Privacy Policy
Last updated: February 2026
1. Introduction
Kiweal ("we", "our") is committed to protecting the privacy of its users. This policy describes how we collect, use, and protect your personal data in accordance with GDPR.
Data Controller:
Kiweal
30 rue de Courcelles, 51100 Reims, France
Email: support@kiweal.com
2. Data Collected
2.1 Registration Data
- First and last name
- Email address
- Password (hashed)
2.2 Profile Data
- Display name
- Shipping address
- Phone number (optional)
2.3 Verification Data (KYC)
For sellers and buyers, via Stripe Identity:
- ID document
- Photo (selfie)
- Verification result
Note: This data is processed by Stripe. Kiweal does not store identity documents.
2.4 Transaction Data
- Purchase and sale history
- Transaction amounts and dates
- Shipping addresses
2.5 Banking Data (Sellers)
- IBAN (for payouts)
Note: Buyer credit card data is processed directly by Stripe. Kiweal has no access to it.
2.6 Browsing Data
- IP address
- Pages visited
- Session duration
- Browser and device type
3. Processing Purposes
| Purpose | Legal Basis |
|---|---|
| Account management | Contract performance |
| Transaction processing | Contract performance |
| Identity verification (KYC) | Legal obligation |
| Fraud prevention | Legitimate interest |
| Service improvement | Legitimate interest |
| Communication (transactional emails) | Contract performance |
| Anonymized statistics | Legitimate interest |
4. Data Sharing
4.1 Service Providers
We share your data with:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) |
| Stripe | Payments, KYC | USA (Privacy Shield) |
| Resend | Transactional emails | USA |
| Vercel | Hosting, analytics | USA |
4.2 Other Users
During a transaction, the following information is shared:
- To seller: No buyer personal data (Kiweal handles final shipping)
- To buyer: No seller personal data
4.3 Authorities
We may disclose your data if required by law (fraud, money laundering, court order).
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account | Duration of relationship |
| Deleted account | 3 years (legal obligations) |
| Transactions | 10 years (accounting obligations) |
| Connection logs | 1 year |
| Verification photos (cards) | 6 months |
6. Your Rights
Under GDPR, you have the following rights:
6.1 Right of Access
Obtain a copy of your personal data.
6.2 Right to Rectification
Correct inaccurate or incomplete data.
6.3 Right to Erasure
Request deletion of your data (except for legal obligations).
6.4 Right to Portability
Receive your data in a structured format (JSON/CSV).
6.5 Right to Object
Object to processing based on legitimate interest.
6.6 Exercise Your Rights
Contact us at: support@kiweal.com
Response time: Maximum 30 days.
If unsatisfied with our response, you may contact the French data protection authority (CNIL): cnil.fr
7. Security
We implement technical and organizational measures:
- HTTPS encryption (TLS 1.3)
- Hashed passwords (bcrypt)
- Two-factor authentication (optional)
- Data access limited to authorized personnel
- Regular encrypted backups
8. Cookies
8.1 Essential Cookies
- Authentication: Session maintenance
- Preferences: Language, theme
- Security: CSRF protection
8.2 Analytics Cookies
We use Vercel Analytics to understand site usage. This data is anonymized and aggregated.
8.3 No Advertising Cookies
Kiweal does not use any advertising or third-party tracking cookies.
9. International Transfers
Some service providers (Stripe, Vercel, Resend) are based in the USA. These transfers are governed by:
- Standard Contractual Clauses (SCC)
- Certifications (e.g., SOC 2)
10. Minors
Kiweal is reserved for persons 18 years and older. We do not knowingly collect data from minors.
11. Changes
This policy may be updated. In case of significant changes, we will notify you by email.
12. Contact
For any questions regarding your data:
Email: support@kiweal.com
Address: Kiweal, 30 rue de Courcelles, 51100 Reims, France