1) What data we collect
- Return operations: RMA/Order IDs, parcel labels (sender name/address and contact if present), box IDs, weight/size, photos, grading notes, timestamps, storage location.
- Accounts & communications: user name, work email, IM handle (WeChat/WhatsApp if provided), roles/permissions, activity logs.
- Billing: company details, tax numbers, invoices/credit notes, payment confirmations (we do not store card details).
- Website: consent signals, strictly-necessary cookies/local storage, and server logs (IP, user-agent, referrer) for security.
- Partners/referrals: agent name, contact, payout method, ref code and attribution windows.
We do not intentionally process special categories of data. If such data appears on labels/photos, we minimise or mask where feasible.
2) Where we get it
- From you (signup, onboarding, support).
- From your customers’ returns (labels/contents).
- From your systems via files/API/webhooks (when enabled).
- From service and security logs generated by our infrastructure.
3) Purposes & legal bases
- Provide the service (receive, inspect, photograph, report, store, execute your decisions) — Art. 6(1)(b) contract.
- Billing & compliance (invoices, tax, accounting) — Art. 6(1)(c) legal obligation.
- Security & abuse prevention (access control, logging) — Art. 6(1)(f) legitimate interests.
- Support & onboarding (EN/中文 communications) — Art. 6(1)(b)/(f).
- Service quality/improvement (anonymised metrics, QC) — Art. 6(1)(f).
- B2B updates/marketing (rare; easy opt-out) — Art. 6(1)(f) or consent where required by local law.
- No ads/ML training (policy statement) — we do not use Personal Data for targeted advertising, unrelated profiling, or training of machine-learning models beyond what is strictly necessary to provide the services.
4) Retention
- Return photos/reports: retained up to 180 days (earlier deletion on request).
- Operational/access logs: typically ≤ 180 days.
- Invoices/accounting: per Polish law (usually 5–6 years).
- Backups: rolling; typically overwritten within ≤ 60 days.
6) International transfers
Processing occurs primarily in the EEA. If a transfer outside the EEA/UK/CH is required, we implement appropriate safeguards (e.g., EU/UK Standard Contractual Clauses) and, where needed, perform a transfer impact assessment (TIA) with supplementary measures. If you instruct us to use a non-EEA channel (e.g., WeChat) or carrier, that instruction covers the minimum necessary data for that purpose.
7) Security
We apply proportional technical and organisational measures: access control, EU hosting, encryption in transit, CCTV & controlled warehouse areas, monitoring, vulnerability management, incident response, and continuity. See DPA Annex II (TOMs) for details.
8) Your rights
You may request access, rectification, erasure, restriction, objection, and data portability under GDPR. Email denis@eureturnshub.eu. We respond without undue delay and within one month (extendable where permitted).
We acknowledge Data Subject requests within 2 business days and respond without undue delay and within one month (extendable where permitted).
Where we act as processor for your returns data, please send end-customer requests to the Controller; we will assist the Controller under the DPA.
10) Children
Our service is B2B and not directed to children. We do not knowingly collect children’s data.
11) Changes
We may update this notice to reflect legal or operational changes. Material changes will be sign-posted here with a new “Last updated” date.
12) Contact & complaints
Controller contact: EU Returns Hub — Dzianis Vislavus, ul. Różany Zakątek 22/1, 62-069 Dąbrówka, Poland · denis@eureturnshub.eu
You may also complain to your local EEA supervisory authority, or in Poland (UODO, Warsaw).
Marketplace disclaimer: we are not affiliated with Amazon, AliExpress, Temu or Shein.