Privacy Policy
Last updated: May 24, 2026
ShopyLocal is operated by Idriss Jordane Mba Takoukam, in the process of registering as a self-employed entrepreneur (preduzetnik) in the Republic of Serbia, based in Belgrade. This policy describes, in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Serbian Personal Data Protection Act (Закон о заштити података о личности, "ZZPL"), what personal data we process, the legal basis we rely on, who receives it, how long we keep it, and what rights you have.
Personal data we process
Identification data: first name, last name, email address, hashed password, preferred language, time zone, country.
Store data: name, subdomain, logo, configuration, templates, categories, products and their media assets, payment settings.
Order data: items ordered, amount, identifier and contact details of the end customer (entered by the customer or the merchant), delivery address, status.
Payment data: we never store full payment card numbers or CVV codes; only a transaction identifier and the last four digits are kept via our processor Paddle.
Technical data: truncated IP address, browser and OS information, viewed pages, session identifiers, error logs.
Communication data: messages submitted via the contact form, support emails, content of order notifications.
Legal bases for processing
Each processing activity relies on a legal basis under Article 6 GDPR and Article 12 ZZPL:
(1) Performance of the contract to provide the service, route orders, bill the subscription, send transactional notifications.
(2) Compliance with legal obligations regarding invoicing, fraud prevention, and responses to competent authorities.
(3) Legitimate interests for platform security, abuse prevention, anonymized audience measurement, and continuous improvement.
(4) Free, informed and revocable consent for non-essential cookies, marketing communications, and third-party sign-in (Google).
You can withdraw consent at any time from the cookie banner or your account settings, without affecting the lawfulness of prior processing.
Purposes of processing
Your personal data is used to: operate your online store, process and route orders, send notifications by email and WhatsApp, bill and renew your subscription through Paddle, deliver customer support, secure the platform against intrusion and abuse, measure audience anonymously, and inform you of significant changes to the service. We never sell, rent or trade your personal data. No automated decision producing legal effects on you is made on the basis of your data.
Cookies and tracking
Strictly necessary cookies (always active): session keep-alive, language preference, security (anti-CSRF, Cloudflare Turnstile). Analytics cookies (consent required): anonymized Google Analytics to understand the most visited pages. We do not set advertising cookies or cross-site trackers. You manage your choices from the consent banner shown on first visit or from the footer. Withdrawing consent is as easy as giving it.
Sub-processors and recipients
Exhaustive list of our sub-processors within the meaning of Article 28 GDPR:
Supabase Inc. (United States, data hosted in the EU, database + authentication + storage)
Paddle.com Market Limited (United Kingdom / United States, billing and Merchant of Record for subscriptions)
Cloudflare Inc. (United States, CDN, DDoS protection and Turnstile anti-bot)
Google LLC (United States, optional Google sign-in and analytics if consented)
SMTP providers for transactional emails
WhatsApp Business providers for order notifications
Each sub-processor is bound by a Data Processing Agreement (DPA) and processes your data only on our documented instructions. An up-to-date list is available on request at [email protected].
International data transfers
Some sub-processors (Supabase, Paddle, Cloudflare, Google) are established in the United States or the United Kingdom. Transfers outside the European Economic Area are governed by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, by the EU-US Data Privacy Framework. For Serbia, transfers comply with Articles 63 to 65 ZZPL. A list of destination countries and applicable safeguards is provided on request.
Security measures
We apply technical and organizational measures proportionate to the risk (Article 32 GDPR): TLS 1.3 encryption in transit, encryption at rest for databases and storage, Argon2 / bcrypt password hashing, optional two-factor authentication, short-lived signed JWT tokens, role-based access controls, audit logging of sensitive actions, encrypted daily backups, regular security reviews, and least-privilege access. We notify the supervisory authority and affected individuals in the event of a data breach in accordance with Articles 33 and 34 GDPR.
Retention periods
Account data: retained while the account is active, deleted within 30 days after account deletion.
Store and order data: retained for the duration of the subscription, archived for 30 days after termination, then deleted (subject to legal obligations).
Invoices and accounting records: retained for 10 years to comply with accounting obligations.
Technical and security logs: retained for up to 12 months.
Prospect data (waitlist, contact): retained for 3 years from the last active interaction.
Cookies: lifespan specified per category in the consent banner (maximum 13 months for analytics cookies).
Your rights, deletion and portability
In accordance with the GDPR and the Serbian Personal Data Protection Act, you have the following rights over your data: right of access and to obtain a copy, right of rectification, right of erasure ("right to be forgotten"), right to restriction of processing, right to portability (structured CSV / JSON export), right to object to processing based on legitimate interest, and right to lodge a complaint with the competent supervisory authority (Повереник за информације од јавног значаја и заштиту података о личности in Serbia, CNIL in France, supervisory authority of your country of residence for other EU citizens). To exercise these rights or to request the deletion of your account, write to [email protected] with your request. Deletion triggers erasure of your personal data within 30 days, except for records we are legally required to retain (invoices, security logs).
Language of authority
This policy is published in multiple languages for convenience. In the event of any inconsistency between the versions, the English version shall prevail as the legally binding version.
To exercise your rights or ask a privacy question, contact: [email protected]