Trust is our product. Mark3t builds trust infrastructure for high-value resale, and that begins with how we treat your data: we collect the minimum, we explain everything, we sell nothing. This policy covers the mark3t.ai website and the Mark3t Passport, and is written to satisfy the EU GDPR and applicable US state privacy laws, including the California CCPA/CPRA.
01Who We Are
The data controller is Zernica Corp dba Mark3t SASU (SIRET 100 359 744 00016), 66 Avenue des Champs-Élysées, 75008 Paris, France. Privacy questions and rights requests: Bonjour@mark3t.ai. Our lead supervisory authority is the French CNIL.
02The Data We Collect
- Identity & account. Name, email, phone, hashed password, language, country; for professional sellers and vendors, business registration details (e.g., SIRET, VAT number) and the legal representative’s identity.
- Verification & trust. Identity verification outcomes from our verification provider (who retains source documents under contract — we do not store them), and the reputation and performance data you choose to connect from external marketplaces: the inputs to your Passport and Trust Score.
- Transactions. Items, amounts, dates, counterparties, status. Payments are handled by our payment provider; Mark3t never stores full card numbers.
- Device & usage. IP address, device and browser type, pages viewed, referral source, and cookie data (see §10).
- Communications. Messages you send us, your marketing consent records, and email engagement data where lawfully collected.
We do not collect special-category data (health, religion, political opinions, and similar) and ask you not to submit it in free-text fields. The platform is for adults: we do not knowingly collect data from anyone under 18.
03Why We Use It, and On What Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the platform, your account, the Passport, and transactions | Performance of our contract with you |
| Verifying the identity and credentials of professional sellers and vendors | Contract; legal obligation where anti-fraud or KYC rules apply |
| Computing and displaying Trust Scores from the sources you connect | Contract — the score is the service; your consent for each connected source |
| Security, fraud prevention, and abuse detection | Our legitimate interest in protecting the platform and its users |
| Service and transactional emails (receipts, alerts, status updates) | Performance of our contract |
| Marketing emails and newsletters | Your consent — withdrawable at any time, in one click |
| Product analytics and improvement | Legitimate interest, using minimised or aggregated data; consent where cookies require it |
| Tax, accounting, and responses to lawful requests | Legal obligation |
Where we rely on legitimate interest, you can object at any time (§8). We never use your data for purposes incompatible with this table.
04Trust Scores & Automated Decisions
The Passport evaluates professional performance signals to produce a trust score — profiling, in GDPR terms. Our commitments: you can see which sources feed your score and the principal factors behind material changes; no decision with legal or similarly significant effects (refusal of verification, suspension, removal of Passport status) is taken by automated means alone — a human reviews first; and you can contest any score or verification outcome at Bonjour@mark3t.ai, with a reasoned response within 30 days. Score inputs are limited to professional conduct signals — never private-life data, and never inferred sensitive attributes.
05Who Receives Your Data
We do not sell your personal data, and we do not “share” it for cross-context behavioural advertising as defined by the CCPA/CPRA. Data is disclosed only to: service providers acting under contract and on our instructions (hosting, email, verification, payments, analytics); counterparties, to the extent a transaction or your Passport visibility settings require; professional advisers under confidentiality; public authorities where the law compels it, after validating the request; and a successor entity in the event of corporate restructuring, under equivalent protections and with notice.
06International Transfers
We are established in France and store primary data in the EU/EEA. Where a provider processes data outside the EEA, we rely on European Commission adequacy decisions (including the EU–US Data Privacy Framework for certified providers) or the 2021 Standard Contractual Clauses with supplementary safeguards. Details of providers and mechanisms are available on request.
07How Long We Keep It
| Data | Retention |
|---|---|
| Account and profile data | Life of the account, then archived up to 3 years (limitation periods) |
| Verification outcomes | Life of the Passport + 3 years; source documents deleted by the provider after verification |
| Trust Score inputs and history | Life of the Passport; connected-source data deleted on disconnection |
| Transaction and invoice records | 10 years (French commercial law) |
| Marketing consents and unsubscribe (suppression) records | Consent proof: 3 years. Suppression entries: kept permanently so we never email you again by mistake |
| Inactive marketing contacts | Deleted or re-permissioned after 3 years without engagement |
| Cookies | Maximum 13 months (see §10) |
| Support correspondence | 3 years after resolution |
| Security logs | 12 months |
08Your Rights — EU/EEA & UK
You may: access your data and obtain a copy; rectify it; request erasure; restrict processing; receive your data in a portable format; object to processing based on legitimate interest — and to direct marketing without giving any reason, always honoured; withdraw consent at any time; and not be subject to solely automated decisions with significant effects (§4). Write to Bonjour@mark3t.ai from your account address; we respond within one month (extendable for complex requests, with notice). We ask only the minimum identity proof necessary and delete it after verification. You may complain to the CNIL (cnil.fr) or your local authority — though we would welcome the chance to resolve it first.
09Your Rights — United States, Including California
California residents (and residents of other states with comprehensive privacy laws) may: request the categories and specific pieces of personal information we hold, its sources, purposes, and recipients; request deletion, subject to statutory exceptions; request correction; opt out of sale or sharing — noting that we do not sell or share personal information, and if that ever changed we would first add a “Do Not Sell or Share” link and honour Global Privacy Control signals; limit the use of sensitive personal information — which we already use only for permitted service, security, and compliance purposes; and exercise all of this without discrimination. Email Bonjour@mark3t.ai with the subject “US Privacy Request”; we respond within 45 days (extendable once, with notice). Authorized agents may act with your signed permission. Refusals can be appealed at the same address, reviewed by a different decision-maker.
10Cookies & Similar Technologies
In the EU, no non-essential cookie is set before you consent, and declining is exactly as easy as accepting. Your choice is remembered for six months, and a “Cookie settings” link in the footer lets you change it at any time. Categories in use:
| Category | Purpose | Basis | Lifetime |
|---|---|---|---|
| Strictly necessary | Login sessions, security, load balancing, storing your consent choice | Exempt from consent | Session to 6 months |
| Functional | Language and interface preferences | Consent | ≤ 6 months |
| Analytics | [Tool]: aggregate audience measurement | Consent (or CNIL-exempt configuration) | ≤ 13 months |
| Advertising / social | None deployed. Any future introduction: prior consent (EU), opt-out incl. GPC (US), and this table updated first | Consent | — |
Blocking strictly necessary cookies may break login and checkout; blocking everything else has no functional consequence, by design.
11Security
TLS encryption in transit and at rest, role-based least-privilege access, multi-factor authentication on administrative systems, encrypted backups, audit logging, vendor security review, and penetration testing as we scale. Breaches likely to pose a risk are notified to the CNIL within 72 hours and to affected individuals without undue delay where the risk is high.
12Changes & Contact
We review this policy at least annually and announce significant changes by email or platform notice before they take effect; the version published here, with its last-updated date, is authoritative. Questions and requests: Bonjour@mark3t.ai · Zernica Corp dba Mark3t SASU, 66 Avenue des Champs-Élysées, 75008 Paris, France.
