Privacy Policy

1.1. This Privacy Policy (hereinafter referred to as the «Policy») describes how Ivo Marketplace S.R.L., IDNO: 1024602014330, with its registered office at mun. Bălți, str. Filip Nicolae, 2, Republic of Moldova (hereinafter referred to as the «Operator» or «We»), collects, processes, stores, protects and, where applicable, transmits the personal data of Users of the IVO Marketplace platform.

1.2. This Policy applies to all persons who access, browse, register or use the Platform, in their capacity as Buyers, Merchants or simple visitors.

1.3. By accessing or using the Platform, the User confirms that they have read and understood this Policy.

1.4. Legal basis

This Policy is drawn up in accordance with:

a) Law No. 133/2011 on the protection of personal data of the Republic of Moldova;

b) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR), to the extent applicable;

c) Law No. 284/2004 on electronic commerce;

d) Other normative acts applicable in the field of personal data protection.

1.5. Data Protection Officer (DPO)

The Operator has designated a Data Protection Officer (DPO): Claudio Mulas.

DPO Contact: mydata@ivo.md

2.1. Depending on the User's interaction with the Platform, the Operator may collect the following categories of personal data:

Note: The Operator may launch a mobile application (iOS/Android) in the future, in which case additional data may be collected (unique device identifier, push notification token, etc.). This Policy will be updated accordingly before the application launch.

A. Identification and contact data

Name, surname, email address, phone number, delivery address, billing address.

B. Payment data

Card type, card BIN (first 6 digits), issuing bank. The Operator does not store the full bank card number, expiration date or CVV/CVC code. Payment processing is carried out exclusively by authorized payment processors (details in Section 5).

C. Geolocation and technical data

IP address, device type, operating system, browser type, screen resolution, approximate geolocation data (derived from IP address).

D. Platform activity data

Order history, viewed products, searches performed, products added to cart, browsing preferences, visit frequency and duration, interactions with notifications and marketing communications.

Session association: The Platform may retroactively associate anonymous browsing sessions with the User's account after authentication, for the purpose of personalizing the experience, recommending relevant products and statistical analysis. This association is carried out on the basis of the Operator's legitimate interest (Art. 6(1)(f) GDPR). The User may exercise the right of opposition in accordance with Section 8.

E. Behavioral and profiling data

Purchasing habits, preferred product categories, interaction history with personalized recommendations. This data is used exclusively for the purpose of personalizing the Platform experience and recommending relevant products.

F. Fraud prevention data

Card BIN, issuing bank, transaction patterns, IP address, device technical identifiers. This data is processed exclusively for the purpose of detecting and preventing fraudulent activities.

Device fingerprinting: During the checkout process, the Operator collects, with the User's consent, detailed technical data of the device used, including: processor type (CPU), graphics card type (GPU), screen resolution and size, time zone, browser language and geolocation data. This data is used exclusively for generating a digital fingerprint of the device («device fingerprint») for fraud prevention purposes and is not associated with the User's identity for other purposes.

The Operator may use automated risk assessment systems that analyze correlations between IP address, card country, device used, delivery address and transaction history. These systems may lead to temporary blocking of a transaction or suspension of an account, in which case the User is notified and may request a manual review of the decision.

In cases where the Platform's anti-fraud mechanisms flag a suspicious transaction, the Operator reserves the right to request additional identity verification documents from the Buyer, including a copy of the identity document and proof of address. These documents are processed exclusively for the purpose of verifying the legitimacy of the transaction and are kept for a period of 6 (six) months from the date of verification, corresponding to the chargeback period, after which they are deleted, except where retention is necessary in the context of an investigation or under a legal obligation.

G. Merchant data

Company name / name and surname of the authorized natural person, IDNO/IDNP, registered office address / domicile, contact details (email, phone), bank details (IBAN, SWIFT, bank name), legal representative data, invoice series and number ranges, logo, signature and stamp (if uploaded in the Administration Panel), transaction history and performance indicators.

Additionally, within identity verification (KYC) procedures, the Operator may collect copies of identity documents of the legal representative or authorized natural person, registration certificates, extracts from the State Register and other supporting documents. These documents are kept exclusively for the duration of the contractual relationship and are deleted within 30 days of termination of the Contract, except where retention is required by law.

H. Data of corporate Buyers (B2B)

Company name, IDNO, VAT code, registered office address, contact person details (name, surname, position, email, phone), delivery and billing address. This data is processed for the purpose of order execution, invoicing and compliance with tax obligations.

I. Reviews and ratings

Buyers may publish reviews of purchased products. Reviews are displayed publicly on the Platform together with the Buyer's first name and initial of the surname (for example, «John S.»). By publishing a review, the User consents to the public display of this data.

J. Warranty claims and returns data

Buyers may submit, through the Platform, warranty claims or return requests, in which they may upload photographs of the defects found, descriptions of the problem and other supporting documents. This data is processed on the basis of contract performance (Art. 6(1)(b) GDPR) and is transmitted to the relevant Merchant for the purpose of resolving the claim.

Photographs and documentation related to claims are kept for the duration of the dispute resolution and for an additional 6 (six) months after its completion (corresponding to the chargeback period), after which they are automatically deleted.

K. Data obtained through Social Login authentication

When authenticating through a Google or Facebook account, the Operator receives: name, surname, email address and, where applicable, profile photo. The Operator does not have access to the User's Google or Facebook account password. Data received through Social Login is used exclusively for authentication and User account management.

L. Candidate data («Work with us» section)

Persons applying for a job through the «Work with us» section of the Platform provide the following data: name, surname, email address, phone number, curriculum vitae (CV), cover letter and other supporting documents attached to the application.

This data is processed on the basis of the candidate's consent (Art. 6(1)(a) GDPR) and the Operator's legitimate interest in recruiting personnel (Art. 6(1)(f) GDPR). Candidate data is kept for a maximum period of 12 (twelve) months from the date of application, for the purpose of evaluating candidacy for future positions, after which it is automatically deleted. The candidate may request deletion of their data at any time at mydata@ivo.md.

M. Google reCAPTCHA

The Platform uses the Google reCAPTCHA service, provided by Google LLC, for protection of forms against automated access (bots). reCAPTCHA may collect IP address, cookies, browsing behavior data and device technical identifiers. Data is processed by Google in accordance with its own Privacy Policy. The use of reCAPTCHA falls under the Operator's legitimate interest in ensuring Platform security (Art. 6(1)(f) GDPR).

3.1. The Operator processes personal data for the following purposes and on the basis of the following legal grounds:

3.2. In the case of consent-based processing, the User has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

3.3. Consent withdrawal can be done through: newsletter unsubscribe (unsubscribe link in email), changing cookie settings or by sending a request to mydata@ivo.md.

4.1. The Platform uses cookies and similar local storage technologies to ensure the proper functioning of the Platform, to improve the User experience and to provide personalized marketing services.

4.2. Categories of cookies used:

4.3. The User can manage cookie preferences through the consent banner displayed on the first visit to the Platform or through browser settings.

4.4. Disabling certain cookies may affect the functionality of the Platform.

5.1. The Operator may transmit personal data of Users to the following categories of third parties, exclusively to the extent necessary to fulfill the purposes described in Section 3:

A. Payment processors

Authorized payment processors (banking institutions and payment service providers from the Republic of Moldova and abroad). These providers process payment data in accordance with PCI DSS standards and their own privacy policies. The list of payment processors used may be obtained upon request by sending a request to mydata@ivo.md.

B. Courier services

Partner courier and postal services, used for order delivery. Data transmitted: recipient name, delivery address, phone number, IDNO/IDNP. The list of partner couriers may be obtained upon request by sending a request to mydata@ivo.md.

C. Analytics, marketing and security services

Google LLC (Google Analytics, Google Ads, Google reCAPTCHA) and Meta Platforms Ireland Ltd (Facebook Pixel / Conversions API). These services may process data outside the European Economic Area, with appropriate safeguards (Standard Contractual Clauses, adequacy decisions).

Microsoft Corporation (Microsoft Clarity) – user behavior analysis service on the Platform (heatmaps, anonymized session recordings). Data collected may include: clicks, scroll, interface element interactions, anonymized IP address.

D. Merchants

Merchants registered on the Platform receive the data necessary for order execution (name, delivery address, phone). Merchants are contractually obligated to use this data exclusively for the purpose of Order execution.

Legal capacity: Merchants act as independent personal data controllers for data received for the purpose of order execution and are fully responsible for compliance with data protection legislation regarding the further processing of such data. IVO Marketplace is not liable for processing carried out by Merchants outside the contractually specified purposes.

E. Infrastructure providers

Hosting and data storage service providers, with servers located in the European Union (Finland). The Operator may use, where applicable, CDN services and DDoS protection provided by third parties.

F. Mapping services

OpenStreetMap Foundation – map services for displaying delivery addresses and locating pickup points. Data transmitted may include delivery address and approximate geographic coordinates.

G. External accounting services provider

The Operator may use the services of an external accounting provider, who processes personal data as a processor, for the purpose of keeping accounting and tax records. Data transmitted may include: name, surname, IDNO/IDNP, address, invoice data and other tax documents. The external provider is contractually obligated to respect the confidentiality and security of processed data.

H. SMS service providers

External SMS messaging service providers (transactional notifications, verification codes, delivery notifications). Data transmitted: the User's phone number and message content.

I. Authentication providers (Social Login)

Google LLC and Meta Platforms Ireland Ltd – authentication services through Google or Facebook account. When authenticating through Social Login, the Operator receives from the provider: name, surname, email address and, where applicable, profile photo. The Operator does not have access to the User's Google or Facebook account password.

5.2. The Operator does not sell, rent or transfer personal data of Users to third parties for marketing purposes, except in cases where the User has given explicit consent.

5.3. The Operator may disclose personal data to public authorities, law enforcement bodies, financial institutions or regulatory authorities, where this is required by law, by a court decision or is necessary for the defense of the Operator's legitimate rights and interests.

6.1. Personal data is stored on servers located in the European Union (Finland).

6.2. In cases where certain service providers (Google, Meta) process data outside the European Economic Area, the transfer is carried out on the basis of one of the following mechanisms:

a) Adequacy decisions issued by the European Commission;

b) Standard Contractual Clauses (SCC) approved by the European Commission;

c) Other appropriate safeguards provided by applicable legislation.

7.1. The Operator retains personal data for the period necessary to fulfill the purposes for which it was collected, as follows:

7.2. Upon expiration of the storage period, personal data is deleted or irreversibly anonymized.

7.3. After deletion of the User account, personal data is removed from active systems within 30 calendar days, except for data that the Operator is required to retain under legal obligations (tax data – 5 years).

7.4. Personal data may temporarily remain in backup copies for a limited period before being permanently deleted. Backup copies are protected by the same technical and organizational measures as data in active systems.

8.1. In accordance with Law No. 133/2011 and, where applicable, GDPR, the User enjoys the following rights:

a) Right of access – the right to obtain confirmation of processing of their data and a copy thereof;

b) Right to rectification – the right to request correction of inaccurate data or completion of incomplete data;

c) Right to erasure («right to be forgotten») – the right to request deletion of data, subject to legal retention obligations;

d) Right to restriction of processing – the right to request limitation of processing in certain circumstances;

e) Right to data portability – the right to receive data provided in a structured, commonly used and machine-readable format;

f) Right to object – the right to object to processing based on legitimate interest, including profiling;

g) Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them;

h) Right to lodge a complaint with the National Centre for Personal Data Protection of the Republic of Moldova (CNPDCP).

8.2. To exercise any of these rights, the User may send a written request to: mydata@ivo.md.

8.3. The Operator will respond to the request within a maximum of 30 calendar days from receipt of the request. In complex cases, the deadline may be extended by an additional 30 days, with prior notification to the User.

8.4. The Operator may request verification of the User's identity before processing the request, for the purpose of protecting data against unauthorized access.

9.1. The Operator implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, alteration or disclosure, including:

a) Encryption of data transmissions through SSL/TLS protocol;

b) Storage of data on secure servers in the European Union (Finland);

c) Use of DDoS protection services and web application firewall (WAF);

d) Role-based access control and multi-factor authentication for authorized personnel;

e) Periodic security audits and data access logging;

f) Security incident notification procedures in accordance with applicable legislation.

9.2. Despite the measures implemented, the Operator cannot guarantee absolute security of data transmission over the Internet. The User is responsible for maintaining the confidentiality of their own access credentials.

9.3. In the event of a security incident affecting personal data, the Operator will notify the National Centre for Personal Data Protection (CNPDCP) and, if necessary, the data subjects, within the deadlines provided by applicable legislation.

10.1. The Operator may send marketing communications to Users by email (newsletter, promotional offers, product recommendations), exclusively based on the User's express consent.

10.2. The User may withdraw consent at any time by:

a) Accessing the unsubscribe link included in each marketing email;

b) Changing settings in the User account;

c) Sending a request to mydata@ivo.md.

10.3. Withdrawal of consent does not affect transactional communications (order confirmations, delivery notifications, invoices), which are sent on the basis of contract performance.

11.1. The Operator uses behavioral data (viewed products, searches, purchase history) to personalize the Platform experience, including recommending products that may interest the User.

11.2. Profiling is carried out on the basis of the Operator's legitimate interest (Art. 6(1)(f) GDPR) and does not produce legal effects or similarly significant effects on the User.

11.3. The User has the right to object to profiling at any time, by sending a request to mydata@ivo.md or by changing settings in the User account.

11.4. The Operator uses automated mechanisms for fraud detection (analysis of transaction patterns, card BIN verification, correlations between IP/card country/device/delivery address). The Operator may temporarily suspend accounts or transactions pending completion of security checks, in which case the User is notified and may request a manual review of the decision.

12.1. The Platform is not intended for persons under the age of 18. The Operator does not intentionally collect personal data from minors.

12.2. If the Operator discovers that it has collected data from a minor, such data will be immediately deleted and the account will be deactivated.

13.1. IVO Marketplace acts as a technological intermediary between Buyers and Merchants. Buyer data is transmitted to Merchants exclusively for the purpose of order execution.

13.2. In the case of payments made through the Platform, funds may be processed and temporarily managed by the Operator before being transferred to Merchants, in accordance with contractual conditions. Payment data is processed exclusively for the purpose of transaction execution and is not used for other purposes.

13.3. The Operator may analyze suspicious transactions and may temporarily suspend accounts or transactions pending completion of security checks, on the basis of legitimate interest in fraud prevention.

14.1. The Operator reserves the right to modify this Policy at any time, by publishing the updated version on the Platform.

14.2. Users will be notified of substantial changes to the Policy through the Platform or by email, at least 15 calendar days before entry into force.

14.3. Continued use of the Platform after the changes come into effect constitutes acceptance of the new version of the Policy.

Ivo Marketplace S.R.L.

IDNO: 1024602014330

Registered office: mun. Bălți, str. Filip Nicolae, 2, Republic of Moldova

Data protection email: mydata@ivo.md

DPO: Claudio Mulas

Supervisory authority: National Centre for Personal Data Protection of the Republic of Moldova (CNPDCP)

CNPDCP Website: www.datepersonale.md