Privacy Policy

1. Data controller

This English version is provided for information only. The French version (vintradex.com/fr/legal) is the authoritative legal version and shall prevail in case of any discrepancy.

The controller of personal data collected on the Vintradex Platform is: Djaadane Selsabil, Sole Trader (Entrepreneur Individuel), SIREN 101 027 274, 11 Rue des Francs Maçons, 42100 Saint-Étienne, France.

In accordance with the GDPR (EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978 as amended, you can exercise your rights with the Personal Data Officer at the following address: contact@vintradex.com (please indicate "For the attention of the personal data officer").

2. Data collected and purposes

Account registration

Email, password (Argon2id hashed, never in clear text), surname, first name, date of acceptance of the Terms of Use

Enriched profile

Username, bio, city, interests, profile picture

Shipping address

Name, address, postcode, city, country, phone

Transactions

Purchase history, sales, amounts, delivery methods, internal references

KYC PRO (professional seller)

ID document, KBIS, proof of address, SIRET, RIB, VAT number

Vault

List of entrusted items, descriptions, photos, declared value, entry/exit date

Messaging

Conversations between users (moderated after publication if reported)

Technical data

IP address, user-agent, connection date, audit log (action, entity, timestamp)

Payment data

No payment card data stored — delegated to Stripe Payments Europe Limited

3. Legal bases for processing

Performance of the contract (art. 6.1.b GDPR)

Registration, transactions, delivery, support

Legal obligation (art. 6.1.c)

Invoicing, accounting, LCB-FT (KYC PRO), 10-year retention of accounting documents

Legitimate interest (art. 6.1.f)

Fraud prevention, moderation, IT security, service improvement

Consent (art. 6.1.a)

Analytics cookies, newsletter, push notifications (optional)

4. Recipients

Data is intended for authorised Vintradex staff and its technical processors only, strictly within the limits of their intervention needs:

Stripe Payments Europe Limited

Ireland — payment processing

Infomaniak Network SA

Switzerland — web hosting (server located in Europe, framed transfer)

Mondial Relay SA

France — labels and pickup points

Boxtal SAS

France — multi-carrier quotes (optional)

LiveKit Inc. (self-hosted)

Drops video streaming, self-hosted on Vintradex server

Cloudflare Inc.

USA — anti-bot protection (Turnstile, optional, DPA framework)

5. Retention periods

Active account

As long as the account exists

Deleted account (anonymisation)

30 days after request, then permanent deletion

Accounting documents (invoices, transactions)

10 years (Commercial Code obligation, art. L.123-22)

KYC PRO (ID, KBIS, supporting documents)

5 years after last transaction (LCB-FT obligation)

Audit logs (logins, critical actions)

6 months

Newsletter / consents

3 years from last contact

6. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:

Right of access

Obtain a copy of your processed data

Right of rectification

Correct inaccurate or incomplete data

Right to erasure ("right to be forgotten")

Apart from legal retention obligations

Right to restriction

Temporarily restrict processing

Right to portability

Receive your data in a structured and readable format

Right to object

Refuse processing based on legitimate interest

Right to withdraw consent

For any processing based on consent

To exercise these rights, write to contact@vintradex.com with proof of identity (ID card or passport). Vintradex responds within 1 month (extendable to 3 months in case of complexity).

You also have the right to lodge a complaint with the CNIL (3 place de Fontenoy, 75007 Paris, www.cnil.fr) if you consider that your rights are not being respected.

7. Security

Vintradex implements appropriate technical and organisational measures to protect data: HTTPS/TLS 1.2+, Argon2id password hashing (brute-force resistant), detection of compromised passwords (HIBP), available two-factor authentication, access logging, encrypted daily backups, magic-bytes validation for uploaded files (ID, KBIS), anti-malicious-script scan in PDFs, download sandbox, Cloudflare Turnstile anti-bot, limitation of login attempts (Redis rate limit).

In the event of a personal data breach posing a risk to users, Vintradex will notify the CNIL within 72 hours and inform the affected individuals without undue delay, in accordance with articles 33 and 34 of the GDPR.

8. Transfers outside the EU

The main Vintradex server is hosted in Europe (Infomaniak, Switzerland — a country benefiting from a European Commission adequacy decision). Transfers to the USA (Stripe, Cloudflare) are framed by Standard Contractual Clauses (SCCs) approved by the European Commission (decision 2021/914).

9. Minors

Vintradex is not intended for persons under 18 years of age. If you become aware that a child has created an account without parental consent, contact contact@vintradex.com for immediate deletion.