Skip to main content
ACME Marketplace
Sign inCreate account
Legal · Privacy

Privacy policy.

This policy describes what data Rekyndo collects, why, how long we retain it, and the rights you have under the GDPR. It applies to rekyndo.com and our platform APIs.

Last updated: 2026-04-23
Effective from: 2026-05-01
Version: 4.0

1. Who we are

My Company(“we”, “us”, “our”) is a private limited company that operates an industrial B2B marketplace at rekyndo.com. We act as a data controller for personal data relating to our customers and visitors.

We comply with the General Data Protection Regulation (GDPR) and data protection laws. By using our services, you accept the collection and use of information in accordance with this policy.

2. What data we collect

We collect the following categories of personal data, organised by how you interact with us:

Account & organization data

  • Name, work email, telephone, job title
  • Organization legal name, VAT number, registered address
  • Identity verification documents (Stripe Identity)
  • Banking details for payouts (via Stripe Connect)

Transaction data

  • Listings, orders, bids, offers, tenders, messages between parties
  • Payment records, payout schedules, dispute records
  • Shipping addresses and customs declarations for cross-border orders

Usage data

  • IP address, browser, device, session logs, page views
  • API request logs and authentication events
  • Cookie preferences (see our Cookie policy)

3. Why we process

We use your data only for specific, named purposes:

  • Providing the service — accounts, verification, listings, orders, payouts.
  • Trust & safety — fraud detection, KYC/AML, sanctions screening, disputes.
  • Operating transactions — payments via Stripe, invoicing, customs documents.
  • Improving the product — aggregate analytics, A/B testing (anonymised).
  • Customer support — responding to tickets, investigating issues.
  • Legal & regulatory — tax, sanctions, CSRD reporting on your behalf.

We do not sell your personal data. Ever.

Plain-English summary
We collect data to run the marketplace, prevent fraud, process payments, and satisfy the law. We share only with sub-processors necessary to operate; never with advertisers or data brokers.

4. Legal bases (GDPR Art. 6)

Our processing is grounded in the following GDPR legal bases:

  • Contract (Art. 6(1)(b)) — for providing the marketplace service to your organization.
  • Legal obligation (Art. 6(1)(c)) — for KYC/AML, tax, sanctions, accounting retention.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, service improvement, security.
  • Consent (Art. 6(1)(a)) — optional marketing emails and non-essential cookies.

5. Sharing & sub-processors

We share personal data only with vetted sub-processors under a Data Processing Agreement. Our current list:

  • Stripe Payments Europe Ltd. — payments, payouts, identity verification
  • Vercel Inc. — application hosting and edge compute
  • Cloudflare Inc. — CDN, DDoS protection, web security
  • Sentry.io (Functional Software Inc.) — error monitoring (EU region)
  • Configurable email provider (Resend, Mailjet, or SMTP per tenant) — transactional email

Visit your account settings or contact us for the dated current list. We notify customers 30 days before any material change.

6. International transfers

Personal data is stored within the European Economic Area. Where a sub-processor operates outside the EEA (currently: Stripe, Cloudflare, Sentry), transfers are made under the European Commission’s Standard Contractual Clauses (2021/914) and supplemented by the safeguards described in our Data Processing Addendum.

7. How long we keep your data

  • Account data — for the lifetime of your account, then 30 days after closure
  • Transaction records — up to 10 years (fiscal retention requirement, jurisdiction-dependent)
  • KYC records — 5 years after the end of the business relationship (AML rules)
  • Support tickets — 3 years
  • Server logs — 90 days
  • Marketing preferences — until withdrawn

8. Your rights

Under GDPR you can exercise the following rights free of charge:

  • Access — a copy of your personal data
  • Rectification — correction of inaccurate data
  • Erasure — deletion (subject to legal retention)
  • Restriction — pause processing in specific circumstances
  • Portability — machine-readable export of data you provided
  • Objection — to legitimate-interest processing
  • Complaint — with the

Email [email protected]. We respond within 30 days.

9. Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is least-privilege via PostgreSQL row-level security (RLS) and per-environment role boundaries. We run regular security reviews, log every admin action via the audit trail, and report confirmed breaches to the supervisory authority within 72 hours per Art. 33.

10. Contact & DPO

Data Protection Officer: [email protected]. Postal: My Company, attn. DPO, .

We may update this Privacy Policy from time to time. Significant changes are communicated by email and posted with an updated “Last updated” date. Continued use of our services after changes constitutes acceptance of the revised policy.

See also: Terms of Service · Cookie policy.