Privacy Policy

The data controller for personal data processed through the D27 platform is D27 Europe GmbH, registered in Berlin, HRB [to be assigned], with registered office in Berlin, Germany (“D27”, “we”, “us”). D27 Europe GmbH is a subsidiary of D27 OÜ (Delaware, USA); where D27 OÜ processes personal data of data subjects in the EU/EEA in its capacity as parent, it does so jointly with D27 Europe GmbH, and D27 Europe GmbH acts as its Article 27 GDPR representative.

Contact for all privacy matters: anon.schneerson@gmail.com. A Data Protection Officer has been appointed and can be reached at anon.schneerson@gmail.com. Postal notices: D27 Europe GmbH — Data Protection, Berlin, Germany (full registered address on request).

We process the following categories of personal data:

• Account data — individual contact name, business email, telephone (optional), role, company name, VAT ID, registered address, hashed password, country, preferred language. Collected at signup.
• Verification and compliance data — documents and information used for business verification (commercial register excerpt, UBO information), sanctions and export-control screening inputs and results (name-match logs, hit reviews, licence references), end-use statements where applicable. Collected at signup and before release of a flagged order.
• Transaction data — billing and shipping address, order history, payment-method metadata (card brand, last four digits, token — the full card number is stored at the PCI-DSS Level-1 payment processor, never on D27 systems), VAT-relevant data. Collected at checkout.
• Usage data — pages viewed, searches, clicks, IP address, user-agent, session identifiers, referrer. Collected automatically via essential cookies and server logs.
• Support data — content of emails, support tickets, scheduled-call metadata (date, participants), and, where the caller is notified and consents, call recordings and transcripts. Collected when you contact us.
• Marketing data — subscription preferences, email engagement (open, click) where you have opted in. Collected on consent.

We do not knowingly process special categories of data (Art. 9 GDPR). Do not submit such data through the platform.

• Contract (Art. 6(1)(b) GDPR) — to operate your account and fulfil orders.
• Legal obligation (Art. 6(1)(c)) — tax invoicing, export control, sanctions screening, accounting retention.
• Legitimate interests (Art. 6(1)(f)) — we rely on legitimate interests for the following specific purposes, each balanced against your rights and freedoms under a documented Legitimate Interests Assessment available on request:
  • preventing fraud, abuse, and unauthorised access (our interest: protecting the platform and other users);
  • ensuring the security and integrity of our infrastructure, including intrusion detection and abuse logging (our interest: operational security and continuity);
  • aggregate and de-identified analytics to measure feature usage and improve the platform (our interest: product development);
  • catalogue improvement and classification refinement on the basis of aggregated search and navigation data (our interest: marketplace quality);
  • operational communications with business contacts who have expressly provided their details in a commercial context (our interest: enabling B2B commerce; Recital 47 GDPR).
  You may object to processing based on legitimate interests at any time; see §07.
• Consent (Art. 6(1)(a)) — marketing emails beyond strictly-necessary account notices, and any non-essential cookies. Withdrawable any time.

Personal data is disclosed only to the following categories of recipients:

• Suppliers filling your order — shipping address, contact, order line items.
• Payment processor (PCI-DSS Level 1) — billing details required to process the card transaction.
• Shipping carrier — delivery address and contact.
• Cloud / infrastructure providers processing data under Art. 28 data-processing agreements, primarily hosted in EU regions.
• Sanctions / export-screening providers for legally-required checks at signup and at checkout.
• Authorities where required by law (tax, customs, court orders).

We do not sell personal data, nor share it for third-party advertising.

Personal data is primarily processed within the European Economic Area. Where personal data is transferred outside the EEA — for example to a US-based infrastructure sub-processor — we rely on one of the following Article 46 GDPR transfer mechanisms, as applicable to the recipient:

• where the recipient is a US organisation self-certified under the EU-US Data Privacy Framework, the European Commission's adequacy decision of 10 July 2023;
• for all other third-country transfers, the European Commission's Standard Contractual Clauses (Decision 2021/914) with supplementary technical and organisational measures following a documented Transfer Impact Assessment;
• for transfers from the United Kingdom, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, issued by the Information Commissioner's Office.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). A current list of sub-processors and transfer mechanisms is available from anon.schneerson@gmail.com on request.

We retain personal data only as long as necessary for the purposes for which it was collected and to meet applicable legal obligations. Our standard retention periods are:

• Account data — while the account is active and for six (6) months after deactivation or closure, to enable re-activation, dispute resolution, and security investigation. Account data linked to transactions is retained for the transaction retention period below.
• Transaction, order, invoicing and VAT data — ten (10) years from the end of the calendar year in which the transaction occurred, in accordance with German HGB §257 and AO §147.
• Verification and compliance data (business verification, UBO records, sanctions-screening logs, export-control records) — five (5) years minimum from the date of the relevant transaction, subject to longer retention where required by Regulation (EU) 2021/821, OFAC or UK ECJU recordkeeping rules.
• Support data — two (2) years from the close of the ticket, except where required for an active dispute.
• Server and security logs — ninety (90) days by default, longer for logs pertaining to an active security or fraud investigation.
• Marketing data — until you withdraw consent or after 24 months of no engagement, whichever is earlier.

When a retention period ends, data is deleted or irreversibly anonymised.

You have the right to:

• Access your personal data (Art. 15).
• Rectify inaccurate data (Art. 16).
• Erase data where no overriding legal basis applies (Art. 17).
• Restrict or object to processing (Art. 18, 21).
• Data portability — a machine-readable export (Art. 20).
• Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Lodge a complaint with a supervisory authority. The primary authority for D27 is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), An der Urania 4–10, 10787 Berlin. You are also free to lodge a complaint with the supervisory authority of your habitual residence or place of work.

To exercise a right, email anon.schneerson@gmail.com from the email address associated with your account or provide sufficient information to verify your identity under Art. 12(6) GDPR. We respond within one month of receiving a verified request; for complex or numerous requests we may extend this by up to two further months and will inform you within the first month. A manifestly unfounded or excessive request may be refused or charged a reasonable fee in accordance with Art. 12(5).

Screening against sanctions and export-control lists is initially performed by automated systems. However, a positive screening match always triggers human review by D27's compliance team before any order is declined, suspended, or account restricted on that basis. We do not make decisions solely by automated means that produce legal or similarly significant effects within the meaning of Art. 22 GDPR.

Where you believe an automated match was made in error, you may contact anon.schneerson@gmail.com to request human review of the decision, express your point of view, and contest the decision.

We use the following cookie and similar-technology categories:

• Strictly necessary (no consent required, TTDSG §25(2) No. 2): session authentication, CSRF token, cart state, load-balancer affinity, consent-banner preference. Duration: session or up to 12 months.
• Analytics (consent required): deployed only on explicit consent via the cookie banner; currently none by default. If enabled, aggregated product-usage metrics with IP truncation.
• Functional / third-party embeds (consent required): loaded only where you interact with a feature that requires them.

A current cookie list, including provider, purpose, and retention, is available via the “manage preferences” link in the consent banner. You can withdraw or change consent at any time via the same banner.

Data in transit is TLS-encrypted (TLS 1.2+); at rest, AES-256. Access to production systems is restricted to authorised personnel under the principle of least privilege, with SSO and hardware-key MFA. Passwords are hashed with bcrypt. Rate limits apply to authentication endpoints. We maintain an incident-response plan. Personal-data breaches are assessed and notified to the competent supervisory authority within 72 hours where they are likely to result in a risk to rights and freedoms (Art. 33 GDPR) and communicated to affected data subjects where the breach is likely to result in a high risk to rights and freedoms (Art. 34 GDPR).

The D27 platform is intended exclusively for use by business organisations represented by adult professionals. We do not direct the platform to children and do not knowingly collect personal data from any individual under the age of 16. If you believe a minor has submitted data, contact anon.schneerson@gmail.com and we will delete it.

We may update this Policy. Material changes will be notified at least 30 days in advance via email and an in-app banner. The “Last updated” date above reflects the current version.

Where D27 processes personal data on your behalf (for example, contact data for a designated recipient at your organisation, or end-user data you provide in a BOM Audit engagement), you are the controller and D27 acts as processor under Article 28 GDPR. Our standard Data Processing Agreement applies to such processing and is available at anon.schneerson@gmail.com. You must not submit personal data to the platform except as reasonably required for the business purpose.

Data-protection queries: anon.schneerson@gmail.com. DPO: anon.schneerson@gmail.com. See also our Terms of Service and Compliance overview.