Privacy Policy
Version 1.0·Effective November 20, 2025
BM-PRIVACY-v1.0
Want to exercise your data rights?
You can request access, rectification, erasure, restriction, portability, or object to marketing — see the summary on the Legal page.
View your data rights →1. INTRODUCTION
1.1 About This Policy
This Privacy Policy explains how Berry Marketplace ("we," "us," "our"), operated by Nuvagra S.R.L., collects, uses, stores, and protects your personal data when you use our platform.
This Privacy Policy is a standalone legal document that you must accept separately during registration.
Your acceptance of this policy is recorded with your typed name, timestamp, and IP address.
1.2 Data Controller
Nuvagra S.R.L. is the data controller for personal data processed through Berry Marketplace.
Contact Details:
- Company: Nuvagra S.R.L.
- CUI: RO52940093
- Trade Registry: J2025089412007
- EUID: ROONRC.J2025089412007
- Address: Strada Pădurii, Nr. 6, Bl. IAS, Scara B, Ap. 1, Iași, Județul Iași, Romania
- Email: support@berry-marketplace.com
- Data Protection Officer: support@berry-marketplace.com
1.3 Legal Framework
We process personal data in accordance with:
- EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- Romanian Law No. 190/2018 on GDPR implementation
- ePrivacy Directive (2002/58/EC)
- Romanian Law 506/2004 on electronic communications privacy
2. DATA WE COLLECT
2.1 Account Registration Data
| Data Type | Examples | Purpose |
|---|---|---|
| Personal Information | Name, email, phone number | Account creation, communication |
| Company Information | Legal name, registration number, VAT number | Verification, invoicing |
| Address Information | Registered address, delivery addresses | Verification, logistics |
| Role Information | Job title, department | Authorization levels |
2.2 Verification Data
| Data Type | Examples | Purpose |
|---|---|---|
| Identity Documents | Passport, ID card (via Sumsub) | KYB verification |
| Company Documents | Registration certificates, VAT certificates | Company verification |
| Certifications | Food safety certificates, organic certifications | Product compliance |
2.3 Transaction Data
| Data Type | Examples | Purpose |
|---|---|---|
| Listings | LOTs, RFQs, Tender Requests | Platform functionality |
| Offers | Prices, quantities, terms | Trade execution |
| Contracts | Signed contracts, amendments | Legal record-keeping |
| Communications | Messages between parties | Transaction support |
2.4 Technical Data
| Data Type | Examples | Purpose |
|---|---|---|
| Device Information | IP address, browser type, device type | Security, analytics |
| Usage Data | Pages visited, features used, timestamps | Service improvement |
| Log Data | Login times, actions performed | Security, audit trails |
| Signature Metadata | Signing timestamps, IP addresses, typed names | Legal validity |
2.5 Financial Data
| Data Type | Examples | Purpose |
|---|---|---|
| Billing Information | Company billing details | Commission invoicing |
| Payment Methods | Card details (processed by Stripe) | Commission payment |
| Transaction History | Invoices, payments | Financial records |
2.6 Consent Records
| Data Type | Examples | Purpose |
|---|---|---|
| T&C Acceptance | Typed name, timestamp, IP, checkboxes | Legal compliance |
| Privacy Policy Acceptance | Typed name, timestamp, IP | GDPR compliance |
| Marketing Consent | Opt-in/opt-out status, timestamp | Marketing compliance |
| Cookie Preferences | Category selections, timestamp | ePrivacy compliance |
3. HOW WE USE YOUR DATA
3.1 Legal Bases for Processing
| Purpose | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Account operation | Contract performance (Art. 6(1)(b)) | Required to provide services |
| Transaction processing | Contract performance (Art. 6(1)(b)) | Required to facilitate trades |
| Commission billing | Contract performance (Art. 6(1)(b)) | Required to collect fees |
| KYB verification | Legal obligation (Art. 6(1)(c)) | Anti-money laundering compliance |
| Security monitoring | Legitimate interest (Art. 6(1)(f)) | Platform and user protection |
| Service improvement | Legitimate interest (Art. 6(1)(f)) | Better user experience |
| Risk profiling | Legitimate interest (Art. 6(1)(f)) | Platform integrity |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with explicit opt-in |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Regulatory requirements |
3.2 Specific Uses
Platform Operation:
- Creating and managing your account
- Processing listings, offers, and contracts
- Facilitating communication between trading parties
- Providing quality control workflows
- Generating and storing contracts
Verification & Security:
- Verifying company and user identity
- Preventing fraud and unauthorized access
- Maintaining audit trails
- Ensuring platform integrity
Risk Profiling & Platform Integrity:
- Assessing counterparty risk
- Detecting fraud and abuse patterns
- Calculating reputation scores
- Identifying suspicious activities
- Protecting the platform ecosystem
Commercial Purposes:
- Calculating and collecting Commission
- Generating invoices and receipts
- Managing subscription and premium features
Communication:
- Sending transaction notifications (required)
- Providing customer support (required)
- Sending service updates (required)
- Sending marketing communications (consent-based, optional)
Analytics & Improvement:
- Analyzing platform usage patterns
- Improving user experience
- Developing new features
- Market research (anonymized)
4. MARKETING COMMUNICATIONS
4.1 Consent Requirement
Marketing communications require your separate, explicit consent. Marketing consent is:
- Optional – Not required for registration or platform use
- Specific – Separate from T&C and Privacy Policy acceptance
- Revocable – Can be withdrawn at any time
- Recorded – Your consent decision is logged with timestamp
4.2 What Marketing Includes
With your consent, we may send:
- Product updates and new features
- Industry news and market insights
- Promotional offers and discounts
- Partner offers (only from Berry Marketplace, not third parties)
- Invitations to events and webinars
4.3 What Marketing Does NOT Include
The following are NOT marketing and do not require consent:
- Transaction confirmations and notifications
- Security alerts and account notifications
- Contract and delivery reminders
- QC and dispute communications
- Invoice and payment reminders
- Required legal or regulatory notices
- Customer support responses
4.4 Managing Marketing Preferences
You can manage marketing preferences:
- During registration (opt-in checkbox)
- In Account Settings at any time
- Via unsubscribe links in any marketing email
- By contacting support@berry-marketplace.com
4.5 Withdrawal of Consent
You may withdraw marketing consent at any time. Withdrawal:
- Takes effect immediately
- Does not affect your account or platform access
- Does not affect lawfulness of processing before withdrawal
- Is logged for compliance records
5. DATA SHARING
5.1 Trading Counterparties
When you enter into transactions, we share relevant information with your trading counterparties:
| Data Shared | Purpose |
|---|---|
| Company name and details | Contract formation |
| Contact information | Transaction coordination |
| Delivery addresses | Logistics |
| Quality certifications | Compliance verification |
| Reputation scores | Trust and transparency |
5.2 Service Providers
| Provider Category | Provider | Purpose | Data Shared |
|---|---|---|---|
| Verification | Sumsub | KYB verification | Identity documents, company data |
| Payments | Stripe | Commission processing | Billing information, payment methods |
| Database | Supabase | Data hosting | All platform data (encrypted) |
| Resend | Email delivery | Email addresses, notification content | |
| Hosting | Vercel | Application hosting | Technical data, logs |
5.3 Legal Disclosures
We may disclose data when required by:
- Court orders or legal process
- Regulatory authorities (e.g., ANSPDCP, financial regulators)
- Law enforcement agencies
- Tax authorities (for Commission invoicing)
5.4 Regulatory Cooperation & Financial Crime Prevention
We may share data with:
- Anti-money laundering authorities
- Fraud prevention agencies
- Financial crime investigation units
- Sanctions screening services
This sharing is based on legal obligation or legitimate interest in preventing financial crime.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets:
- Personal data may be transferred to the successor entity
- We will notify you before your data is transferred
- The successor must honor existing privacy commitments
- You may object to the transfer
6. INTERNATIONAL TRANSFERS
6.1 Transfer Locations
Your data may be processed in:
- Romania (primary data center)
- European Union (Supabase EU region)
- United States (certain service providers with appropriate safeguards)
6.2 Transfer Safeguards
For transfers outside the EU/EEA, we ensure protection through:
- EU Standard Contractual Clauses (SCCs)
- Data Processing Agreements with all providers
- Technical and organizational security measures
- Adequacy decisions where applicable
7. DATA RETENTION
7.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Duration of account + 7 years | Legal/tax requirements |
| Contract Data | 10 years from contract date | Commercial law requirements |
| Signature Records | 10 years | eIDAS compliance |
| Consent Records | 10 years | GDPR accountability |
| Transaction Logs | 10 years | Audit requirements |
| Communication Records | 7 years | Dispute resolution |
| Technical Logs | 90 days | Security monitoring |
| Marketing Preferences | Until consent withdrawn + 3 years | Compliance records |
7.2 KYB Rejection Data
If your KYB verification is rejected:
- Partial account data is retained for 3 years
- Reason: Fraud prevention and regulatory compliance
- You may request deletion after 3 years
7.3 Deletion
Upon account termination:
- Active data is archived
- Data is retained for required periods
- Data is securely deleted after retention periods expire
- Anonymized data may be retained indefinitely for analytics
8. YOUR RIGHTS
8.1 GDPR Rights
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data | Email support@berry-marketplace.com |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Account settings or email us |
| Erasure (Art. 17) | Request deletion of your data | Email support@berry-marketplace.com |
| Restriction (Art. 18) | Limit how we process your data | Email support@berry-marketplace.com |
| Portability (Art. 20) | Receive your data in structured format | Email support@berry-marketplace.com |
| Objection (Art. 21) | Object to processing based on legitimate interests | Email support@berry-marketplace.com |
| Withdraw Consent | Withdraw marketing consent at any time | Account settings or unsubscribe link |
| Complaint | Lodge a complaint with supervisory authority | See Section 8.4 |
8.2 Exercising Your Rights
To exercise your rights:
- Email: support@berry-marketplace.com
- Use the privacy settings in your account
- Contact our DPO: support@berry-marketplace.com
We will:
- Verify your identity before processing requests
- Respond within 30 days (extendable by 60 days for complex requests)
- Provide information free of charge (fees may apply for manifestly unfounded requests)
8.3 Limitations
Some rights may be limited where:
- We have legal obligations to retain data
- Data is necessary for contract performance
- Deletion would affect other parties' data
- Retention is required for legal claims
- National security or public interest applies
8.4 Supervisory Authority
You have the right to lodge a complaint with:
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
- Website: www.dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
- Email: anspdcp@dataprotection.ro
You may also complain to the supervisory authority in your country of residence or work.
9. DATA SECURITY
9.1 Technical Measures
We implement:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Secure authentication (multi-factor available)
- Regular security audits
- Intrusion detection and monitoring
- Access controls and logging
- Regular security testing
9.2 Organizational Measures
We maintain:
- Staff training on data protection
- Access limited to authorized personnel on need-to-know basis
- Confidentiality agreements with all staff
- Incident response procedures
- Regular security assessments
- Vendor security requirements
9.3 Breach Notification
In the event of a personal data breach:
- We will notify ANSPDCP within 72 hours where required
- We will notify affected individuals without undue delay if there is high risk
- We will document all breaches and remediation actions
- We will take steps to mitigate harm
10. COOKIES AND TRACKING
10.1 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Platform functionality, security | No (essential) |
| Functional | Remember preferences, settings | Yes |
| Analytics | Usage patterns, service improvement | Yes |
| Marketing | Targeted advertising (if applicable) | Yes |
10.2 Cookie Details
| Cookie | Category | Duration | Purpose |
|---|---|---|---|
| session_id | Necessary | Session | Authentication |
| csrf_token | Necessary | Session | Security |
| preferences | Functional | 1 year | User settings |
| analytics_id | Analytics | 2 years | Usage tracking |
10.3 Cookie Management
You can manage cookies through:
- Our cookie consent banner (shown on first visit)
- Browser settings
- Account privacy settings
10.4 Consent Withdrawal
You may withdraw cookie consent at any time via:
- Cookie settings in footer
- Browser cookie deletion
- Account privacy settings
11. AUTOMATED DECISION-MAKING
11.1 Automated Processes
| Process | Purpose | Human Review Available |
|---|---|---|
| Fraud detection | Security | Yes, on request |
| Risk scoring | Platform integrity | Yes, on request |
| Offer matching | Recommendations | Not applicable |
| Rating calculations | Reputation | Yes, for disputes |
| Commission calculations | Billing | Yes, for disputes |
11.2 Profiling
We create risk profiles based on:
- Transaction history
- QC claim patterns
- Payment behavior
- Verification results
These profiles affect:
- Search ranking visibility
- Access to certain features
- Risk warnings to counterparties
11.3 Your Rights
You have the right to:
- Obtain human review of automated decisions
- Express your point of view
- Contest decisions
Contact support@berry-marketplace.com to exercise these rights.
12. CHILDREN'S PRIVACY
Berry Marketplace is a B2B platform intended for business use. We do not knowingly collect data from individuals under 18.
If we discover we have collected data from a minor, we will delete it promptly.
13. CHANGES TO THIS POLICY
13.1 Notification
We will notify you of material changes to this policy by:
- Email notification to your registered address
- Prominent notice on the platform
- Requiring re-acceptance for significant changes (with typed name)
13.2 Review
We review this policy annually and update it as needed.
13.3 Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 20 November 2025 | Initial version |
14. CONTACT US
For privacy inquiries:
Email: support@berry-marketplace.com
Data Protection Officer: Email: support@berry-marketplace.com
Postal Address: Nuvagra S.R.L. Attn: Data Protection Officer Strada Pădurii, Nr. 6, Bl. IAS, Scara B, Ap. 1 Iași, Județul Iași, Romania
Supervisory Authority: Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
Website: www.dataprotection.ro
Access to Legal Documents:
- Current Privacy Policy: https://berry-marketplace.com/legal/privacy
- All legal documents: https://berry-marketplace.com/legal
- Document archive: https://berry-marketplace.com/legal/archive
15. ACCEPTANCE
By clicking "I Accept" and typing your full legal name, you acknowledge that you have read and understood this Privacy Policy.
Your acceptance is recorded with:
- Your typed full name
- Timestamp
- IP address
- Device information
This record serves as proof of your informed consent to our data practices.