Privacy Policy (Datenschutzerklärung)

Last updated: 1 June 2025

1. Data Controller

The controller responsible for processing your personal data within the meaning of the GDPR is:

SouqGo GmbH
Musterstraße 1
10115 Berlin
Germany

Phone: +49 30 0000 0000
E-mail: datenschutz@souqgo.de

2. Personal Data We Collect

We collect and process the following categories of personal data:

  • Account data: Full name, e-mail address, phone number, preferred language, profile picture (optional), encrypted password hash.
  • Delivery addresses: Street address, city, postal code, country.
  • Order data: Items ordered, quantities, prices, vendor, order status, delivery time slot, notes, order number.
  • Payment data: Payment method type, last four digits of card, billing confirmation. Full card data is processed exclusively by Stripe and never stored by SouqGo.
  • Technical data: IP address, browser type, device type, operating system, referring URL, session identifiers — collected automatically for security and operational purposes.
  • Communication data: Correspondence with our support team.
  • Reviews and ratings you submit for stores or products.

3. Purposes and Legal Basis for Processing

Purpose                                      Legal basis (GDPR)
Account creation and login                   Art. 6(1)(b) — performance of contract
Order processing, delivery coordination      Art. 6(1)(b) — performance of contract
Payment processing via Stripe                Art. 6(1)(b) — performance of contract
Customer support                             Art. 6(1)(b) and (f) — legitimate interest
Transactional emails (order status, alerts)  Art. 6(1)(b) — performance of contract
Fraud prevention and security monitoring     Art. 6(1)(f) — legitimate interest
Legal obligations (tax, accounting records)  Art. 6(1)(c) — legal obligation
Platform improvement and analytics           Art. 6(1)(f) — legitimate interest

4. Data Sharing and Third-Party Processors

We share personal data only to the extent necessary to provide our services. The following categories of recipients may receive your data:

  • Vendors (stores): Name, delivery address, phone number, and order details are shared with the vendor fulfilling your order.
  • Stripe, Inc. (USA / Ireland): Payment processing. Stripe acts as an independent controller for its payment services. Data is transferred under the EU–US Data Privacy Framework (DPF) and Stripe's Standard Contractual Clauses. See stripe.com/privacy.
  • Resend, Inc. (USA): Transactional email delivery (order confirmations, status updates). We have signed a Data Processing Agreement with Resend.
  • Neon, Inc. (USA): Managed PostgreSQL database hosted in the EU. Data is stored in AWS eu-central-1 (Frankfurt).
  • Vercel, Inc. (USA): Application hosting and static asset delivery. Data is processed in the EU (edge regions).

We do not sell your personal data to third parties or use it for advertising profiling.

5. Transfers to Third Countries

Some of our processors (Stripe, Resend, Vercel) are based in the United States. Data transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR, or, where applicable, by the EU–US Data Privacy Framework.

6. Cookies and Session Storage

We use technically necessary session cookies to maintain your login session and shopping cart state. We do not use tracking or advertising cookies. No cookie consent banner is shown because no non-essential cookies are set.

7. Data Retention

  • Account data: Retained for the duration of your account and deleted upon verified deletion request, subject to legal retention obligations.
  • Order and payment records: Retained for 10 years per §147 AO (German Fiscal Code) tax retention obligations.
  • Support correspondence: Retained for 3 years from the last contact.
  • Security logs: Retained for 30 days, then deleted automatically.

8. Your Rights under the GDPR

As a data subject you have the following rights (Art. 15–22 GDPR):

  • Right of access (Art. 15): You may request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate data at any time (also via your account settings).
  • Right to erasure (Art. 17): You may request deletion of your personal data where no statutory retention obligation applies.
  • Right to restriction (Art. 18): You may request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): You may receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interests at any time.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at datenschutz@souqgo.de. We will respond within 30 days as required by Art. 12 GDPR.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for SouqGo GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin
www.datenschutz-berlin.de

10. Changes to this Policy

We may update this Privacy Policy to reflect changes to our data practices or applicable law. The current version is always available at /legal/privacy. Material changes will be communicated by email.