Agreements (DPAs) that require them to process your data only on our documented instructions and in compliance with GDPR.

6. Data Retention

Data Category	Retention Period	Reason
Account data	Duration of account + 3 years	Contractual relationship
Order & transaction data	10 years	French commercial law (Code de commerce, Art. L123-22)
Invoice & financial data	10 years	French accounting and tax law
Support communications	3 years after closure	Dispute resolution and legal claims
Marketing consent records	3 years from last interaction	GDPR consent record-keeping
Session & log data	13 months	CNIL guidelines for web analytics
Cookie consent records	13 months	CNIL guidelines
Deleted account data	Anonymised within 30 days	GDPR right to erasure

When your account is deleted, personal identifiers are anonymised. Aggregated, non-identifiable data (e.g. total platform order volumes) may be retained indefinitely for statistical purposes.

7. Your Rights Under GDPR

Right of Access (Art. 15)

Request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Rectification (Art. 16)

Ask us to correct inaccurate or incomplete data. You can also update most data directly in Account Settings.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.

Right to Restriction (Art. 18)

Ask us to pause processing of your data in specific circumstances, e.g. while accuracy is contested.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON/CSV) to transfer to another service.

Right to Object (Art. 21)

Object to processing based on legitimate interest, including profiling and direct marketing.

Withdraw Consent (Art. 7)

Withdraw marketing consent at any time via the unsubscribe link in any email or via Account Settings.

Lodge a Complaint

File a complaint with CNIL (cnil.fr) or any EU supervisory authority if you believe your rights have been violated.

To exercise any of the above rights, email privacy@euromartsuppliers.com with the subject line "GDPR Data Request" and your account email address. We will verify your identity before processing the request and respond within 30 days (extendable to 90 days for complex requests, with notice).

8. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs)

EU Commission-approved contractual clauses binding the recipient to GDPR-equivalent protections. Used for transfers to the USA (Vercel, Google).

Adequacy Decisions

Transfers to countries the EU Commission has recognised as providing equivalent data protection (e.g. UK, Switzerland).

Binding Corporate Rules (BCRs)

Used where applicable for intra-group transfers within multinational processors.

Explicit Consent

For transfers to non-adequate countries where no other mechanism applies, we will obtain your explicit informed consent.

9. Cookies & Tracking Technologies

We use cookies and similar technologies. You can manage your preferences via our Cookie Banner or at any time through your browser settings. See our Cookie Policy for full details.

Cookie Type	Purpose	Consent Required?	Retention
Essential	Session management, authentication, security (CSRF)	No — strictly necessary	Session / up to 1 year
Functional	Language preference, currency, recently viewed products	Yes	Up to 1 year
Analytics	Usage statistics, page performance (Google Analytics)	Yes	13 months
Marketing	Personalised ads, retargeting (Google Ads, Meta Pixel)	Yes	Up to 2 years

10. Data Security

Encryption in Transit

All data is transmitted over TLS 1.2+ encrypted connections (HTTPS). No data is sent over plain HTTP.

Encryption at Rest

Database storage is encrypted at rest using AES-256. Supabase (hosted in EU-Frankfurt) manages the encryption keys.

Access Control

Row-Level Security (RLS) policies ensure users can only access their own data. Admin access is role-based and audited.

Breach Notification

In the event of a personal data breach, we will notify the CNIL within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.

Password Security

Passwords are hashed using bcrypt. We never store plaintext passwords. Multi-factor authentication (MFA) is available.

Vendor Security

All processors are vetted and bound by DPAs. Infrastructure runs on SOC 2 Type II certified platforms.

No method of transmission over the internet is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. If you suspect your account has been compromised, change your password immediately and contact privacy@euromartsuppliers.com.

11. Children's Privacy

Euromart is a B2B marketplace intended for use by businesses and adults aged 18 or over. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided personal data, we will delete that data promptly. If you believe a child has registered, please contact privacy@euromartsuppliers.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send a notification to your registered email address
Display a banner on the platform for significant changes

Continued use of the platform after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.

Privacy enquiries & Data Subject Requests

Contact our Data Protection Officer. We respond within 30 days as required by GDPR.

Contact DPO privacy@euromartsuppliers.com

This Privacy Policy is compliant with Regulation (EU) 2016/679 (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and CNIL guidelines. Last reviewed April 1, 2025. Euromart SAS reserves the right to update this policy at any time; the current version is always published at this URL.