GDPR Policy — Toveria
Version 2.0 — June 2026
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
European BtoC, CtoC, CtoB and BtoB Marketplace — Sales from Europe to the rest of the world
| |
|---|
| Data controller | Kamel DOURA (Toveria sole proprietorship) |
| Legal form | Sole proprietorship (EI) |
| Address | 12 Rue de la Part-Dieu, 69003 Lyon, France |
| SIRET | 978 781 227 00019 |
| RCS | 978 781 227 R.C.S. Lyon |
| VAT number | FR 45 978 781 227 |
| DPO Email | dpo@toveria.com |
| GDPR Email | dpo@toveria.com |
| Supervisory authority | CNIL — 3 place de Fontenoy, 75007 Paris — cnil.fr |
2. Data Protection Officer (DPO)
Toveria has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR.
DPO Contact:
📧 dpo@toveria.com
📮 Toveria — DPO (Kamel DOURA), 12 Rue de la Part-Dieu, 69003 Lyon, France
The DPO is your primary contact for any questions relating to the protection of your personal data. The DPO is also the contact point for the CNIL.
3. Record of processing activities (art. 30 GDPR)
3.1 User account management
| Field | Detail |
|---|
| Purpose | Account creation, authentication and management |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | First name, last name, email, telephone, date of birth, address, country, username, avatar |
| Recipients | Supabase (database host), Twilio (SMS verification) |
| Retention period | Account lifetime + 3 years after closure |
| Transfer outside EU | Twilio (United States) — SCCs EU |
3.2 Telephone identity verification (OTP)
| Field | Detail |
|---|
| Purpose | Verification of telephone number during registration and profile modification |
| Legal basis | Contract performance (art. 6.1.b) + partial KYC legal obligation |
| Data processed | Telephone number (E.164 format), verification timestamp |
| Recipients | Twilio Verify (United States) |
| Retention period | Account lifetime |
| Transfer outside EU | Twilio (United States) — SCCs EU |
3.3 Multi-factor authentication (2FA/TOTP)
| Field | Detail |
|---|
| Purpose | Account security enhancement |
| Legal basis | Legitimate interest — security (art. 6.1.f) |
| Data processed | TOTP secret (encrypted), backup codes (SHA-256 hashed), activation timestamp |
| Recipients | Supabase (encrypted storage) |
| Retention period | Account lifetime |
| Transfer outside EU | No |
3.4 Listing publication and management
| Field | Detail |
|---|
| Purpose | Publishing and managing sales listings |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Title, description, price, photos, videos, category, location (city, country), hashtags, item condition |
| Recipients | Supabase Storage (photos), Supabase CDN |
| Retention period | Duration of publication. After deletion by member: media removed immediately, listing permanently deleted at 180 days. Listing linked to an order: retained for 5 years (transaction proof). |
3.5 Transaction and payment processing
| Field | Detail |
|---|
| Purpose | Secure payment processing, escrow, seller transfers |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Amounts (item, fees, shipping), payment reference, order status, delivery address, buyer name, country |
| Recipients | Stripe Inc. (payments, seller KYC Connect) |
| Retention period | 10 years (Commercial Code) |
| Transfer outside EU | Stripe (United States) — SCCs EU + Privacy Shield 2.0 |
3.6 Seller KYC verification (Stripe Connect)
| Field | Detail |
|---|
| Purpose | Verification of seller identity for transfers (AML/CFT obligation) |
| Legal basis | Legal obligation (art. 6.1.c) — Anti-money laundering Directive |
| Data processed | Identity document, IBAN, SIRET, tax data — processed exclusively by Stripe |
| Recipients | Stripe Connect |
| Retention period | 5 years after Stripe Connect account closure (Stripe obligation) |
| Transfer outside EU | Stripe (United States) — SCCs EU |
3.7 Messaging and conversations
| Field | Detail |
|---|
| Purpose | Connecting buyers and sellers |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Text messages, shared photos, price offers, timestamp |
| Recipients | Supabase Realtime |
| Retention period | Active phase of 6 months after last message, then intermediate archiving with restricted access, then deletion: 24 months (without order) or 5 years (with order). |
| Transfer outside EU | No (EU servers) |
3.8 Transactional email notifications
| Field | Detail |
|---|
| Purpose | Sending order, shipment, offer notifications, etc. |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Email, first name, data of the relevant transaction |
| Recipients | Resend Inc. (United States) |
| Retention period | Send logs: 30 days |
| Transfer outside EU | Resend (United States) — SCCs EU |
3.9 Push notifications
| Field | Detail |
|---|
| Purpose | Sending web push notifications |
| Legal basis | Consent (art. 6.1.a) — optional, revocable |
| Data processed | Device identifier (OneSignal Player ID), notification preferences |
| Recipients | OneSignal Inc. (United States) |
| Retention period | Account lifetime |
| Transfer outside EU | OneSignal (United States) — SCCs EU |
3.10 DAC7 compliance — Tax declarations
| Field | Detail |
|---|
| Purpose | Annual declaration to the French tax authority (DGFiP) of sellers exceeding legal thresholds |
| Legal basis | Legal obligation (art. 6.1.c) — Directive (EU) 2021/514 |
| Data processed | First name, last name, address, date of birth, tax ID, SIRET, VAT, annual income, number of transactions |
| Recipients | DGFiP (France) |
| Retention period | 10 years |
| Transfer outside EU | No |
3.11 VAT verification (VIES)
| Field | Detail |
|---|
| Purpose | Verification of intra-Community VAT number validity |
| Legal basis | Legal obligation (art. 6.1.c) |
| Data processed | VAT number, verification result |
| Recipients | VIES API — European Commission |
| Retention period | Professional account lifetime |
| Transfer outside EU | No |
3.12 Reviews and ratings management
| Field | Detail |
|---|
| Purpose | Trust system between members |
| Legal basis | Legitimate interest (art. 6.1.f) |
| Data processed | Rating (1-5), comment, transaction reference, timestamp |
| Recipients | Supabase |
| Retention period | Anonymization after 5 years (rating and comment retained, author identity dissociated). |
| Transfer outside EU | No |
3.13 Referral program
| Field | Detail |
|---|
| Purpose | Management of referral rewards |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Referral code, referrer/referred identifier, reward history |
| Recipients | Supabase |
| Retention period | 3 years |
| Transfer outside EU | No |
3.14 Dispute system
| Field | Detail |
|---|
| Purpose | Mediation and resolution of disputes between buyers and sellers |
| Legal basis | Contract performance (art. 6.1.b) + legitimate interest |
| Data processed | Dispute reason, exchanged messages, provided evidence, resolution decision |
| Recipients | Supabase, Toveria moderation team |
| Retention period | 5 years after dispute closure |
| Transfer outside EU | No |
3.15 International sanctions verification
| Field | Detail |
|---|
| Purpose | Compliance with OFAC/EU/UN embargoes and sanctions |
| Legal basis | Legal obligation (art. 6.1.c) |
| Data processed | First name, last name, country (comparison against sanctions lists) |
| Recipients | OpenSanctions API (Europe) |
| Retention period | Alerts: 5 years |
| Transfer outside EU | No (European API) |
3.16 Security logs and fraud prevention
| Field | Detail |
|---|
| Purpose | Detection of fraudulent behavior and platform security |
| Legal basis | Legitimate interest (art. 6.1.f) |
| Data processed | IP address, connection timestamps, suspicious activities, Stripe Radar data |
| Recipients | Supabase, Stripe Radar |
| Retention period | Technical error logs: 90 days. Payment attempts (fraud prevention): 7 days. Daily automatic purge. Other security logs: 12 months. |
| Transfer outside EU | Stripe (United States) — SCCs EU |
3.17 Cookies and trackers
| Field | Detail |
|---|
| Purpose | Platform operation (mandatory) + audience analytics (optional) |
| Legal basis | Technical necessity (mandatory) / Consent (analytics) |
| Data processed | User session, preferences, analytics identifier |
| Recipients | Supabase (session), analytics service (if enabled) |
| Retention period | Session (functional) / 13 months max (analytics) |
| Transfer outside EU | Depending on analytics service used |
3.18 Marketing communications (optional)
| Field | Detail |
|---|
| Purpose | Sending newsletters and promotional communications |
| Legal basis | Consent (art. 6.1.a) — separate opt-in checkbox at registration |
| Data processed | Email, first name, communication preferences |
| Recipients | Resend Inc. |
| Retention period | Until unsubscribe + 3 years |
| Transfer outside EU | Resend (United States) — SCCs EU |
4. Processors (art. 28 GDPR)
All processors have signed a data processing agreement compliant with art. 28.
| Processor | Role | Country | Guarantee |
|---|
| Supabase Inc. | Database, auth, storage, realtime | 🇩🇪 Germany (eu-west-3) | GDPR DPA signed |
| Stripe Inc. | Payments, Billing, Connect, Radar | 🇺🇸 United States | SCCs EU + Privacy Shield 2.0 |
| Resend Inc. | Transactional emails | 🇺🇸 United States | SCCs EU |
| OneSignal Inc. | Push notifications | 🇺🇸 United States | SCCs EU |
| Vercel Inc. | Web application hosting | 🇺🇸/🇪🇺 | SCCs EU |
| Twilio Inc. | SMS OTP (Twilio Verify) | 🇺🇸 United States | SCCs EU |
| OpenSanctions | Sanctions list verification | 🇩🇪 Germany | Native GDPR |
5. Transfers outside the European Union (art. 44-49 GDPR)
Transfers to the United States are governed by:
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework — Adequacy decision of 10 July 2023
For each transfer, Toveria ensures that the processor provides sufficient data protection guarantees.
6. Rights of data subjects
6.1 Rights table
| Right | Legal basis | Conditions | Deadline |
|---|
| Access (art. 15) | — | Identification required | 30 days |
| Rectification (art. 16) | — | — | 30 days |
| Erasure (art. 17) | — | Except legal retention obligations | 30 days |
| Restriction (art. 18) | — | During dispute or complaint | 30 days |
| Portability (art. 20) | Contract or consent | JSON/CSV format | 30 days |
| Objection (art. 21) | Legitimate interest or public task | Legitimate grounds to assert | 30 days |
| Withdrawal of consent | Consent | At any time, no retroactive effect | Immediate |
| Post-mortem directives | French Data Protection Act | — | — |
6.2 How to exercise your rights
By email: dpo@toveria.com
Suggested subject: [GDPR Right] Your name — Type of request
By mail:
Toveria — GDPR Service
12 Rue de la Part-Dieu, 69003 Lyon, France
Identity document: a copy may be requested to verify your identity (scanned, without document number if preferred).
Response deadline: 30 calendar days. Extendable by 60 additional days for complex requests, with prior notice.
6.3 Right to lodge a complaint with the CNIL
If you believe your rights are not being respected:
CNIL — National Commission for Computing and Freedoms
🌐 cnil.fr/fr/plaintes
📮 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
📞 +33 (0)1 53 73 22 22
7. Retention periods
| Category | Period | Basis |
|---|
| Active account data | Account lifetime | Contract |
| Account data (after closure) | Deletion at closure (data subject to legal obligation retained separately) | Minimization / legal obligations |
| Transaction data | 10 years | Commercial Code (art. L.123-22) |
| BtoB invoices | 10 years | General Tax Code |
| DAC7 and tax data | 10 years | DAC7 Directive |
| Customs data | 5 years | Union Customs Code |
| Listings deleted by member | 180 days (media removed immediately) | Minimization |
| Listings sold / linked to order | Up to 5 years | Transaction proof |
| Conversations between members | 6 months active, then intermediate restricted archiving, then deletion at 24 months (without order) / 5 years (with order) | Minimization / civil limitation period |
| Reviews and ratings | Anonymization after 5 years | Legitimate interest |
| Disputes | 5 years after closure | Legal limitation period |
| Technical logs (API errors) | 90 days (daily auto purge) | Minimization |
| Payment attempts (fraud prevention) | 7 days (daily auto purge) | Minimization |
| Other security logs | 12 months | CNIL recommendation |
| KYC documents (Stripe) | 5 years | Stripe obligation / AML/CFT |
| Sanctions alerts | 5 years | Regulatory obligation |
| Analytics cookies | 13 months maximum | CNIL recommendation |
| Consents (marketing opt-in) | 3 years after last interaction | CNIL recommendation |
Intermediate archiving (CNIL): after their active phase, conversations move to an archive with restricted access (reserved for legal obligations / disputes) before final deletion.
Legal hold: any data linked to an open dispute, legal obligation or authority request is retained until the end of that obligation, as an exception to the periods above.
8. Data security (art. 32 GDPR)
8.1 Technical measures
| Measure | Implementation |
|---|
| Encryption in transit | HTTPS / TLS 1.3 on all communications |
| Encryption at rest | Supabase database encrypted (AES-256) |
| Database access control | Row Level Security (RLS) — access by row according to authenticated user |
| Authentication | Email OTP + SMS OTP mandatory at registration |
| Multi-factor authentication | TOTP (Google Authenticator compatible) — optional for users |
| 2FA backup codes | SHA-256 hashed in database |
| Payment data | Delegated to Stripe (PCI DSS Level 1) — never stored by Toveria |
| JWT tokens | Supabase Auth — limited lifetime |
| Session cleanup | Deletion of 15 localStorage keys + cookies on logout |
| Webhook signature verification | HMAC-SHA256 on all incoming webhooks (Stripe) |
8.2 Organizational measures
| Measure | Detail |
|---|
| Access to personal data | Limited to authorized employees only, according to least privilege principle |
| Training | GDPR awareness training for all staff with data access |
| Audit | Supabase RLS audit planned before commercial launch |
| Logging | Access logs for sensitive data retained 12 months |
| Penetration testing | Pentest planned before launch (budget €3,000-10,000) |
| Bug bounty | Responsible disclosure program in development |
8.3 Data breach notification procedure
In accordance with art. 33 GDPR, Toveria commits to notifying the CNIL within 72 hours of discovering a data breach likely to create a risk to the rights and freedoms of individuals.
If the breach is likely to create a high risk, individuals are also informed without undue delay (art. 34 GDPR).
Internal procedure:
- Detection → immediate DPO alert
- Risk assessment (< 4h)
- CNIL notification if necessary (< 72h)
- Individual notification if high risk (< 72h)
- Incident documentation (breach register)
9. Impact Assessment (DPIA — art. 35 GDPR)
A Data Protection Impact Assessment is required for processing presenting a high risk.
| Processing | DPIA required | Status |
|---|
| Sanctions verification (scoring) | Yes — profiling | ⏳ To be conducted |
| Tax data DAC7 | Yes — sensitive data + large scale | ⏳ To be conducted |
| Seller KYC (identity document) | Yes — potential biometric data | ⏳ Delegated to Stripe |
| Behavioral tracking (if analytics) | Yes — if deployed | To be assessed |
10. Data of minors
The Toveria platform is strictly reserved for persons aged 18 or over.
Date of birth is collected at registration to verify majority. Any registration of a minor results in immediate account deletion and associated data deletion.
Report: dpo@toveria.com — Subject: [Minor]
11. Cookies and trackers
Strictly necessary cookies (no consent required)
| Cookie | Purpose | Duration |
|---|
sb-auth-token | Supabase authentication session | Session / 1 week |
toveria-ref | Referral link | 30 days |
toveria-lang | Display language | 1 year |
toveria-mr-rates | Carrier rates (localStorage) | Until deletion |
Analytics cookies (with prior consent)
To be enabled only after implementation of a CNIL-compliant cookie banner (CNIL recommendation of 1 October 2020).
12. Modifications to this policy
Substantial modifications are notified by email with 30 days notice.
The date of last update appears in the header. Continued use of the platform after entry into force constitutes acceptance.
European BtoC, CtoC, CtoB and BtoB Marketplace — Sales from Europe to the rest of the world
Sales from Europe to the rest of the world
CNIL registration no.: [To be completed after declaration]
Last updated: June 2026
French version — in case of discrepancy with a translation, the French version prevails.
