Reintiler

Privacy Policy

This version follows a GDPR-oriented structure for the storefront, customer account area, and operational admin flows linked to orders and stock.

Last updated: March 28, 2026

Important before production

Before production, replace the placeholder details below with the real legal entity name, postal address, privacy email, and applicable retention periods for your jurisdiction.

Who controls the data

A GDPR privacy notice should identify the data controller and provide contact details. This project does not yet contain the final legal entity details in code, so this section remains a production checklist.

  • Controller: Reintiler operator (replace with your legal entity before production).
  • Privacy contact: privacy@your-domain.example (replace before production).
  • If a DPO is appointed later, that contact should also be published here.

What data we process

Depending on whether a person browses the catalog, creates an account, or places an order, different categories of personal data may be processed.

  • Account data: email, password in hashed form, user role, and account status.
  • Profile and delivery data: first name, last name, phone, country, city, region, address, postal code, company, and VAT number.
  • Order data: items, quantities, prices, fulfilment warehouse/store, delivery mode, payment mode, and order notes.
  • Technical and security data: IP address, user agent, refresh sessions, request logs, and admin audit events.

Why we process data and the legal basis

GDPR requires both the processing purpose and the legal basis to be explained. For this storefront, several bases are likely to apply depending on the scenario.

  • Article 6(1)(b) GDPR — account registration, login, profile management, cart handling, checkout, and order fulfilment as part of a contract or steps before entering into a contract.
  • Article 6(1)(c) GDPR — compliance with tax, accounting, and other legal obligations, where applicable to your business setup.
  • Article 6(1)(f) GDPR — platform security, abuse prevention, account protection, auditability of admin actions, and service integrity.
  • Consent should be used separately if marketing emails, analytics, or advertising tools are added later. The current storefront does not enable those by default.

Who may receive the data

Access to personal data should not be broader than needed for the store to operate and orders to be fulfilled.

  • Internal admins and warehouse staff, only to the extent needed for orders, returns, stock handling, and user support.
  • Hosting and infrastructure providers acting as processors under your instructions.
  • Public authorities, courts, tax, or law-enforcement bodies only where disclosure is legally required.

Transfers outside the EEA

If infrastructure or service providers are located outside the EEA, the transfer should rely on an adequacy decision or appropriate safeguards. If no such transfers take place, the production policy should say that explicitly.

How long we keep data

GDPR requires either retention periods or the criteria used to determine them. At the current project stage, criteria are the most accurate option until final production retention periods are approved.

  • Account data — while the account remains active and as long as it is needed to provide the service.
  • Order and related financial records — for as long as required by contractual, tax, accounting, and similar legal obligations.
  • Security logs, refresh sessions, and audit records — for as long as needed for security, incident investigation, accountability, and internal policy enforcement.

User rights

Users should have a clear way to exercise their GDPR rights. The production policy should also include the exact request channel and handling process.

  • Right of access.
  • Right to rectification.
  • Right to erasure where the data is no longer needed or the processing is unlawful.
  • Right to restriction of processing.
  • Right to data portability where applicable.
  • Right to object where processing relies on legitimate interests.
  • Right to lodge a complaint with a competent EU/EEA supervisory authority.

How to submit a request

The production version of this page should contain a real privacy contact channel. Until then, this document should be treated as a GDPR-oriented draft rather than a final legal publication.

© 2026 Reintiler
