GDPR Compliance

1. Our Commitment to GDPR

SaleFast is committed to compliance with the General Data Protection Regulation (GDPR) and respects the privacy rights of individuals in the European Union (EU) and European Economic Area (EEA).

This page explains how we comply with GDPR and how you can exercise your rights.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

2.1 Contract Performance

Processing necessary to provide the Service you've signed up for, including:

• Account management
• Product listing and discovery
• Premium feature access
• Payment processing

2.2 Legitimate Interest

Processing necessary for our legitimate business interests:

• Service improvement and optimization
• Fraud prevention and security
• Customer support
• Analytics and research

2.3 Consent

For marketing communications and non-essential cookies, we obtain your explicit consent.

2.4 Legal Obligation

To comply with applicable laws, such as tax and accounting requirements.

3. Your GDPR Rights

Under GDPR, you have the following rights:

3.1 Right to Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this within 30 days.

How to exercise: Email hello@salefa.st or contact us through your account settings.

3.2 Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data.

How to exercise: Update your information in your profile settings or contact us.

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

• It's no longer necessary for the purposes collected
• You withdraw consent
• You object to processing
• It was unlawfully processed

How to exercise: Use the "Delete Account" option in settings or contact us.

Note: We may retain certain data if required by law (e.g., financial records for 7 years).

3.4 Right to Restriction of Processing (Article 18)

You can request we limit how we use your data while we investigate a concern.

3.5 Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format (JSON/CSV) and transfer it to another service.

How to exercise: Contact us to request an export of your profile and product data.

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing.

How to exercise: Unsubscribe from marketing emails or contact us to object to specific processing.

3.7 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you can withdraw it at any time.

3.8 Right to Lodge a Complaint

You have the right to file a complaint with your local supervisory authority:

Find your data protection authority: EDPB Member List

4. Data Processing Details

4.1 Data Controller

SaleFast is the data controller for your personal information.

4.2 Data Protection Officer

Contact our DPO: hello@salefa.st

4.3 Data Processors

We use the following processors who have appropriate GDPR safeguards:

• Vercel (USA): Hosting - Standard Contractual Clauses (SCCs)
• Neon (USA): Database - GDPR-compliant data processing agreement
• Google (USA): Authentication & Analytics - Model Contract Clauses
• GitHub (USA): Authentication - Data Processing Agreement
• Polar.sh: Payment processing - PCI-DSS compliant

5. International Data Transfers

Your data may be transferred outside the EU/EEA to countries that may not offer the same level of data protection.

We ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU-approved data transfer contracts
• Adequacy Decisions: Transfers only to countries approved by the EU Commission
• Additional Safeguards: Encryption, access controls, security audits

6. Data Retention

We retain personal data for different periods:

• Account Data: Until account deletion + 30 days grace period
• Product Submissions: Until deletion or account closure
• Billing Records: 7 years (legal requirement)
• Support Tickets: 2 years
• Analytics Data: 2 years (anonymized)
• Logs: 90 days

7. Security Measures

We implement technical and organizational measures to protect your data:

Technical Measures:

• End-to-end encryption (TLS 1.3)
• Encrypted database storage
• Secure OAuth authentication
• Regular security updates
• Access logging and monitoring

Organizational Measures:

• Access controls and least privilege principle
• Data processing agreements with vendors
• Regular security reviews
• Incident response procedures

8. Data Breach Notification

In the event of a data breach affecting your personal data:

• We will notify the relevant supervisory authority within 72 hours
• We will inform affected users without undue delay
• We will describe the nature of the breach and steps being taken
• We will provide recommendations to minimize potential harm

9. Cookies and Tracking

We use cookies in compliance with the ePrivacy Directive:

• Essential Cookies: No consent required (necessary for service)
• Analytics Cookies: Used for understanding platform usage
• Marketing Cookies: We don't use these currently

You can manage cookie preferences in your browser settings.

10. Children's Data

We do not knowingly process data of individuals under 13 (or 16 in EU/EEA countries where applicable). If you're under the applicable age, please do not use our Service.

11. How to Exercise Your Rights

To exercise any of your GDPR rights:

1. Email us: hello@salefa.st
2. Use account settings: Many rights can be exercised directly in your profile
3. Include in your request:
   • Your name and email address
   • The specific right you're exercising
   • Any relevant details

Response time: We will respond within 30 days (may extend to 60 days for complex requests).

Free of charge: We do not charge fees unless requests are manifestly unfounded or excessive.

12. Updates to GDPR Policy

We may update this GDPR compliance statement. Material changes will be communicated via email and on this page with an updated "Last updated" date.

13. Contact Information

=Inquiries: hello@salefa.st