1. Data controller
2. Data we process and purposes
We process the personal data you provide when you register and use the platform. The following table summarises what data we collect, what we use it for and on what legal basis.
a) Account and authentication
- Data: name, alias (username), email address, encrypted password, preferred language, avatar.
- Purpose: to create and maintain your account, authenticate you and prevent unauthorised access.
- Legal basis: performance of the contract (Terms of use).
b) Purchases, shipping and payments
- Data: shipping and billing address, NIF/DNI if you act as self-employed or a company, country tax details, tokenised payment methods (Stripe), history of orders, bids, invoices and refunds.
- Purpose: to process orders, generate shipping labels, charge and refund, issue invoices, prevent fraud and handle disputes.
- Legal basis: performance of the contract and compliance with legal obligations (tax, accounting, anti-money laundering).
c) Seller identity verification (KYC)
- Data: identity document, selfie, proof of life, business tax ID, bank details; the process is carried out by our provider Didit and the results are recorded as approved/rejected without Krofter keeping the originals.
- Purpose: to comply with the KYC/AML obligations of Stripe Connect and protect buyers from fraudulent accounts.
- Legal basis: legal obligation and performance of the contract with Stripe Connect.
d) Communications and support
- Data: messages with the support team, dispute messages, live chats, user reports.
- Purpose: to handle queries, mediate disputes, moderate the community and keep documentary records in the event of complaints.
- Legal basis: performance of the contract and legitimate interest in keeping the platform free from abuse.
e) Push and email notifications
- Data: device token (FCM or Web Push), notification preferences, delivery log.
- Purpose: to notify you of bids, events from your favourite sellers, order status and critical communications.
- Legal basis: performance of the contract (transactional notices) and consent (promotional notices, revocable at any time from your profile).
f) Technical data and analytics
- Data: IP address, cookie identifiers, user agent, usage events, anonymous JavaScript errors.
- Purpose: to ensure the security and availability of the service, measure traffic on an aggregated basis and improve the product.
- Legal basis: legitimate interest (security and maintenance) and consent (analytics and marketing — manageable from the cookie banner).
3. Retention periods
- Account data: while your account is active. After deletion it is kept blocked for 12 months for defence against claims, unless the law requires longer periods.
- Tax and accounting documentation (invoices, payments, commissions): 6 years (art. 30 of the Commercial Code).
- KYC/AML records: 10 years from the end of the relationship (Law 10/2010).
- Chat and dispute messages: up to 5 years, depending on the possible initiation of proceedings.
- Cookie consents: up to 365 days from when they were granted.
4. Recipients and data processors
To provide the service we share the strictly necessary data with providers that act as data processors under contract (art. 28 GDPR):
- Stripe Payments Europe Ltd. (Ireland) — payment processing and Stripe Connect.
- Didit (KYC provider) — seller identity verification.
- envia.com / carriers (Correos, SEUR, GLS, MRW…) — label generation and shipment tracking.
- Google Firebase Cloud Messaging (Ireland/USA) — sending push notifications.
- Anthropic PBC (USA) — assisted generation of product descriptions when a seller expressly requests it.
- Transactional email services (SMTP IONOS) — sending order, notification and support emails.
- Hosting provider (EU VPS) — hosting of the application and the database.
Where a provider involves an international transfer outside the EEA (for example, the USA), we apply the Standard Contractual Clauses approved by the European Commission as an appropriate safeguard.
We do not sell personal data to third parties. We do not transfer your data to sellers beyond what is necessary to manage the sale (name, shipping address and, where applicable, billing tax ID).
5. Your rights
In accordance with the GDPR and the LOPDGDD, you may exercise the following rights over your data at any time:
- Access: request a copy of the data we process about you.
- Rectification: to correct inaccurate or incomplete data.
- Erasure («right to be forgotten»): to delete your account and associated data (with the legal exceptions indicated above).
- Objection and restriction: to object to processing based on legitimate interest or to request that we restrict its use.
- Portability: to receive your data in a structured, machine-readable format.
- To withdraw the consent given (marketing, analytics cookies, promotional notifications).
You can exercise them by sending an email to soporte@krofter.live indicating the right you wish to exercise and attaching a copy of your identity document. We will handle your request within a maximum of one month.
If you consider that the processing of your data infringes the regulations, you can lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
6. Security
We apply reasonable technical and organisational measures to protect data: TLS encryption in transit, passwords stored with bcrypt, role-based access control, regular backups, network segmentation and security event logging. Card data is never stored on our servers: it is handled directly by Stripe as a PCI-DSS Level 1 entity.
7. Minors
The platform is aimed exclusively at people over 18 years of age. We do not knowingly process data of minors. If we detect that a minor has registered, we will cancel the account and delete their data.
8. Changes to this policy
We may update this policy to reflect legal changes or new features. We will notify you by email or via the platform when the changes are substantial. The date of last update appears at the beginning of this document.