Privacy Policy
Last updated: 2026-02-15
At UMAPLACE, we place the utmost importance on the protection of your personal data. This privacy policy aims to inform you transparently about the collection, use and protection of your personal information in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).
1. Data Controller
The data controller for personal data is:
- [Company Name]
- Legal form: [Legal Form]
- Registration number: [SIRET/SIREN Number]
- Registered office address: [Address]
- Contact email: [Contact Email]
- Data Protection Officer (DPO): [DPO Name]
- DPO email: [DPO Email]
2. Personal Data Collected
In the course of using our marketplace platform, we collect the following categories of data:
Identity Data
Last name, first name, date of birth, postal address, email address, phone number
Account Data
Login credentials, password (encrypted), account preferences, login history
Transaction Data
Order history, transaction amounts, delivery information, billing details
Payment Data
Payment information (card number, expiration date) is processed directly by our payment provider Stripe. UMAPLACE never stores your complete banking data.
Technical Data
IP address, browser type, operating system, pages visited, visit duration, cookies
Seller Data (where applicable)
Business information, SIRET number, bank details for transfers (via Stripe Connect), product/service catalog
3. Purposes and Legal Bases for Processing
Your personal data is processed for the following purposes:
Contract Performance
- Management of your user account; Processing and tracking of your orders; Payment management via Stripe; Communications regarding your orders; Connecting buyers and sellers
Legitimate Interest
- Improvement of our services and user experience; Fraud prevention and platform security; Usage statistics and analytics; Customer support
Consent
- Sending newsletters and marketing communications via Brevo; Non-essential cookies (analytics, marketing); Content personalization
Legal Obligation
- Retention of billing data; Response to requests from competent authorities; Tax and accounting obligations
4. Sharing Data with Third Parties
Your personal data may be shared with the following service providers, strictly within the scope of the purposes described above:
Stripe (Payments)
Secure payment processing and seller account management via Stripe Connect. Stripe is PCI DSS Level 1 certified.
Supabase (Hosting and Database)
Platform hosting and data storage. Servers are located in the European Union (EU region).
Brevo (Transactional and Marketing Emails)
Sending order confirmation emails, notifications and newsletters. Brevo is GDPR compliant and based in France.
We never sell your personal data to third parties. We only share your data with service providers necessary for the operation of the platform.
5. Data Retention Periods
Your personal data is retained for the following periods:
- Account data: for the duration of your registration, then 3 years after your last activity
- Transaction data: 10 years from the transaction (accounting and tax obligation)
- Cookie data: maximum 13 months in accordance with CNIL recommendations
- Marketing data: 3 years after your last contact or interaction
- Connection logs: 1 year (legal obligation)
Upon expiration of these periods, your data is deleted or irreversibly anonymized.
6. Your Rights
In accordance with the GDPR, you have the following rights:
Right of Access
You may request a copy of all personal data we hold about you.
Right to Rectification
You may request the correction of inaccurate or incomplete data.
Right to Erasure
You may request the deletion of your personal data, subject to our legal retention obligations.
Right to Data Portability
You may receive your data in a structured, commonly used and machine-readable format.
Right to Restriction of Processing
You may request the restriction of processing of your data in certain cases.
Right to Object
You may object to the processing of your data on legitimate grounds, particularly for commercial prospecting.
Withdrawal of Consent
Where processing is based on your consent, you may withdraw it at any time.
To exercise your rights, you can contact us at: [Contact Email] or by mail at: [Address]. We commit to responding within one month. In case of dispute, you may file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés).
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure or destruction. These measures include:
- Data encryption in transit (HTTPS/TLS); Password encryption (bcrypt); Secure authentication via Supabase Auth; Row Level Security policies on the database; Restricted data access based on the principle of least privilege; Continuous monitoring and regular security audits
8. International Data Transfers
Your data is primarily hosted in the European Union. In the event that a transfer to a third country is necessary (for example, via certain Stripe services), we ensure that appropriate safeguards are in place in accordance with the GDPR (standard contractual clauses, adequacy decision, etc.).
9. Protection of Minors
Our platform is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
10. Policy Changes
We reserve the right to modify this privacy policy at any time. In the event of a substantial change, we will inform you by email or by a notice on our platform. The date of the last update is indicated at the top of this page.
11. Contact
For any questions regarding this privacy policy or the processing of your personal data, you can contact us:
- By email: [Contact Email]
- By mail: [Address]
- DPO: [DPO Email]
- In case of unresolved dispute, you may contact the CNIL: www.cnil.fr