Privacy Policy

Last updated: December 4, 2025

1. Introduction

At Alabast.ai, operated by [PLACEHOLDER: Company Name], registered at [PLACEHOLDER: Registered Address], Registration Number: [PLACEHOLDER: Registration Number], VAT Number: [PLACEHOLDER: VAT Number] ("we," "our," or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketplace platform and services.

Data Controller: We are the data controller responsible for processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and applicable national data protection laws.

Please read this Privacy Policy carefully. By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

Information You Provide

  • Account Information: Username, email address, password (hashed), and profile information
  • Payment Information: Billing address, payment method details (processed securely through our payment providers)
  • Purchase Information: Transaction history, purchased models, and download records
  • Communication: Messages sent through our contact forms or support channels
  • Model Submissions: If you're a creator, information about models you submit, including descriptions and metadata

Automatically Collected Information

  • Usage Data: Pages visited, time spent on pages, click patterns, and navigation paths
  • Device Information: IP address, browser type, device type, operating system, and screen resolution
  • Cookies and Tracking: Information collected through cookies, web beacons, and similar tracking technologies

3. How We Use Your Information and Legal Basis

We use the information we collect for the following purposes and based on the legal bases indicated:

Performance of Contract (Article 6(1)(b) GDPR)

  • Provide, maintain, and improve our Service
  • Process transactions and send related information, including purchase confirmations
  • Manage your account and authenticate your identity
  • Deliver purchased models and provide customer support

Legitimate Interests (Article 6(1)(f) GDPR)

  • Monitor and analyze usage patterns and trends to improve our Service
  • Detect, prevent, and address technical issues and security threats
  • Personalize your experience and provide content and features relevant to your interests
  • Enforce our Terms of Service and prevent fraud or abuse
  • Conduct business analytics and research

Consent (Article 6(1)(a) GDPR)

  • Send marketing communications (you may withdraw consent at any time)
  • Use non-essential cookies and tracking technologies

Legal Obligation (Article 6(1)(c) GDPR)

  • Comply with legal obligations, including tax and accounting requirements
  • Respond to legal requests and court orders
  • Maintain records as required by law

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

Service Providers (Data Processors)

We may share information with third-party service providers who perform services on our behalf in accordance with GDPR Article 28 (Processor Agreements). These include:

  • Payment processing companies (Stripe, PayPal)
  • Cloud hosting and storage providers (AWS, etc.)
  • Analytics and monitoring services
  • Email service providers
  • Customer support platforms

These providers are contractually obligated to protect your information in accordance with GDPR requirements, use it only for the purposes we specify, and implement appropriate technical and organizational measures. We enter into data processing agreements (DPAs) with all processors that comply with GDPR Article 28.

Sub-processors: Our processors may use sub-processors. We ensure that all sub-processors are bound by the same data protection obligations. We will notify you of any changes to our sub-processors through updates to this Privacy Policy.

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to comply with legal obligations under GDPR Article 6(1)(c).

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and ensure the acquiring entity agrees to protect your information in accordance with this Privacy Policy.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Secure payment processing through certified providers

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies in compliance with the EU ePrivacy Directive (Directive 2002/58/EC) and applicable national laws. Cookies are small data files stored on your device.

Cookie Consent: We obtain your consent before placing non-essential cookies on your device. Essential cookies necessary for the Service to function do not require consent but are limited to what is strictly necessary.

We use cookies for:

  • Essential Cookies: Authentication and session management (required for Service functionality)
  • Functional Cookies: Remembering your preferences and settings
  • Analytics Cookies: Analyzing usage patterns and improving our Service (with your consent)
  • Marketing Cookies: Providing personalized content and advertisements (with your consent)

Third-Party Tracking: We may use third-party analytics services (such as Google Analytics) that use cookies and similar technologies. These services are subject to their own privacy policies. You can opt out of certain third-party tracking through your browser settings or the service provider's opt-out mechanisms.

Managing Cookies: You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. You can also manage cookie preferences through our cookie consent banner. However, if you do not accept essential cookies, you may not be able to use some portions of our Service.

7. Your Rights Under GDPR

If you are located in the EU, you have the following rights under GDPR Articles 15-22:

  • Right of Access (Article 15): Request access to the personal information we hold about you, including information about how we process it
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete information
  • Right to Erasure ("Right to be Forgotten") (Article 17): Request deletion of your personal information, subject to legal obligations and legitimate interests
  • Right to Restriction of Processing (Article 18): Request restriction of processing in certain circumstances
  • Right to Data Portability (Article 20): Request transfer of your data to another service in a structured, commonly used format
  • Right to Object (Article 21): Object to processing of your information for direct marketing or based on legitimate interests
  • Right to Withdraw Consent (Article 7): Withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal
  • Right to Lodge a Complaint (Article 77): Lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights

Exercising Your Rights: To exercise any of these rights, please contact us through our Contact Us page or email us at [PLACEHOLDER: Privacy Email]. We will respond to your request within 30 days (or inform you if we need more time, up to 60 days for complex requests) as required by GDPR Article 12(3).

Verification: We may need to verify your identity before processing your request to protect your privacy and security.

No Fee: You will not have to pay a fee to exercise your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (GDPR Article 5(1)(e)).

Retention Periods:

  • Account Information: Retained while your account is active and for 3 years after account closure, unless you request earlier deletion (subject to legal obligations)
  • Transaction Records: Retained for 7 years for tax and accounting purposes as required by EU law
  • Marketing Communications Data: Retained until you withdraw consent or opt out
  • Support Communications: Retained for 3 years after the last interaction
  • Legal Claims: Retained for the duration of any legal proceedings plus applicable limitation periods

Deletion: When we no longer need your information, we will securely delete or anonymize it in accordance with GDPR Article 17. Deletion may be delayed if information is needed for legal proceedings or compliance with legal obligations.

Backup Data: Information in backup systems may be retained for a limited period but will not be actively processed.

9. Children's Privacy

Our Service is not intended for individuals under the age of 18. In accordance with GDPR Article 8, we do not knowingly collect personal information from children under 16 (or the age specified by your member state, which may be as low as 13) without verifiable parental consent.

Age Verification: If you are under 18, you may only use the Service with the consent and supervision of a parent or legal guardian who agrees to be bound by our Terms of Service and this Privacy Policy on your behalf.

Parental Rights: If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately. We will delete such information upon verification of your relationship and the child's age.

Parental Consent Procedures: For users between 16 and 18, we may require verification of parental consent before processing personal data, in accordance with applicable member state laws.

10. International Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA) that may have data protection laws differing from those in the EU.

Transfer Safeguards: We ensure that all international transfers comply with GDPR Chapter V requirements through one or more of the following mechanisms:

  • Adequacy Decisions: Transfers to countries with adequacy decisions by the European Commission (GDPR Article 45)
  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses (GDPR Article 46(2)(c)) with all processors and sub-processors in non-adequate countries
  • Binding Corporate Rules: Where applicable, we rely on binding corporate rules for intra-group transfers
  • Other Appropriate Safeguards: Additional safeguards as required by GDPR Article 46

Your Rights: You have the right to obtain a copy of the safeguards we use for international transfers by contacting us. Transfers are limited to what is necessary for the purposes described in this Privacy Policy.

Third-Country Processors: Our service providers (such as AWS, Stripe, PayPal) may process data in the United States and other countries. We ensure all such transfers are protected by appropriate safeguards, including SCCs.

11. Data Breach Notification

In accordance with GDPR Articles 33 and 34, we have procedures in place to detect, report, and investigate personal data breaches.

Notification to Supervisory Authority: In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33(1)).

Notification to Data Subjects: If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (GDPR Article 34(1)). The notification will include:

  • Description of the nature of the breach
  • Name and contact details of our data protection officer or contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

Communication Methods: We will notify you of breaches via email to the address associated with your account, or through a prominent notice on our Service if email is not available.

No Notification Required: We are not required to notify you if: (a) we have implemented appropriate technical and organizational measures that render the data unintelligible to unauthorized persons (e.g., encryption); (b) we have taken subsequent measures to ensure the high risk is no longer likely to materialize; or (c) notification would involve disproportionate effort (GDPR Article 34(3)).

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

Material changes will be communicated through email or prominent notices on our Service at least 30 days before they take effect, where required by law. Your continued use of the Service after such modifications constitutes acceptance of the updated Privacy Policy.

13. Contact Us and Supervisory Authority

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or to exercise your GDPR rights, please contact us:

  • Company: [PLACEHOLDER: Company Name]
  • Registered Address: [PLACEHOLDER: Registered Address]
  • Registration Number: [PLACEHOLDER: Registration Number]
  • VAT Number: [PLACEHOLDER: VAT Number]
  • Data Protection Officer (if applicable): [PLACEHOLDER: DPO Name and Contact]
  • EU Representative (if applicable): [PLACEHOLDER: EU Representative Name and Contact]
  • Privacy Contact: Through our Contact Us page or email: [PLACEHOLDER: Privacy Email]

Supervisory Authority: If you are located in the EU and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. You can find your supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Our Supervisory Authority: [PLACEHOLDER: Supervisory Authority Name and Contact Information]