Privacy & Data Sovereignty

Privacy Policy

Salp.shop respects your business sovereignty. This policy outlines our commitment to data isolation, GDPR compliance, and the security of your catalog.

Version 2.0 • Effective June 2026

01Controller & Scope

Salp B.V., established in the Netherlands (acting as the 'Operator' and 'Data Controller'), operates the unified B2B/B2C marketplace (salp.shop) and its associated Partner Portal. This Privacy Policy applies to the collection and processing of personal data of B2B partner users (vendors, administrators) and B2C customers whose orders are processed through our Hybrid Operating Model (incorporating both the Deemed Supplier/Undisclosed Agent model and Disclosed Agent model in accordance with EU tax directives).

02 The Isolation Guardrail

Mandatory Context Isolation

To protect your competitive advantage, our platform enforces strict Context Isolation. B2B partner data is completely compartmentalized and isolated at the database layer using secure access control protocols. No partner can ever view, query, or compare the inventory levels, transaction volume, margins, or pricing strategies of another partner. All commercial secrets are secured by design.

03 Automated Translation & Optimization

To deliver 'Zero-Touch' automation across 27 EU member states, we process catalog data using AI-driven engines (including Gemini 1.5 Flash):

  • Automatic translation of product listings into 22 European languages for localized storefronts.
  • Categorization and normalization of GTIN/EAN product codes for search optimization.
  • AI-assisted generation of SEO metadata for regional search visibility.

Note: AI models are used solely to optimize and localize your active listings; your commercial data is never used to train models for competitors.

04 E-Commerce Integrations & Data Sync

The Partner Portal interfaces directly with your source systems (Shopify, Lightspeed eCom, WooCommerce, Salesforce, etc.) via secure API channels and OAuth 2.0. We process:

Inventory Data

Real-time stock counts and warehouse IDs to prevent overselling.

Orders & Fulfillment

Bidirectional synchronization of fulfillment statuses, tracking numbers, and carrier details.

05Data Categories & Legal Bases

B2B Partner Data: We collect and process names, business email addresses, phone numbers, corporate addresses, trade registry registration numbers, VAT identification numbers, Tax Identification Numbers (TIN), IBAN/bank account details, and DAC7-related earnings data. This is processed under GDPR Art. 6(1)(b) (performance of contract) and Art. 6(1)(c) (compliance with legal obligations, including DAC7 reporting to the Dutch Tax Authorities, and Digital Services Act Article 30 trader verification).

B2C Customer Data: When an order is placed, we process customer names, delivery addresses, billing addresses, email addresses, phone numbers, and purchased items. Under the Deemed Supplier Model, Salp B.V. acts as the independent Data Controller (Art. 6(1)(b) to fulfill the B2C contract, and Art. 6(1)(c) for OSS VAT compliance). Under the Disclosed Agent Model, the B2C contract is directly with the vendor, and we act as a processor or joint controller. Customer data is processed solely for order routing, fulfillment sync, and tax calculation.

Legitimate Interests: Under Art. 6(1)(f) GDPR, we process logs, IP addresses, and session details to ensure platform security, prevent commercial fraud, and enforce strict data access controls.

06Data Sharing & Sub-processors

These include: (a) Hosting and cloud database infrastructure providers; (b) Payment Service Providers (PSPs like Stripe) to process payout transactions; (c) Shipping and tracking carriers to generate shipping labels and proof of export; (d) Google Generative AI for translation and support triaging; and (e) Dutch Tax Authorities (Belastingdienst) and other EU surveillance authorities under statutory compliance laws (DAC7, DSA, OSS).

All personal data is stored and processed within the European Economic Area (EEA). Any transfer of support diagnostics to external tools is protected by AES-256-GCM encryption.

07Data Retention

In accordance with Dutch tax law (Rijksbelastingdienst), transaction records, sales ledgers, self-billed invoices, and related customer order data are retained for a minimum of 7 years.

Partner account logs, credentials, and diagnostic logs are retained for 3 years following the termination of the vendor agreement, after which they are deleted or irreversibly anonymized.

08Your GDPR Rights & Contact

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens - AP) at https://autoriteitpersoonsgegevens.nl.

For all GDPR requests, context access inquiries, or data extraction, please contact our Data Protection Officer at info@salp.shop.

Governance

This policy is governed by the laws of the Netherlands and the EU General Data Protection Regulation (GDPR). For data access requests or inquiries regarding your partner context, please visit our Contact Redirect.