Privacy Policy — Toveria
Version 2.0 — June 2026
Compliant with GDPR (EU) 2016/679, the Data Protection Act as amended
and applicable regulations on international data transfers
1. Identity of the data controller
Toveria — sole proprietorship (EI) operated by Kamel DOURA
12 Rue de la Part-Dieu, 69003 Lyon, France
SIRET: 978 781 227 00019 — RCS: 978 781 227 R.C.S. Lyon
📧 dpo@toveria.com
Kamel DOURA (EI Toveria) is the data controller for personal data collected via the Toveria platform (toveria.com) and its mobile application, in the context of a BtoC, CtoC, CtoB and BtoB marketplace operating from Europe to the rest of the world.
2. Data Protection Officer (DPO)
The DPO is your contact for any questions relating to the protection of your personal data.
3. Data collected
3.1 Registration data — All users
| Data | Mandatory | Purpose |
|---|---|---|
| First and last name | Yes | Identification, DAC7, invoicing |
| Date of birth | Yes (individuals) | Age verification, DAC7 |
| Email address | Yes | Authentication, notifications |
| Phone number | Yes | Identity verification, security, OTP |
| Complete postal address | Yes | Delivery, invoicing, DAC7 |
| Country of residence | Yes | Tax compliance, international VAT |
| Username | Yes | Display on the platform |
| Avatar | No | Personalisation |
| Biography | No | Public seller profile |
3.2 Additional data — Professional accounts
| Data | Mandatory | Purpose |
|---|---|---|
| Business name | Yes | Legal compliance, BtoB invoicing |
| Legal form | Yes | Legal compliance |
| SIRET / equivalent EU register | Yes | Business identity verification |
| Intra-community VAT number | Yes (if applicable) | VIES, BtoB invoicing |
| Country of goods storage | Yes | DAC7 compliance, VAT |
| Kbis or equivalent European document | Yes | Identity verification |
| IBAN (transfer account) | Via Stripe | Seller payment (Stripe Connect) |
| DAC7 certification | Yes | Regulatory obligation |
| Stripe KYC documents | Via Stripe | Connect identity verification |
3.3 Data collected during use
- Listings: title, description, price, photos, videos, category, location
- Transactions: purchase/sale history, amounts, payment references, carriers, tracking numbers
- Conversations: messages exchanged between members
- Behaviour: pages visited, searches, listings viewed, favourites
- Technical: IP address, device type, browser, OS, language, time zone
- Customs: information from CN22/CN23 declarations for international shipments
3.4 Payment data
Processed exclusively by Stripe. Toveria does not store banking data. Toveria receives only tokenised identifiers and transaction confirmations.
3.5 Data of international buyers
For buyers located outside the EU, Toveria collects only the data strictly necessary for the transaction: name, email, delivery address, country. This data is processed in compliance with GDPR and, where applicable, local data protection laws (Thailand PDPA, Brazil LGPD, Canada PIPEDA, etc.).
3.6 Tax identification number (TIN / Tax ID)
Collected for sellers exceeding DAC7 thresholds (30 transactions or €2,000/year). Also collected for BtoB transactions requiring an invoice with tax identification.
3.7 Push notification data
If you enable push notifications, a device identifier (FCM token) is generated by Firebase Cloud Messaging (Google) and retained to send you notifications related to your activity (messages, offers, sales, order tracking). This identifier contains no direct personal data. Activation is optional and based on your explicit consent (permission requested by your browser, preceded by information in the application); no identifier is transmitted to Google before this consent. You can disable notifications at any time from your device or the application menu.
4. Legal bases for processing
| Processing | Legal basis |
|---|---|
| Account management | Contract performance (art. 6.1.b) |
| Payment processing | Contract performance (art. 6.1.b) |
| Transactional notifications | Contract performance (art. 6.1.b) |
| BtoB invoicing | Contract performance + legal obligation |
| DAC7 compliance | Legal obligation (art. 6.1.c) |
| VIES VAT verification | Legal obligation (art. 6.1.c) |
| Customs declarations | Legal obligation (art. 6.1.c) |
| International sanctions compliance | Legal obligation (art. 6.1.c) |
| Fraud prevention | Legitimate interest (art. 6.1.f) |
| Service improvement | Legitimate interest (art. 6.1.f) |
| Marketing emails | Consent (art. 6.1.a) |
| Analytical cookies | Consent (art. 6.1.a) |
| Personalised recommendations | Consent (art. 6.1.a) |
| Push notifications (Firebase Cloud Messaging) | Consent (art. 6.1.a) |
5. Purposes of processing
5.1 Account management and authentication
Account creation, identity verification (email OTP, SMS OTP), secure login, multi-factor authentication (TOTP), account recovery.
5.2 Marketplace operation
Listing and management of advertisements, real-time messaging between members, transaction processing (all types: BtoC, CtoC, CtoB, BtoB), batch management, order history.
5.3 Payments and seller transfers
Secure payment processing (Stripe), receipt generation, fund transfers to sellers (Stripe Connect), Pro subscription management, boost invoicing.
5.4 BtoB invoicing
Automatic generation of compliant invoices (sequential number, complete tax data for both parties, applicable VAT) for transactions between professional accounts.
5.5 Regulatory compliance
DAC7 declarations to the DGFiP, VAT verification via VIES, DSA compliance, verification of international sanctions lists (via OpenSanctions, before payment), compliance with customs regulations. A geographic restriction also excludes countries under embargo (registration and delivery blocked), under applicable international sanctions (OFAC, EU, UN) and export controls; the country provided is processed for this purpose.
5.6 International transactions
Management of data necessary for customs declarations (CN22/CN23), calculation of applicable taxes (IOSS, customs duties), verification of export/import restrictions.
5.7 Security and anti-fraud
Detection of fraudulent behaviour, account authenticity verification, protection against unlawful content, referral anti-fraud controls, international sanctions verification.
5.8 Customer service and disputes
Processing of support requests, mediation between buyer and seller, archiving of exchanges necessary for dispute resolution, including for international disputes.
5.9 Commercial communication
Sending mandatory transactional emails, sending marketing emails with prior consent (revocable at any time).
6. Data recipients
6.1 Technical service providers (sub-processors)
| Service provider | Role | Location | Guarantees |
|---|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) | GDPR DPA contract |
| Stripe | Payments, KYC, Connect | United States | EU SCCs — Privacy Shield 2.0 |
| Resend | Transactional emails | United States | EU SCCs |
| Google (Firebase Cloud Messaging) | Push notifications | United States | EU SCCs |
| Anthropic | AI assistance (image search, listing description generation, support assistant), at user request | United States | EU SCCs |
| Vercel | Application hosting | United States / EU | EU SCCs |
| OpenSanctions | International sanctions list filtering (OFAC, UN, EU) before payment | EU (Germany) | Data limited to identity — GDPR DPA |
6.2 Public authorities
- DGFiP (France): annual DAC7 declarations
- ARCOM (France): DSA requests
- Customs authorities: data from CN22/CN23 declarations
- Competent authorities: response to judicial requests
- Regulators of third countries: if required by applicable local law for the transaction
6.3 Sharing between members
Only the public profile is visible: username, avatar, city, biography, rating, number of sales. Real name, address, email and phone are never shared directly with other members (delivery details are transmitted to the seller only after confirmed payment, solely for shipping purposes).
6.4 Buyers outside the EU
When a buyer located outside the EU makes a transaction, the data necessary for shipment (name, delivery address) is shared with the seller and, where applicable, with the carrier. This data may be subject to the customs regulations of the destination country.
7. Transfers outside the European Union
Transfers to third countries (notably the United States) are governed by:
- Standard contractual clauses (SCCs) approved by the European Commission (adequacy decision 2021/914)
- EU-US Privacy Shield 2.0 framework (Adequacy decision of July 2023) for transfers to the United States
For data of buyers residing outside the EU, Toveria applies the same protection standards as for European residents, to the extent permitted by applicable local laws.
8. Data retention periods
Each piece of data is retained for the duration strictly necessary for its purpose, then deleted or anonymised. In accordance with CNIL recommendations, certain data, after their active use phase, undergo intermediate archiving with restricted access (accessible only for compliance with legal obligations or dispute management) before final deletion.
| Category | Retention period |
|---|---|
| Active account data | Duration of account life |
| Account data after closure | Deletion of personal data upon closure; data subject to legal obligation retained separately for their own duration |
| Transaction / order data | 10 years (Commercial Code, CGI) |
| BtoB invoices | 10 years (Commercial Code) |
| Conversations (messages) | Active phase of 6 months after last message, then intermediate archiving with restricted access, then deletion: 24 months (conversation without order) or 5 years (conversation linked to an order) |
| Message attachments (photos) | Deleted with corresponding message |
| Listings deleted by member | Media removed immediately; final deletion of listing 180 days after |
| Listings sold / linked to an order | Retained as proof of transaction (up to 5 years / accounting obligations) |
| Reviews and ratings | Anonymisation after 5 years (rating and comment retained, author identity dissociated) |
| DAC7 and tax data | 10 years |
| Customs data | 5 years (Customs Code) |
| Technical logs (API errors) | 90 days (automatic daily purge) |
| Payment attempt log (anti-fraud) | 7 days (automatic daily purge) |
| Other security logs | 12 months maximum |
| Analytical cookies | 13 months maximum |
| Referral data | 3 years |
| Stripe KYC (identity documents) | Per Stripe obligations / 5 years |
| Push notification token (FCM) | Until deactivation or invalidation; expired tokens automatically purged |
Ongoing dispute or legal hold: any data necessary for dispute resolution, compliance with a legal obligation or a request from a competent authority is retained until the end of that obligation, by derogation from the periods above.
9. Your rights
In accordance with GDPR (EU residents) and, to the extent applicable, local data protection laws (non-EU residents), you have the following rights:
9.1 GDPR rights (EU residents)
- Access (art. 15) — receive a copy of your data
- Rectification (art. 16) — correct inaccurate data
- Erasure (art. 17) — deletion except where legal retention obligation applies
- Restriction (art. 18) — temporary suspension of processing
- Portability (art. 20) — export in structured format (JSON/CSV)
- Objection (art. 21) — objection to processing based on legitimate interest
- Withdrawal of consent — revocable at any time
9.2 Rights of non-EU residents
Toveria extends, to the extent possible, GDPR protections to non-EU residents. Residents of countries with specific legislation (Brazil LGPD, Thailand PDPA, Canada PIPEDA, California CCPA, etc.) may exercise the rights provided by their legislation by contacting dpo@toveria.com.
9.3 Exercising your rights
📧 dpo@toveria.com — Subject: [GDPR Rights] Your request
Response time: 30 days (extendable by 2 months for complex requests). A form of identification may be requested.
9.4 Recourse
CNIL — cnil.fr/fr/plaintes — CNIL, 3 place de Fontenoy, 75007 Paris
10. Cookies and tracers
Strictly necessary cookies (no consent required)
| Cookie | Purpose | Duration |
|---|---|---|
| Session auth | Maintain login | Session |
| User preferences | Language, display | 1 year |
| Cart / batch | Remember selection | Session |
| Security | CSRF, anti-fraud | Session |
Cookie consent (toveria_cookie_consent) | Remember your choice | 6 months |
Analytical cookies (with consent)
| Cookie | Purpose | Duration |
|---|---|---|
| Audience analysis | Service improvement | 13 months |
No analytical or advertising cookies are currently active: they will only be placed after your explicit consent.
For full details (categories, durations, withdrawal), see our Cookie Management Policy. Management is available at any time via the "Manage cookies" button (menu and bottom of each legal page).
11. Data security
- Encryption in transit: HTTPS / TLS 1.3
- Encryption at rest: Supabase database encrypted
- Authentication: email OTP + SMS OTP + TOTP (2FA)
- Access control: Row Level Security (RLS) Supabase
- Payments: Stripe PCI DSS Level 1
- Restricted access: personal data accessible only to authorised employees
- Logging: security logs retained for 12 months
- Anti-fraud: Stripe Radar, referral controls, sanctions verification
In the event of a data breach likely to create a risk, Toveria will inform you within 72 hours.
12. Data of minors
The platform is reserved for persons aged 18 and over. Report: dpo@toveria.com.
13. Modifications
Substantial modifications are notified by email with 30 days notice.
14. Contact
📧 dpo@toveria.com — Data protection
📧 dpo@toveria.com — Data Protection Officer
Toveria — European BtoC, CtoC, CtoB and BtoB marketplace
SIRET: [To be completed] — CNIL registration no.: [To be completed]
Last updated: June 2026
French version — in case of discrepancy with a translation, the French version prevails.