Privacy Policy

1. Introduction

Shutterclix is committed to protecting your privacy. This Privacy Policy explains how I collect, use, disclose, and safeguard your personal information when you use this marketplace platform.

This policy complies with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Service Name: Shutterclix

Operator: Individual hobby project

Location: Stockholm, Sweden

Contact: privacy@shutterclix.com

Shutterclix is operated by an individual as a hobby project. As the sole operator, I act as both the data controller and data protection contact for GDPR purposes.

3. Information We Collect

3.1 Account Information

When you register, we collect:

• Name: For identification and communication
• Email address: For account access and notifications
• Password: Stored as a hashed value (we never see your actual password)
• Phone number: For verification and security
• Profile photo: Optional, for user identification

3.2 Business Account Information

For business accounts, we additionally collect:

• VAT number: Validated via EU VIES system
• Company name: As registered with tax authorities
• Business address: For tax compliance and verification
• Company registration number: If applicable

3.3 Listing Information

• Product descriptions and titles
• Product images (stored on Bunny.net)
• Pricing and availability
• Product condition and specifications
• Serial numbers (if provided)

3.4 Transaction Information

• Purchase and sales history
• Offer negotiations and messages
• Shipping addresses
• Transaction amounts and dates
• Payment status (NOT payment card details - handled by Stripe)

3.5 Payment Information

Important: We do NOT store payment card information. All payment data is processed and stored by Stripe, our payment processor. We only receive:

• Last 4 digits of card (for your reference)
• Card brand (Visa, Mastercard, etc.)
• Payment status
• Stripe customer ID (encrypted reference)

3.6 Communication Data

• Messages between buyers and sellers
• Customer support inquiries
• Email correspondence
• Reviews and ratings

3.7 Technical Data

• IP address
• Browser type and version
• Device information
• Operating system
• Referring URLs
• Pages viewed and time spent
• Cookies and similar technologies (see Cookie Policy)

3.8 Verification Data

• Phone verification status and timestamps
• VAT validation results (for business accounts)
• Identity verification documents (if provided)
• Bank account information (stored by Stripe Connect)

4. How We Use Your Information

4.1 To Provide Services

• Create and manage your account
• Process transactions and payments
• Enable communication between users
• Display your listings to potential buyers
• Provide customer support

4.2 To Ensure Security and Prevent Fraud

• Verify user identities
• Detect and prevent fraudulent transactions
• Monitor for suspicious activity
• Enforce our Terms of Service
• Resolve disputes

4.3 To Improve Our Platform

• Analyze usage patterns and trends
• Improve search and recommendation algorithms
• Enhance user experience
• Test new features
• Fix bugs and technical issues

4.4 To Communicate With You

• Send transactional emails (order confirmations, shipping updates)
• Notify you of new messages or offers
• Provide customer support responses
• Send important account or policy updates
• Marketing communications (only with your consent)

4.5 Legal Compliance

• Comply with legal obligations (tax reporting, law enforcement requests)
• Validate VAT numbers via EU VIES
• Maintain transaction records as required by law
• Respond to legal processes

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your data based on:

5.1 Contract Performance

Processing necessary to provide our services and fulfill our contract with you (account management, transactions, customer support).

5.2 Legal Obligation

Processing required by law (VAT validation, tax reporting, maintaining transaction records, responding to legal requests).

5.3 Legitimate Interest

Processing necessary for our legitimate interests (fraud prevention, platform security, improving services, analytics) where not overridden by your rights.

5.4 Consent

Processing based on your explicit consent (marketing emails, optional features, cookies). You can withdraw consent at any time.

6. How We Share Your Information

6.1 With Other Users

When you create a listing or make a transaction:

• Buyers see your public profile, name, and ratings
• Transaction parties see each other's names, ratings, and shipping addresses
• Your messages are visible to the other party

6.2 With Service Providers

We share data with trusted third parties who help us operate:

Stripe (Payment Processing):

• Payment card information (processed directly by Stripe)
• Transaction amounts and details
• Bank account information for payouts
• Stripe Privacy Policy: https://stripe.com/privacy

Bunny.net (Image Hosting & CDN):

• Product images you upload
• Profile photos
• Bunny.net Privacy Policy: https://bunny.net/privacy

Twilio (Phone Verification - Optional):

• Phone numbers for SMS verification (if phone verification is enabled)
• Twilio Privacy Policy: https://www.twilio.com/legal/privacy

EU VIES (VAT Validation):

• VAT numbers for business account validation
• Company registration information

Scaleway (Email Service):

• Email addresses for transactional and notification emails
• Names for personalization
• Scaleway Privacy Policy: https://www.scaleway.com/en/privacy-policy/

6.3 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal process (subpoenas, court orders)
• Enforce our Terms of Service
• Protect the rights, property, or safety of Shutterclix, our users, or the public
• Investigate fraud or security issues

6.4 Business Transfers

If Shutterclix is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

6.5 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

7. International Data Transfers

Shutterclix operates primarily in the European Union. However, some of our service providers (Stripe) may process data in the United States or other countries. Bunny.net processes data within the EU (Slovenia).

When we transfer data outside the EU, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the EU Commission
• Service providers certified under EU-US Data Privacy Framework
• Adequate data protection as determined by the EU Commission

8. Data Retention

We retain your information for as long as necessary to:

• Active accounts: Duration of your account plus 30 days after deletion
• Transaction records: 7 years (required for tax/accounting compliance)
• Legal disputes: Until resolution plus applicable statute of limitations
• Marketing data: Until you withdraw consent or 2 years of inactivity
• Technical logs: 90 days for security and debugging

After retention periods expire, we securely delete or anonymize your data.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access

Request a copy of all personal data we hold about you. We will provide this within 30 days.

9.2 Right to Rectification

Correct any inaccurate or incomplete personal data. You can update most information in your account settings.

9.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, subject to legal retention requirements. Note:

• We must retain transaction records for 7 years (legal requirement)
• You cannot delete your account with active transactions
• Some data may be retained in anonymized form for analytics

9.4 Right to Data Portability

Receive your data in a structured, machine-readable format (JSON) and transfer it to another service.

9.5 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

9.6 Right to Restriction

Request that we limit how we use your data in certain circumstances (e.g., while disputing accuracy).

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time (e.g., unsubscribe from marketing emails).

9.8 Right to Lodge a Complaint

File a complaint with your local data protection authority if you believe we've mishandled your data.

Sweden: Integritetsskyddsmyndigheten (IMY) - www.imy.se

How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@shutterclix.com
• Data Export: Visit Account Settings → Privacy → Download My Data
• Account Deletion: Visit Account Settings → Privacy → Delete Account

We will respond within 30 days. We may need to verify your identity before processing requests.

10. Data Security

We implement industry-standard security measures to protect your data:

Technical Measures

• HTTPS encryption for all data in transit (TLS 1.3)
• Encrypted storage for sensitive data at rest
• Password hashing using bcrypt
• Regular security monitoring
• Rate limiting to prevent abuse

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, I will:

• Notify the Swedish Data Protection Authority (IMY) within 72 hours of becoming aware
• Notify affected users via email without undue delay
• Provide details about the nature of the breach and steps taken to mitigate harm
• Offer guidance on how you can protect yourself

Your Responsibilities

• Use a strong, unique password
• Keep your login credentials confidential
• Log out of shared devices
• Report suspicious activity immediately to privacy@shutterclix.com

Note: While I implement strong security measures, no system is 100% secure. I cannot guarantee absolute security of your data. As a hobby project, resources are limited compared to commercial platforms.

11. Cookies and Tracking

We use cookies and similar technologies. For detailed information, please see our Cookie Policy.

Types of Cookies We Use

• Essential: Required for authentication and security (cannot be disabled)
• Functional: Remember your preferences (language, currency)
• Analytics: Understand how you use our platform (can be disabled)
• Marketing: Deliver relevant ads (only with your consent)

You can manage cookie preferences in our cookie consent banner or your browser settings.

12. Children's Privacy

Shutterclix is not intended for users under 18 years old. We do not knowingly collect personal information from children.

If we discover that we have collected data from a child under 18, we will delete it immediately. If you believe we have collected such information, please contact us at privacy@shutterclix.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Updating the "Last Updated" date at the top of this policy
• Sending you an email notification (for significant changes)
• Displaying a prominent notice on the Platform

Continued use of the Platform after changes constitutes acceptance of the updated policy. For material changes, we may require your explicit consent.

14. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact:

Privacy & Data Protection: privacy@shutterclix.com

General Support: support@shutterclix.com

Shutterclix is operated by an individual as a hobby project based in Stockholm, Sweden. I respond to all privacy requests personally within the GDPR-required 30-day timeframe.