Privacy Policy
Last updated: 05. November 2025
1. Data Controller
The data controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR) is:
small-shops
Owner: Valeria Pandimiglio
Stargarder Straße 78
10437 Berlin, Germany
Email: info@small-shops.com
2. Introduction and Scope
This Privacy Policy explains how small-shops (“we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with the operation of our online and offline marketplace that connects customers (“Buyers”) with independent sustainable retailers (“Sellers”).
It applies to:
Visitors of our website at www.small-shops.com and associated mobile versions;
Registered Buyers and Sellers using our Platform;
Users participating in our offline cashback programme.
We process all personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Telemedia Data Protection Act (TTDSG).
3. Legal Bases for Processing
Personal data is processed based on the following legal grounds under Article 6 GDPR:
Art. 6(1)(a) – Consent, e.g. for optional cookies, marketing communication, or newsletter subscriptions.
Art. 6(1)(b) – Contract performance or pre-contractual steps, e.g. to register an account, process orders, or issue cashback.
Art. 6(1)(c) – Compliance with legal obligations, e.g. bookkeeping, tax documentation, consumer protection law.
Art. 6(1)(f) – Legitimate interests, e.g. maintaining platform security, preventing fraud, improving user experience, enforcing our rights.
4. Categories of Personal Data
(a) Buyer (Customer) Data
Collected when Buyers register, place an order, or upload offline receipts:
Name, email address, password, shipping and billing addresses
Order details (product, quantity, price, Seller, transaction time)
Uploaded receipts (for cashback verification)
Payment information (processed via Stripe; we do not store full card data)
Communication history and customer service interactions
(b) Seller Data
Collected during Seller registration and ongoing use:
Company name, contact person, business address
Email, VAT ID, tax number
Bank or payout account details
Store location and sustainability profile
(c) Technical and Usage Data
Automatically collected through system logs and cookies:
IP address, device type, browser and operating system
Access time, referrer URL, session identifiers
Cookie identifiers and analytics data (only with consent)
(d) Communication and Marketing Data
Emails, messages, or inquiries via contact forms
Newsletter and marketing preferences
Product reviews, comments, and feedback
5. Purpose of Processing
We process personal data for the following specific purposes:
Operation of the Platform – account creation, authentication, profile management.
Order facilitation – enabling Buyers to purchase goods from Sellers.
Payment processing – managing Stripe transactions, fees, and Seller payouts.
Offline cashback management – verifying uploaded receipts and calculating Seller commissions.
Customer and Seller support – handling inquiries, complaints, and communication.
Fraud prevention and platform security – detecting and mitigating unauthorized activity.
Legal compliance – fulfilling tax, accounting, and statutory retention duties.
Analytics and improvement – optimizing the Platform (only with user consent).
Marketing and newsletters – sent exclusively with prior consent.
6. Payment Processing via Stripe
We use Stripe Payments Europe, Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland, as our payment processor.
Stripe independently processes certain data (e.g., card number, expiration date, payment authorization) as a separate controller. For details, please refer to Stripe’s Privacy Policy: https://stripe.com/privacy
small-shops only receives transaction metadata (amount, status, and reference ID) and does not store or access full payment details.
7. Cookies and Tracking Technologies
We use cookies in accordance with the TTDSG and GDPR to ensure core functionality and, with your consent, analyze usage and improve performance.
Categories of Cookies
Strictly necessary cookies: essential for login, checkout, and fraud prevention.
Functional cookies: remember preferences (language, login state).
Analytics cookies: collect anonymized usage statistics (activated only with consent).
Marketing cookies: track engagement for promotions or campaigns (consent required).
You can manage or revoke your cookie preferences at any time via our Cookie Settings link on the Platform.
8. Disclosure of Data to Third Parties
Personal data is only shared when necessary for the purposes outlined in this Policy and always in accordance with GDPR.
Typical recipients:
Sellers – for order fulfillment and communication with Buyers.
Payment service providers – Stripe, for secure payment handling.
IT infrastructure providers – hosting, cloud storage, and email systems (within the EU).
Analytics and support tools – only where compliant with GDPR and subject to data processing agreements.
Legal authorities and tax offices – where required by law.
All third-party processors are bound by contractual data processing agreements (Art. 28 GDPR).
9. International Data Transfers
If personal data is transferred to third countries outside the European Economic Area (EEA), we ensure an adequate level of protection using EU Standard Contractual Clauses (SCCs) or other approved mechanisms.
10. Data Retention
We retain data only as long as necessary to fulfill the purposes for which it was collected or as required by law.
Typical retention periods:
Buyer and Seller account data – until account deletion or contractual termination.
Transaction and accounting data – 10 years (under German tax law).
Support and correspondence data – up to 3 years after last contact.
Uploaded receipts – deleted after cashback verification and settlement.
Cookie data – according to consent or technical expiration.
11. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15) – request information about your personal data.
Right to rectification (Art. 16) – correct inaccurate or incomplete data.
Right to erasure (Art. 17) – request deletion (“right to be forgotten”).
Right to restriction (Art. 18) – limit processing in specific circumstances.
Right to data portability (Art. 20) – obtain a machine-readable copy of your data.
Right to object (Art. 21) – object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)) – withdraw consent at any time, without affecting prior lawful processing.
To exercise your rights, please contact: info@small-shops.com
You may also file a complaint with the competent supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
Website: https://www.datenschutz-berlin.de/
12. Data Security
We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR, including:
SSL/TLS encryption of all data transmissions;
Secure data hosting within the EU;
Access controls, role-based permissions, and encryption at rest;
Regular data backups and security audits;
Passwords stored using one-way hashing algorithms.
13. Cashback Programme and Receipt Uploads
When Buyers upload a purchase receipt to verify an offline purchase:
The receipt may contain personal or transactional information (store name, date, product details, total price).
The data is processed solely for cashback verification and Seller commission calculation.
Receipts are stored securely, accessible only to authorized personnel, and deleted after verification and mandatory retention expiry.
14. External Links
Our Platform may contain links to external websites operated by third parties. We are not responsible for the privacy practices or content of such websites. Users are advised to review the privacy policies of any linked services they visit.
15. Updates to this Privacy Policy
We may update this Privacy Policy periodically to reflect legal, technical, or business changes. The latest version will always be published on our website, indicating the “Last Updated” date. Significant changes will be communicated to registered users via email or platform notice.