Privacy Policy
**Effective date:** ‹effective_date›
---
1. Who We Are
**Controller.** The data controller for all personal data processed through the WAW365 platform is:
**‹controller_name›** ‹registered_address› Contact: ‹contact_email›
**Data Protection Officer.** Where required by applicable law, the designated Data Protection Officer (DPO) is:
‹dpo_name› ‹dpo_email›
You may contact the DPO directly for any question relating to the processing of your personal data or to exercise your rights.
{% if eu_representative %}
**Article 27 EU Representative.** Where ‹controller_name› is not established in a Member State of the European Union but offers goods or services to data subjects in the EU or monitors their behaviour, ‹controller_name› has designated an EU representative within the meaning of Article 27 of Regulation (EU) 2016/679 (GDPR):
‹eu_representative›
EU data subjects may contact the EU representative in addition to, or instead of, contacting ‹controller_name› directly, in all matters relating to processing of their personal data. The designation of the EU representative does not affect any rights or claims that may be exercised against ‹controller_name› directly.
{% endif %}
---
2. What Data We Collect and Why
WAW365 is a business-to-business (B2B) auto-parts marketplace. The categories of personal data we collect, the purposes for which we collect them, and the legal bases under Article 6 GDPR are set out below.
2.1 Account Registration and Profile
**Data collected:** Full name, business name, registered address, VAT or tax identification number, email address, telephone number, chosen password (stored in hashed form), account type (supplier or buyer), language and locale preferences.
**Purpose:** To create and maintain your user account; to authenticate you; to fulfil our contractual obligations to you as a platform user; to communicate service notices and transactional messages.
**Legal basis:** Article 6(1)(b) GDPR — processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
2.2 Supplier Profile and Catalogue Data
**Data collected:** Business trading name, logo, contact details published on the profile, locations, delivery regions, catalogue listings (part numbers, prices, stock levels), and any additional information voluntarily provided in the supplier profile.
**Purpose:** To display the supplier's offerings to prospective buyers on the marketplace; to enable search, filtering, and order placement; to maintain an accurate and current product catalogue.
**Legal basis:** Article 6(1)(b) GDPR — performance of the platform-usage contract. Where a supplier profile contains information relating to a named individual (e.g., a sole trader), processing is additionally justified on the same basis.
2.3 Orders, Transactions, and Invoicing
**Data collected:** Order details (part numbers, quantities, prices, delivery address, delivery notes), buyer and supplier identity, payment references ⚠ confirm which payment-provider data flows through WAW365 vs. directly to payment processor, invoice data, VAT numbers, and correspondence relating to order fulfilment.
**Purpose:** To process, fulfil, and record orders placed on the platform; to issue invoices and fiscal documents; to resolve disputes; to comply with accounting and tax obligations.
**Legal basis:** Article 6(1)(b) GDPR — performance of contract; Article 6(1)(c) GDPR — compliance with legal obligations (tax and accounting law) for records that must be retained beyond the contract period.
2.4 Messenger and Attachments
**Data collected:** Messages exchanged between buyers and suppliers through the in-platform messenger, including any files, images, or documents attached to those messages.
**Purpose:** To facilitate communication between counterparties in the context of a transaction or pre-transaction enquiry; to maintain a verifiable record of agreed terms and representations.
**Legal basis:** Article 6(1)(b) GDPR — performance of contract.
**Retention note:** Message content and attachments are stored for the duration of the account relationship and for a period thereafter ⚠ confirm retention period for messenger data, taking into account contractual dispute windows and applicable statutory limitation periods.
2.5 Price-List Uploads
**Data collected:** Files uploaded by suppliers for automated catalogue ingestion (typically spreadsheets or structured data files). These files may contain business contact information embedded in the document metadata.
**Purpose:** To parse and import product data into the supplier's catalogue; to detect and handle format errors.
**Legal basis:** Article 6(1)(b) GDPR — performance of contract.
**Processing note:** Price-list files are processed by an external document-processing service ⚠ identify the specific processor, confirm sub-processor agreement and data location. Only catalogue-relevant structured data is retained; raw files are deleted after successful ingestion ⚠ confirm deletion timeline for raw upload files.
2.6 IP Addresses, GeoIP, and Security Logs
**Data collected:** IP address at login and during active sessions, derived geolocation (country, city-level), browser and device metadata (user-agent string), session timestamps, and security-event logs (failed login attempts, rate-limit triggers, abuse signals).
**Purpose:** To protect the platform against unauthorised access, credential-stuffing, scraping, fraud, and other abuse; to enforce rate limits; to present region-appropriate content and currency defaults; to investigate security incidents.
**Legal basis:** Article 6(1)(f) GDPR — legitimate interests of the controller in maintaining the security, integrity, and availability of the platform. The processing is necessary and proportionate; the interest is not overridden by data-subject interests given the B2B context and the limited intrusiveness of network-level data collection.
**GeoIP note:** Country-level geolocation derived from IP address is used for currency selection and content localisation. City-level precision is used only for the initial city-selector default and is not stored beyond the session unless a user saves a location preference.
2.7 Referral and Attribution Data
**Data collected:** Referral source URL, UTM parameters, and referral codes where a user arrives via a tracked link.
**Purpose:** To attribute registrations to partner programmes or marketing campaigns; to administer referral rewards where applicable.
**Legal basis:** Article 6(1)(f) GDPR — legitimate interest in understanding acquisition channels and honouring referral agreements, subject to ⚠ assess whether referral attribution triggers ePrivacy obligations in the relevant jurisdictions and whether consent is required.
2.8 Vehicle Identification Numbers (VINs)
**Data collected:** VIN strings entered by buyers when searching for compatible parts.
**Purpose:** To decode vehicle specifications and filter catalogue results to compatible parts; to improve search relevance.
**Legal basis:** Article 6(1)(b) GDPR — performance of the search service at the data subject's request. VINs entered in search are not persistently linked to an identifiable individual beyond the session unless the user saves the vehicle to their account, in which case storage is for convenience at the user's direction.
**Note:** VINs may be capable of being traced back to a registered vehicle owner in some jurisdictions. We do not use VINs to identify individuals and do not share them with third parties for that purpose.
2.9 Analytics and Marketing Cookies (PENDING — Consent Required)
**Data collected:** Where the user has given explicit, informed consent, we may collect page-view and event data via Google Analytics 4 (GA4) and may serve or measure advertising via Google Ads.
**Purpose:** To understand aggregate platform usage; to measure marketing campaign performance; to improve the platform.
**Legal basis:** Article 6(1)(a) GDPR — consent, in conjunction with the requirements of the ePrivacy Directive as implemented in each relevant jurisdiction. **These cookies and the associated processing are activated only after the user has accepted analytics and/or marketing cookies through the cookie consent mechanism.** Consent may be withdrawn at any time; see Section 3.
**Status:** Google Analytics 4 and Google Ads integration are currently pending full deployment. This section will be updated when the integration is live. ⚠ confirm GA4/Ads go-live status and update this notice accordingly before publication
---
3. Cookies and Analytics
We use cookies and similar technologies on the WAW365 platform. Our use of cookies is governed by our separate **Cookie Policy**, which forms part of this Privacy Policy and is incorporated herein by reference.
In summary:
- **Strictly necessary cookies** are set without consent as they are essential to the operation of the platform (authentication sessions, CSRF protection, load-balancing).
- **Analytics cookies** (Google Analytics 4) are set only after you have provided explicit consent through our cookie-consent banner.
- **Marketing/advertising cookies** (Google Ads) are set only after you have provided explicit consent.
You may withdraw consent for non-essential cookies at any time by accessing the cookie-preference centre or by adjusting your browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
For full details of the cookies we use, their purpose, and their lifetime, please refer to the Cookie Policy available at ⚠ insert Cookie Policy URL.
---
4. Recipients and Processors
We share personal data only where necessary and under appropriate contractual and legal safeguards. The categories of recipients are as follows.
4.1 Sub-processors (Data Processors)
We engage the following categories of processor acting on our instructions:
| Processor | Role | Location | |-----------|------|----------| | **Hetzner Online GmbH** | Cloud hosting and infrastructure (servers, storage, networking) | Germany / EEA | | **Mailu** (self-hosted mail server) | Transactional email delivery | ⚠ confirm Mailu deployment location and whether any relay/SMTP service is used | | **MinIO** (self-hosted object storage) | Storage of uploaded files, images, and attachments | In-stack, same infrastructure as Hetzner ⚠ confirm data-at-rest encryption and location | | **Google LLC** | Google Analytics 4 (analytics, consent-gated); Google Ads (advertising, consent-gated); Google Search Console (aggregated SEO data, no end-user PII) | United States (international transfer — see Section 5) | | **External price-list document processor** | Automated parsing and ingestion of supplier price-list uploads | ⚠ identify processor name, location, and contractual basis |
**Note on SEO catalog enrichment:** We use Abacus/OpenAI gateway services to generate multilingual descriptive text for parts in our product catalogue. This processing involves only product and catalogue data (part numbers, specifications, category names). No end-user personal data is transmitted to these services.
4.2 Other Recipients
- **Counterparties:** Suppliers and buyers on the platform see each other's business contact information and order details to the extent necessary to fulfil a transaction. This is inherent to the marketplace function and is covered by the platform contract.
- **Legal and regulatory authorities:** We disclose personal data to competent courts, law enforcement, or regulatory bodies where required by applicable law or a legally binding order.
- **Professional advisers:** Auditors, lawyers, and accountants acting under duties of confidentiality, to the extent necessary for their engagement.
We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes without explicit consent.
---
5. International Transfers
The primary infrastructure for WAW365 is hosted within the European Economic Area (Hetzner, Germany). However, certain processors are located outside the EEA, and data may be transferred to them in the course of providing their services.
5.1 Transfers to Google (United States)
Where Google Analytics 4 or Google Ads are active (subject to user consent, see Section 2.9), personal data including IP addresses and behavioural data may be transferred to Google LLC, located in the United States.
We rely on the following transfer mechanisms ⚠ confirm current applicable mechanism — EU-US Data Privacy Framework adequacy decision of July 2023 and/or Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914; verify that the Google DPA and SCCs are in place and current:
- The adequacy decision of the European Commission in respect of the EU-US Data Privacy Framework (DPF) to the extent Google LLC is a certified participant; and/or
- Standard Contractual Clauses (SCCs) adopted pursuant to Article 46(2)(c) GDPR.
⚠ verify that Google's current Data Processing Addendum and associated SCCs/DPF certification are in place for all Google services used; check for any updates following CJEU or supervisory-authority guidance
5.2 Transfers to the External Price-List Processor
⚠ once the external price-list document processor is identified, confirm whether it is located outside the EEA and, if so, document the applicable transfer mechanism (adequacy decision, SCCs, or other Article 46 safeguard)
5.3 Transfers to Ukraine
Where we share data with or about data subjects located in Ukraine, or where processing involves recipients in Ukraine, we rely on ⚠ Ukraine is not the subject of an EU adequacy decision as at the effective date; confirm applicable transfer mechanism — SCCs, binding corporate rules, or derogations under Article 49 GDPR — and note that any SCCs must be adapted for third-country transfers to Ukraine. Separate provisions applicable to Ukrainian data subjects are set out in Section 8.
---
6. How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, and in any event for no longer than required or permitted by applicable law.
The following indicative periods apply, subject to legal requirements ⚠ all retention periods must be confirmed by legal counsel against applicable accounting, tax, contract, and limitation-period law in each relevant jurisdiction (EU, Poland, Norway, Ukraine) before publication:
| Category | Indicative retention period | |----------|-----------------------------| | Account data (active account) | For the duration of the account relationship | | Account data (after account closure) | ⚠ e.g., 3 years from closure to cover contractual disputes — confirm against applicable limitation periods | | Order records and invoices | ⚠ tax and accounting law in Poland, Norway, and Ukraine mandates specific minimum retention periods for fiscal records — typically 5–10 years; confirm exact period per jurisdiction | | Messenger messages and attachments | ⚠ confirm — consider aligning with order-record retention for messages relating to transactions | | Security and access logs (IP addresses, login events) | ⚠ e.g., 12 months — confirm against legitimate-interest proportionality and any sector-specific obligation | | Price-list raw upload files | ⚠ confirm deletion timeline post-ingestion, e.g., 30 days | | Analytics data (GA4, consent-gated) | ⚠ GA4 default data retention; confirm and document the retention setting in the GA4 property | | Consent records (cookie consent) | ⚠ confirm retention period for consent logs — typically at least the life of the consent plus the applicable limitation period | | VINs (session searches, not saved) | Deleted at session end | | VINs (saved to account) | For the duration of the account relationship + account-closure retention period |
When data is no longer required, we delete or irreversibly anonymise it in accordance with our internal data-retention schedule.
---
7. Your Rights
7.1 Rights Under the GDPR
If you are located in the European Economic Area, or where GDPR otherwise applies to our processing, you have the following rights in relation to your personal data:
**Right of access (Article 15 GDPR).** You have the right to obtain confirmation as to whether we process personal data about you, and if so, to receive a copy of that data together with information about how it is processed.
**Right to rectification (Article 16 GDPR).** You have the right to require us to correct inaccurate personal data and to complete incomplete personal data without undue delay.
**Right to erasure (Article 17 GDPR).** You have the right to require us to delete your personal data where, for example, it is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis, or you object to processing under Article 21 and there are no overriding legitimate grounds. This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
**Right to restriction of processing (Article 18 GDPR).** You have the right to require us to restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing pending verification of whether our legitimate grounds override yours.
**Right to data portability (Article 20 GDPR).** Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
**Right to object (Article 21 GDPR).** Where processing is based on legitimate interests (Article 6(1)(f)), you have the right to object to that processing on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims. Where processing is for direct marketing purposes, you have an absolute right to object at any time.
**Right to withdraw consent (Article 7(3) GDPR).** Where processing is based on your consent (for example, analytics cookies), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
**Right to lodge a complaint.** You have the right to lodge a complaint with the competent supervisory authority. Our lead supervisory authority is ‹supervisory_authority› ⚠ confirm the competent lead supervisory authority — this should be the authority in the Member State of the controller's main establishment; if the controller is established outside the EU, identify the relevant authority. You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
7.2 How to Exercise Your Rights
To exercise any of the rights set out above, please contact us at:
**‹contact_email›**
or by writing to us at ‹registered_address›.
We will respond to your request without undue delay and in any event within one calendar month of receipt. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
We may require you to provide reasonable evidence of your identity before responding to a request in order to protect against unauthorised disclosure. We will not charge a fee for the exercise of your rights unless requests are manifestly unfounded or excessive.
---
8. Note for Data Subjects in Ukraine
This section provides additional information for individuals whose personal data is processed in connection with their use of WAW365 and who are located in, or whose data is processed under the law of, Ukraine.
**Applicable law.** The processing of personal data of Ukrainian data subjects is also governed by the Law of Ukraine "On Personal Data Protection" (Закон України «Про захист персональних даних», as amended) (the "UA Law").
**Controller registration.** ‹[[REVIEW: confirm whether {{controller_name}} is required to register as a personal data controller with the Ukrainian Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини) and, if so, confirm registration status]]›
**Your rights under Ukrainian law.** In addition to the GDPR rights described in Section 7 (which we apply as a baseline standard), Ukrainian data subjects have rights under the UA Law including the right to:
- know the location of the personal data database containing their data, its purpose, and the name and address of the controller;
- receive information about the conditions of access to personal data, including information about third parties to whom their data is transferred;
- access their personal data;
- receive a response as to whether personal data about them is processed and, if so, to receive the content of that data;
- present a reasoned objection to the processing of their personal data;
- require erasure or blocking of personal data that is processed unlawfully, incompletely, inaccurately, or is outdated;
- protect their personal data from unlawful processing and accidental loss, destruction, or damage;
- lodge a complaint about the processing of their personal data with the Ukrainian Commissioner for Human Rights or seek judicial protection.
**Contact for Ukrainian data subjects.** To exercise your rights under the UA Law, please contact us at ‹contact_email›. You may also contact the Ukrainian Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини) ⚠ insert current contact details and URL for the Commissioner's office.
**Cross-border transfer.** Transfer of personal data of Ukrainian data subjects to countries outside Ukraine is carried out in accordance with the requirements of the UA Law ⚠ confirm compliance with UA Law requirements on cross-border transfer, including whether the country of destination provides an adequate level of protection or whether other safeguards apply; note that the UA Law has its own adequacy list.
---
9. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, commensurate with the risks presented by the processing and the nature of the data.
Measures in place include, without limitation:
- Encryption of data in transit using TLS.
- Encryption of data at rest ⚠ confirm encryption-at-rest is implemented across all storage components including Hetzner volumes and MinIO.
- Access controls and role-based permissions restricting access to personal data to authorised personnel only.
- Hashed storage of passwords (plaintext passwords are never stored).
- Rate limiting and anti-abuse controls on authentication and API endpoints.
- Regular security reviews and dependency vulnerability scanning.
- Incident response procedures, including notification to competent supervisory authorities and affected data subjects in accordance with Articles 33 and 34 GDPR where a personal data breach meeting the relevant threshold occurs.
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect personal data using commercially reasonable measures, we cannot guarantee absolute security.
---
10. Children
WAW365 is a B2B marketplace and is not directed at, or intended for use by, children. Our platform is designed for and available only to legal entities and adult individuals acting in a business capacity. We do not knowingly collect personal data from individuals under the age of 18 ⚠ confirm the applicable age threshold in each jurisdiction — e.g., 16 in some EU Member States for consent-based processing.
If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete it. If you believe we may have collected personal data from or relating to a child, please contact us at ‹contact_email›.
---
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal obligations, or regulatory guidance. Where changes are material, we will notify registered users by email or by a prominent notice on the platform prior to the change taking effect.
The version of this Privacy Policy in force at any given time is identified by the **Effective Date** at the top of the document. We encourage you to review this Policy periodically.
**Effective date of this version:** ‹effective_date›
---
*If you have any questions about this Privacy Policy or our data-protection practices, please contact us at ‹contact_email› or write to ‹controller_name›, ‹registered_address›.*