Legal information
Privacy notice
GDPR privacy notice draft for a Germany-based B2B marketplace intermediary that stores data in Germany or the EU.
Last updated: 2026-06-15
Draft compliance notice
This privacy notice is a product implementation draft for lawyer review, not final legal advice. It must be completed with the final company details, service providers, data locations, retention schedule, and lawyer-reviewed wording before public launch.
Controller
The controller is the future German operating company of FromAsia Foods: [legal company name, address, representative, contact email to be added].
Suppliers and buyers normally act as independent controllers for their own business contacts and transaction records. If FromAsia Foods processes data strictly on behalf of another party, the role and data processing agreement must be reviewed separately.
Data we process
- Account data: name, company, role, email, phone, credentials, permissions.
- Registration and verification data: business licence files, VAT certificates, food-business registration evidence, review notes, approval status, rejection reasons, and reviewer metadata.
- B2B transaction data: enquiries, order requests, order status, buyer and supplier notes.
- Uploaded data: business licences, company logos, product images, supplier documents, certificates, company evidence, contact data, and HTTPS file references.
- Product and supplier content: product names, descriptions, images, SKUs, ingredients, allergens, storage instructions, delivery regions, profile text, and supplier storefront content.
- Technical data: IP address, browser/device data, login timestamps, security logs, necessary cookies.
- Notification data: account, transaction, approval, and security messages.
Purposes and legal bases
- Platform accounts, enquiries, order requests, and transaction notifications: GDPR Art. 6(1)(b).
- Company verification, supplier review, B2B trust, product integrity checks, and marketplace rule enforcement: GDPR Art. 6(1)(b) and Art. 6(1)(f), depending on the context.
- Tax, accounting, and commercial record obligations: GDPR Art. 6(1)(c).
- Security, fraud prevention, access control, B2B customer support, and diagnostics: GDPR Art. 6(1)(f).
- Consent-based processing: not used by default. Marketing email, advertising pixels, or non-essential analytics require a separate opt-in before use.
Order request model
The platform stores order requests, supplier confirmations, status updates, order notes, estimated delivery details, payment and delivery terms, and invoice links where suppliers provide them. Under the default launch model, FromAsia Foods does not process online payments, issue supplier invoices, or perform delivery fulfilment. Buyer and supplier transaction records may be retained for commercial documentation, support, compliance, and dispute handling.
No marketing newsletter
The platform does not send newsletters or promotional email by default. Email is limited to account, transaction, approval, operational, and security notices.
Data hosting and service providers
Production data is intended to be stored only in Germany or the European Union. Hosting, email, payment, customer support, CRM, and error-monitoring providers are not selected yet. Before any provider is connected, FromAsia Foods must record the provider, purpose, location, data categories, retention period, and data processing agreement status.
Uploads and backups must be included in the same provider review. Each processor must be covered by a data processing agreement where required. If a provider acts as an independent controller or joint controller, that role must be documented separately before production use.
US or other non-EU providers are not part of the default setup. If they are introduced later, transfer safeguards, standard contractual clauses (SCCs), and transfer impact assessment requirements must be reviewed first.
Default retention
- Account master data: active account lifetime, then 3 years after closure.
- Enquiries, order requests, and chat records: 6 years by default.
- Accounting, invoice, payment, and tax-relevant records: 10 years.
- Supplier documents and review files: active supplier lifetime, then 3 years, unless longer retention is legally required.
- Product images and product data: active listing lifetime, then 12 months, unless linked to historical orders.
- Transaction email records: 6 years; technical delivery logs: 30 to 90 days.
- Security and login logs: 90 days by default; records of security incidents may be retained for 180 days or up to 3 years after resolution.
Your rights
Users can request access, correction, deletion, restriction, portability, and objection where the GDPR grants those rights. Requests should be sent to the privacy contact email once the company contact details are final.
Requests should be logged with receipt date, requester identity check, affected account/company, action taken, response date, and any lawful reason for refusing or limiting a request.
Security incidents
Suspected personal-data breaches must be recorded, triaged, and escalated. The operator must assess whether notification to a supervisory authority, affected users, service providers, or business partners is required. The final incident-response owner and contact channel must be added before public launch.
Operational safeguards
- Admin actions for accounts, approvals, permissions, and orders should be audit logged.
- Supplier certificates and contact data may only be used for supplier review, transaction trust, and platform compliance.
- Uploaded documents and chats must not be retained indefinitely.
- Access to personal data must be role-based and limited to operational need.
- Exports, backups, and local support copies must be minimized, protected, and deleted when no longer needed.
Legal references
This notice is based on GDPR Articles 6 and 13 and the European Commission GDPR overview. Final text should be checked against the exact launch setup.