Privacy Policy
title: Privacy Policy lastUpdated: 2026-07-04 status: DRAFT
DRAFT — PENDING LEGAL COUNSEL REVIEW, NOT LEGAL ADVICE. This notice is tailored to DEPOT's real architecture but every entity-, jurisdiction-, and retention-specific clause below is marked
> COUNSEL:and must be confirmed by a qualified EU data-protection lawyer before publication. Placeholders in{{ }}must be filled once the EU establishment entity is chosen (see the entity brief indocs/audit/).
Privacy Policy
DEPOT is a curated multi-vendor resale marketplace for fashion. This policy explains what personal data we process, why, on what legal basis, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Who is the controller
The data controller is {{DEPOT_LEGAL_ENTITY_NAME}}, {{REGISTERED_ADDRESS}}, {{MEMBER_STATE}}, company registration {{REG_NUMBER}}, VAT {{VAT_NUMBER}}.
- Privacy contact / Data Protection point of contact: {{PRIVACY_EMAIL}}
- EU legal representative (Digital Services Act, Art. 13): {{DSA_LEGAL_REP_NAME}}, {{DSA_LEGAL_REP_EMAIL}}, {{DSA_LEGAL_REP_MEMBER_STATE}}
COUNSEL: The controlling entity does not yet exist — its member state (Ireland / Netherlands / Estonia) is an open founder+counsel decision. Confirm whether a formal DPO appointment under GDPR Art. 37 is required (likely not mandatory at this scale, but the KYC/identity + payment processing should be assessed). Confirm the DSA Art. 13 legal representative placement.
2. What personal data we process
Everyone (buyers and sellers)
- Account data: email address (used for passwordless magic-link sign-in), display name, and any profile details you provide.
- Technical data: authentication session cookies, IP address, device/browser information, and security logs generated when you use the service.
Buyers
- Order data: items purchased, price, delivery/tracking status, dispute and refund records.
- Payment data: handled by Stripe — DEPOT never receives or stores your full card number. We store a payment reference (Stripe PaymentIntent ID) and the order amount.
- Delivery data: the shipping address you provide for an order.
Sellers ("traders")
- Storefront data: business/trading name, handle, bio, logo, banner.
- Compliance / identity data (collected to meet EU platform obligations — see §4): legal name or legal entity name, registered address, date of birth (individuals), place of birth, business registration number, VAT number, tax-residence country, national tax identification number (TIN), and bank account details (IBAN + account holder) for payouts.
- Verification status set by our team (Know-Your-Business-Customer review).
We do not intentionally collect special categories of personal data (Art. 9 GDPR). Please do not submit such data in free-text fields (e.g. listing descriptions, messages).
3. Cookies
We use strictly-necessary cookies to keep you signed in and to secure the service. These do not require consent.
COUNSEL: If any analytics, advertising, or other non-essential cookies/trackers are added (e.g. Vercel Analytics, Umami, or a marketing pixel), a consent mechanism (banner/CMP) and a standalone Cookie Policy become mandatory under the ePrivacy Directive as implemented in {{MEMBER_STATE}}. Confirm the deployed analytics stack before launch.
4. Why we process your data and the legal basis
| Purpose | Data | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Create and operate your account; passwordless sign-in | Email, session data | Art. 6(1)(b) — performance of a contract |
| List, sell, buy, ship, and complete orders | Order, delivery, storefront data | Art. 6(1)(b) — performance of a contract |
| Hold funds in escrow and pay out sellers | Order amount, Stripe reference, seller IBAN | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (financial record-keeping) |
| Trader identification and traceability (DSA Art. 30/31) | Seller legal name, address, VAT/registration | Art. 6(1)(c) — legal obligation |
| Tax reporting on sellers (DAC7 / Directive 2021/514) | Seller TIN, tax-residence, address, revenue/transaction totals | Art. 6(1)(c) — legal obligation |
| Security, fraud prevention, dispute resolution | Technical logs, order + dispute records | Art. 6(1)(f) — legitimate interests (a secure, trustworthy marketplace) |
| Meeting consumer-protection obligations (returns/withdrawal) | Order + delivery data | Art. 6(1)(c) — legal obligation |
COUNSEL: Confirm the legitimate-interests balancing test for §fraud/security, and confirm the lawful-basis mapping for the KYC/DAC7 identity fields (we have relied on legal obligation).
We do not use your compliance/identity data for marketing. Any future marketing communications will rely on separate, freely-given consent (Art. 6(1)(a)) that you can withdraw at any time.
5. Who we share data with (processors and sub-processors)
We use a small number of carefully-selected processors. The current sub-processor register is
maintained at docs/legal/sub-processor-register.md; the key processors are:
- Supabase — database, authentication, file storage, and backend hosting for the service. Personal data hosted in the EU region. Acts as our processor under a Data Processing Agreement.
- Stripe — payment processing, escrow (separate charges & transfers), and seller payouts via Stripe Connect. Stripe is an independent controller for its own payment/KYC obligations and our processor for the payment flow.
- {{HOSTING_PROVIDER}} — application hosting/CDN for the storefront.
- {{EMAIL_PROVIDER}} — delivery of transactional email (magic-link sign-in, order notifications).
COUNSEL: Confirm the final hosting provider (Vercel staging vs. Hetzner production) and the transactional-email provider, and that a signed DPA (and, where relevant, EU Standard Contractual Clauses for any non-EEA transfer) is in place with each before launch. Stripe's controller/processor split for the KYC data should be characterised precisely.
We do not sell your personal data. We disclose data to public authorities (e.g. tax authorities under DAC7, or a Digital Services Coordinator under the DSA) only where legally required.
6. International transfers
Our primary data store is in the EU region. Where a processor transfers data outside the EEA (for example, certain Stripe processing), that transfer is covered by an adequacy decision or EU Standard Contractual Clauses.
COUNSEL: Confirm the transfer mechanism for each sub-processor; document the SCCs / adequacy basis.
7. How long we keep data
| Data | Retention |
|---|---|
| Account data | For the life of your account, then deleted or anonymised {{ACCOUNT_DELETION_WINDOW}} after closure |
| Order / transaction / payout records | Retained for statutory financial-record and tax periods |
| DAC7 seller identity/tax data | At least 5 years from year-end of the reporting period (DAC7 minimum) |
| Rejected seller-application data | Maximum 90 days after rejection, then deleted/anonymised, unless you re-apply |
| Security logs | {{LOG_RETENTION}} |
COUNSEL: Confirm the exact statutory retention periods for financial records in {{MEMBER_STATE}}, the DAC7 minimum, and the account-closure deletion window. The 90-day rejected-applicant purge and a retention/anonymisation schedule must be operationalised (see the audit's action list).
8. Your rights
Under the GDPR you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten", subject to our legal-retention obligations); restrict or object to processing; data portability; and to withdraw consent where processing is consent-based. You also have the right to lodge a complaint with your local supervisory authority ({{LEAD_SUPERVISORY_AUTHORITY}} is our lead authority).
To exercise any right, contact {{PRIVACY_EMAIL}}. We respond within one month.
COUNSEL: Note the tension between erasure requests and DAC7/financial legal-retention duties — confirm the standard response (retain the minimum legally required, erase the rest).
9. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Seller approval and dispute resolution involve human review.
COUNSEL: If AI-assisted listing generation or visual-similarity features later touch personal data or affect seller outcomes, re-assess Art. 22 and update this section.
10. Changes to this policy
We will post material changes here and update the "last updated" date.