GDPR Policy — Toveria
Version 2.0 — June 2026
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
European BtoC, CtoC, CtoB and BtoB Marketplace — Sales from Europe to the world
| |
|---|
| Data controller | Kamel DOURA (Toveria sole proprietorship) |
| Legal form | Sole proprietorship (EI) |
| Address | 12 Rue de la Part-Dieu, 69003 Lyon, France |
| SIRET | 978 781 227 00019 |
| RCS | 978 781 227 R.C.S. Lyon |
| VAT number | FR 45 978 781 227 |
| DPO email | dpo@toveria.com |
| GDPR email | dpo@toveria.com |
| Supervisory authority | CNIL — 3 place de Fontenoy, 75007 Paris — cnil.fr |
2. Data Protection Officer (DPO)
Toveria has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR.
DPO contact:
📧 dpo@toveria.com
📮 Toveria — DPO (Kamel DOURA), 12 Rue de la Part-Dieu, 69003 Lyon, France
The DPO is your primary contact for any questions relating to the protection of your personal data. The DPO is also the contact point for the CNIL.
3. Record of processing activities (art. 30 GDPR)
3.1 User account management
| Field | Detail |
|---|
| Purpose | Account creation, authentication and management |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | First name, surname, email, telephone, date of birth, address, country, username, avatar |
| Recipients | Supabase (database host), Twilio (SMS verification) |
| Retention period | Account lifetime + 3 years after closure |
| Transfer outside EU | Twilio (United States) — SCCs |
3.2 Telephone identity verification (OTP)
| Field | Detail |
|---|
| Purpose | Verification of telephone number during registration and profile modification |
| Legal basis | Contract performance (art. 6.1.b) + partial KYC legal obligation |
| Data processed | Telephone number (E.164 format), verification timestamp |
| Recipients | Twilio Verify (United States) |
| Retention period | Account lifetime |
| Transfer outside EU | Twilio (United States) — SCCs |
3.3 Multi-factor authentication (2FA/TOTP)
| Field | Detail |
|---|
| Purpose | Account security enhancement |
| Legal basis | Legitimate interest — security (art. 6.1.f) |
| Data processed | TOTP secret (encrypted), backup codes (SHA-256 hashed), activation timestamp |
| Recipients | Supabase (encrypted storage) |
| Retention period | Account lifetime |
| Transfer outside EU | No |
3.4 Listing publication and management
| Field | Detail |
|---|
| Purpose | Publication and management of sales listings |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Title, description, price, photos, videos, category, location (city, country), hashtags, item condition |
| Recipients | Supabase Storage (photos), Supabase CDN |
| Retention period | Duration of publication. After deletion by member: media removed immediately, listing permanently deleted at 180 days. Listing linked to an order: retained for 5 years (transaction proof). |
3.5 Transaction and payment processing
| Field | Detail |
|---|
| Purpose | Secure payment processing, escrow, seller transfers |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Amounts (item, fees, shipping), payment reference, order status, delivery address, buyer name, country |
| Recipients | Stripe Inc. (payments, seller KYC Connect) |
| Retention period | 10 years (Commercial Code) |
| Transfer outside EU | Stripe (United States) — SCCs + Privacy Shield 2.0 |
3.6 Seller KYC verification (Stripe Connect)
| Field | Detail |
|---|
| Purpose | Verification of seller identity for transfers (AML/CFT obligation) |
| Legal basis | Legal obligation (art. 6.1.c) — Anti-money laundering Directive |
| Data processed | Identity document, IBAN, SIRET, tax data — processed exclusively by Stripe |
| Recipients | Stripe Connect |
| Retention period | 5 years after Stripe Connect account closure (Stripe obligation) |
| Transfer outside EU | Stripe (United States) — SCCs |
3.7 Messaging and conversations
| Field | Detail |
|---|
| Purpose | Connection between buyers and sellers |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Text messages, shared photos, price offers, timestamp |
| Recipients | Supabase Realtime |
| Retention period | Active phase of 6 months after last message, then intermediate archiving with restricted access, then deletion: 24 months (without order) or 5 years (with order). |
| Transfer outside EU | No (EU servers) |
3.8 Transactional email notifications
| Field | Detail |
|---|
| Purpose | Sending order, shipment, offer notifications, etc. |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Email, first name, data of the relevant transaction |
| Recipients | Resend Inc. (United States) |
| Retention period | Send logs: 30 days |
| Transfer outside EU | Resend (United States) — SCCs |
3.9 Push notifications
| Field | Detail |
|---|
| Purpose | Sending web push notifications |
| Legal basis | Consent (art. 6.1.a) — optional, revocable |
| Data processed | Device identifier (OneSignal Player ID), notification preferences |
| Recipients | OneSignal Inc. (United States) |
| Retention period | Account lifetime |
| Transfer outside EU | OneSignal (United States) — SCCs |
3.10 DAC7 compliance — Tax declarations
| Field | Detail |
|---|
| Purpose | Annual declaration to the DGFiP of sellers exceeding legal thresholds |
| Legal basis | Legal obligation (art. 6.1.c) — Directive (EU) 2021/514 |
| Data processed | First name, surname, address, date of birth, NIF, SIRET, VAT, annual income, number of transactions |
| Recipients | DGFiP (France) |
| Retention period | 10 years |
| Transfer outside EU | No |
3.11 VAT verification (VIES)
| Field | Detail |
|---|
| Purpose | Verification of intra-community VAT number validity |
| Legal basis | Legal obligation (art. 6.1.c) |
| Data processed | VAT number, verification result |
| Recipients | VIES API — European Commission |
| Retention period | Professional account lifetime |
| Transfer outside EU | No |
3.12 Reviews and ratings management
| Field | Detail |
|---|
| Purpose | Trust system between members |
| Legal basis | Legitimate interest (art. 6.1.f) |
| Data processed | Rating (1-5), comment, transaction reference, timestamp |
| Recipients | Supabase |
| Retention period | Anonymisation after 5 years (rating and comment retained, author identity dissociated). |
| Transfer outside EU | No |
3.13 Referral programme
| Field | Detail |
|---|
| Purpose | Management of referral rewards |
| Legal basis | Contract performance (art. 6.1.b) |
| Data processed | Referral code, referrer/referee identifier, reward history |
| Recipients | Supabase |
| Retention period | 3 years |
| Transfer outside EU | No |
3.14 Dispute system
| Field | Detail |
|---|
| Purpose | Mediation and resolution of disputes between buyers and sellers |
| Legal basis | Contract performance (art. 6.1.b) + legitimate interest |
| Data processed | Dispute reason, exchanged messages, evidence provided, resolution decision |
| Recipients | Supabase, Toveria moderation team |
| Retention period | 5 years after dispute closure |
| Transfer outside EU | No |
3.15 International sanctions verification
| Field | Detail |
|---|
| Purpose | Compliance with OFAC/EU/UN embargoes and sanctions |
| Legal basis | Legal obligation (art. 6.1.c) |
| Data processed | First name, surname, country (comparison with sanctions lists) |
| Recipients | OpenSanctions API (Europe) |
| Retention period | Alerts: 5 years |
| Transfer outside EU | No (European API) |
3.16 Security logs and fraud prevention
| Field | Detail |
|---|
| Purpose | Detection of fraudulent behaviour and platform security |
| Legal basis | Legitimate interest (art. 6.1.f) |
| Data processed | IP address, connection timestamps, suspicious actions, Stripe Radar data |
| Recipients | Supabase, Stripe Radar |
| Retention period | Technical error logs: 90 days. Payment attempts (fraud prevention): 7 days. Daily automatic purge. Other security logs: 12 months. |
| Transfer outside EU | Stripe (United States) — SCCs |
3.17 Cookies and trackers
| Field | Detail |
|---|
| Purpose | Platform operation (mandatory) + audience analytics (optional) |
| Legal basis | Technical necessity (mandatory) / Consent (analytics) |
| Data processed | User session, preferences, analytics identifier |
| Recipients | Supabase (session), analytics service (if enabled) |
| Retention period | Session (functional) / 13 months max (analytics) |
| Transfer outside EU | Depending on analytics service used |
3.18 Marketing communications (optional)
| Field | Detail |
|---|
| Purpose | Sending newsletters and promotional communications |
| Legal basis | Consent (art. 6.1.a) — separate opt-in checkbox at registration |
| Data processed | Email, first name, communication preferences |
| Recipients | Resend Inc. |
| Retention period | Until unsubscribe + 3 years |
| Transfer outside EU | Resend (United States) — SCCs |
4. Sub-processors (art. 28 GDPR)
All sub-processors have signed a data processing agreement compliant with art. 28.
| Sub-processor | Role | Country | Guarantee |
|---|
| Supabase Inc. | Database, auth, storage, realtime | 🇩🇪 Germany (eu-west-3) | GDPR DPA signed |
| Stripe Inc. | Payments, Billing, Connect, Radar | 🇺🇸 United States | SCCs + Privacy Shield 2.0 |
| Resend Inc. | Transactional emails | 🇺🇸 United States | SCCs |
| OneSignal Inc. | Push notifications | 🇺🇸 United States | SCCs |
| Vercel Inc. | Web application hosting | 🇺🇸/🇪🇺 | SCCs |
| Twilio Inc. | SMS OTP (Twilio Verify) | 🇺🇸 United States | SCCs |
| OpenSanctions | Sanctions list verification | 🇩🇪 Germany | Native GDPR |
5. Transfers outside the European Union (art. 44-49 GDPR)
Transfers to the United States are governed by:
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework — Adequacy decision of 10 July 2023
For each transfer, Toveria ensures that the sub-processor provides sufficient data protection guarantees.
6. Rights of data subjects
6.1 Rights table
| Right | Legal basis | Conditions | Deadline |
|---|
| Access (art. 15) | — | Identification required | 30 days |
| Rectification (art. 16) | — | — | 30 days |
| Erasure (art. 17) | — | Except legal retention obligations | 30 days |
| Restriction (art. 18) | — | During dispute or complaint | 30 days |
| Portability (art. 20) | Contract or consent | JSON/CSV format | 30 days |
| Objection (art. 21) | Legitimate interest or public task | Legitimate grounds to assert | 30 days |
| Withdrawal of consent | Consent | At any time, without retroactive effect | Immediate |
| Post-mortem directives | French Data Protection Act | — | — |
6.2 How to exercise your rights
By email: dpo@toveria.com
Suggested subject: [GDPR Right] Your name — Type of request
By post:
Toveria — GDPR Service
12 Rue de la Part-Dieu, 69003 Lyon, France
Identity document: a copy may be requested to verify your identity (scanned, without document number if preferred).
Response deadline: 30 calendar days. Extendable by 60 additional days for complex requests, with prior notice.
6.3 Right to lodge a complaint with the CNIL
If you believe your rights are not being respected:
CNIL — National Commission for Computing and Freedoms
🌐 cnil.fr/en/complaints
📮 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
📞 +33 (0)1 53 73 22 22
7. Retention periods
| Category | Period | Basis |
|---|
| Active account data | Account lifetime | Contract |
| Account data (after closure) | Deletion at closure (data under legal obligation retained separately) | Minimisation / legal obligations |
| Transaction data | 10 years | Commercial Code (art. L.123-22) |
| BtoB invoices | 10 years | General Tax Code |
| DAC7 and tax data | 10 years | DAC7 Directive |
| Customs data | 5 years | Union Customs Code |
| Listings deleted by member | 180 days (media removed immediately) | Minimisation |
| Listings sold / linked to an order | Up to 5 years | Transaction proof |
| Conversations between members | 6 months active, then intermediate restricted archiving, then deletion at 24 months (without order) / 5 years (with order) | Minimisation / civil limitation period |
| Reviews and ratings | Anonymisation after 5 years | Legitimate interest |
| Disputes | 5 years after closure | Legal limitation period |
| Technical logs (API errors) | 90 days (daily auto purge) | Minimisation |
| Payment attempts (fraud prevention) | 7 days (daily auto purge) | Minimisation |
| Other security logs | 12 months | CNIL recommendation |
| KYC documents (Stripe) | 5 years | Stripe obligation / AML/CFT |
| Sanctions alerts | 5 years | Regulatory obligation |
| Analytics cookies | 13 months maximum | CNIL recommendation |
| Consents (marketing opt-in) | 3 years after last interaction | CNIL recommendation |
Intermediate archiving (CNIL): after their active phase, conversations move to restricted access archive (reserved for legal obligations / disputes) before final deletion.
Legal hold: any data linked to an open dispute, legal obligation or authority request is retained until the end of that obligation, by derogation from the periods above.
8. Data security (art. 32 GDPR)
8.1 Technical measures
| Measure | Implementation |
|---|
| Encryption in transit | HTTPS / TLS 1.3 on all communications |
| Encryption at rest | Supabase database encrypted (AES-256) |
| Database access control | Row Level Security (RLS) — access by row according to authenticated user |
| Authentication | Email OTP + SMS OTP mandatory at registration |
| Multi-factor authentication | TOTP (Google Authenticator compatible) — optional for users |
| 2FA backup codes | SHA-256 hashed in database |
| Payment data | Delegated to Stripe (PCI DSS Level 1) — never stored by Toveria |
| JWT tokens | Supabase Auth — limited lifetime |
| Session cleanup | Deletion of 15 localStorage keys + cookies on logout |
| Webhook signature verification | HMAC-SHA256 on all incoming webhooks (Stripe) |
8.2 Organisational measures
| Measure | Detail |
|---|
| Access to personal data | Limited to authorised employees only, on least privilege basis |
| Training | GDPR awareness training for all staff with data access |
| Audit | Supabase RLS audit planned before commercial launch |
| Logging | Access logs for sensitive data retained 12 months |
| Penetration testing | Pentest planned before launch (budget €3,000-10,000) |
| Bug bounty | Responsible disclosure programme in development |
8.3 Data breach notification procedure
In accordance with art. 33 GDPR, Toveria commits to notify the CNIL within 72 hours of discovering a data breach likely to result in a risk to the rights and freedoms of individuals.
If the breach is likely to result in a high risk, data subjects are also informed without undue delay (art. 34 GDPR).
Internal procedure:
- Detection → immediate DPO alert
- Risk assessment (< 4h)
- CNIL notification if necessary (< 72h)
- Data subject notification if high risk (< 72h)
- Incident documentation (breach register)
9. Impact Assessment (DPIA — art. 35 GDPR)
A Data Protection Impact Assessment is required for processing presenting a high risk.
| Processing | DPIA required | Status |
|---|
| Sanctions verification (scoring) | Yes — profiling | ⏳ To be carried out |
| Tax data DAC7 | Yes — sensitive data + large scale | ⏳ To be carried out |
| Seller KYC (identity document) | Yes — potential biometric data | ⏳ Delegated to Stripe |
| Behavioural tracking (if analytics) | Yes — if deployed | To be assessed |
10. Minors' data
The Toveria platform is strictly reserved for persons aged 18 and over.
Date of birth is collected at registration to verify majority. Any registration of a minor results in immediate account deletion and associated data deletion.
Report: dpo@toveria.com — Subject: [Minor]
11. Cookies and trackers
Strictly necessary cookies (no consent required)
| Cookie | Purpose | Duration |
|---|
sb-auth-token | Supabase authentication session | Session / 1 week |
toveria-ref | Referral link | 30 days |
toveria-lang | Display language | 1 year |
toveria-mr-rates | Carrier rates (localStorage) | Until deletion |
Analytics cookies (with prior consent)
To be enabled only after implementation of a CNIL-compliant cookie banner (CNIL recommendation of 1 October 2020).
12. Modifications to this policy
Substantial modifications are notified by email with 30 days notice.
The date of last update appears in the header. Continued use of the platform after entry into force constitutes acceptance.
European BtoC, CtoC, CtoB and BtoB Marketplace — Sales from Europe to the world
Sales from Europe to the world
CNIL registration number: [To be completed after declaration]
Last updated: June 2026
English version — in case of discrepancy with a translation, the French version prevails.
