Privacy Policy
Last updated: January 2025
Your Privacy Matters
Reptimorph is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Introduction and Data Controller
This Privacy Policy describes how Reptimorph ('we', 'us', 'our') collects, processes, and protects personal data when you use our platform at reptimorph.io.
Data Controller:
Reptimorph
Email: contact@reptimorph.io
Data Protection Officer: contact@reptimorph.io
(Complete address will be added upon company registration)
By using Reptimorph, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.
2. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract Performance (Art. 6.1.b): Processing necessary to provide our platform services and facilitate transactions
- Legal Obligation (Art. 6.1.c): Compliance with tax, accounting, anti-fraud, and other legal requirements
- Legitimate Interest (Art. 6.1.f): Platform security, fraud prevention, service improvement, and marketing to existing customers
- Consent (Art. 6.1.a): Optional features like marketing communications and certain cookies (can be withdrawn anytime)
3. Personal Data We Collect
3.1 Information You Provide Directly
- Account Information: Username, email address, password (encrypted), date of birth, country/region
- Profile Information: Display name, bio, profile photo, breeder information, social media links (optional)
- Contact Information: Shipping address, billing address, phone number
- Payment Information: Payment method details (processed securely by Stripe - we do not store full card numbers)
- Identity Verification: Government-issued ID, business registration documents (for verified sellers)
- Listing Content: Photos, descriptions, prices, animal information, morph details
- Communications: Messages between users, support inquiries, reviews, forum posts
3.2 Information Collected Automatically
- Device Information: IP address, browser type and version, operating system, device identifiers
- Usage Data: Pages visited, time spent on pages, click patterns, search queries, features used
- Location Data: Approximate location based on IP address (precise location only with your permission)
- Cookies and Tracking: See the Cookies and Tracking Technologies section below for details
- Transaction Data: Purchase history, listing views, saved searches, watchlist items
3.3 Information from Third Parties
- Payment Processors: Transaction confirmation, fraud detection data from Stripe
- Social Media: Profile information if you sign up via social login (Google, Facebook)
- Analytics Services: Aggregated usage statistics from Google Analytics, Vercel Analytics
- Anti-Fraud Services: Risk assessment data from fraud prevention partners
4. How We Use Your Personal Data
We use your personal data for the following purposes:
4.1 Platform Services
- Create and manage your account
- Enable listing creation and browsing
- Facilitate communication between buyers and sellers
- Process payments and transactions
- Provide customer support
- Send transactional emails (order confirmations, shipping updates)
4.2 Platform Security and Integrity
- Detect and prevent fraud, spam, and abuse
- Verify user identity and breeder credentials
- Enforce our Terms of Service
- Protect against unauthorized access and security threats
- Investigate policy violations and illegal activity
4.3 Platform Improvement
- Analyze usage patterns and user behavior
- Develop and test new features
- Improve search algorithms and recommendations
- Optimize platform performance and user experience
- Conduct research and analytics
4.4 Marketing and Communications (with consent)
- Send promotional emails about new features, listings, or offers
- Display personalized recommendations
- Show targeted advertising (can opt out)
- Conduct surveys and request feedback
4.5 Legal Compliance
- Comply with legal obligations (tax reporting, CITES verification)
- Respond to legal requests and court orders
- Maintain records for accounting and auditing
- Cooperate with law enforcement when required
5. How We Share Your Data
We do not sell your personal data to third parties. We may share your data in the following circumstances:
5.1 Between Platform Users
- Sellers can see the buyer's shipping address and contact information for order fulfillment
- Buyers can see the seller's public profile, ratings, and reviews
- Public profile information is visible to all users
5.2 Service Providers
We share data with trusted third-party service providers who help us operate the platform:
- Stripe: Payment processing (subject to Stripe's privacy policy)
- Email Service Providers: Transactional and marketing emails (e.g., Brevo)
- Analytics Providers: Usage analytics (Google Analytics, Vercel Analytics)
- Customer Support Tools: Support ticket management
- All service providers are contractually bound to protect your data and use it only for specified purposes
5.3 Legal Requirements
We may disclose your data when required by law or to:
- Comply with legal processes (subpoenas, court orders)
- Enforce our Terms of Service
- Protect the rights, property, or safety of Reptimorph, users, or the public
- Prevent fraud or illegal activities
- Cooperate with wildlife authorities on CITES compliance
5.4 Business Transfers
If Reptimorph is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate.
When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection standards
- Privacy Shield Framework compliance (where applicable)
- Binding Corporate Rules for multinational service providers
You have the right to request information about the safeguards we use for international transfers by contacting our DPO.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy or as required by law:
| Data Type | Retention Period |
|---|---|
| Account Information | Until account deletion + 30 days |
| Transaction Records | 7 years (tax/accounting requirements) |
| Messages & Communications | 3 years after last activity |
| Listings (Active) | Until removed by seller |
| Listings (Sold/Expired) | 1 year for reference |
| Support Tickets | 3 years |
| Analytics Data | 26 months (anonymized after 14 months) |
| Marketing Consent | Until withdrawn |
| Legal/Fraud Records | As required by law or ongoing investigation |
After the retention period expires, we will securely delete or anonymize your data. Some data may be retained in anonymized form for statistical analysis.
8. Your Rights Under GDPR
Under the GDPR and applicable data protection laws, you have the following rights:
8.1 Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including information about processing purposes, recipients, and retention periods.
8.2 Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data. You can update most information directly in your account settings.
8.3 Right to Erasure / 'Right to be Forgotten' (Art. 17)
Request deletion of your personal data, subject to legal retention requirements. Note: We may retain certain data for legal compliance, fraud prevention, or dispute resolution.
8.4 Right to Restriction of Processing (Art. 18)
Request temporary restriction of data processing in certain circumstances (e.g., while verifying accuracy of contested data).
8.5 Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
8.6 Right to Object (Art. 21)
Object to processing based on legitimate interests or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Withdraw Consent (Art. 7.3)
Withdraw consent for processing at any time (e.g., marketing emails, optional cookies). This does not affect the lawfulness of processing based on consent before withdrawal.
8.8 Right to Lodge a Complaint (Art. 77)
File a complaint with your national data protection authority if you believe we have violated your rights:
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) - cnil.fr
- Other EU countries: Contact your local data protection authority
How to Exercise Your Rights
To exercise any of these rights, contact us at contact@reptimorph.io or through your account settings. We will respond within 30 days. In some cases, we may need to verify your identity before processing your request.
9. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Data in transit protected by TLS/SSL encryption; passwords hashed using bcrypt
- Access Controls: Strict access limitations; role-based permissions; multi-factor authentication for staff
- Secure Infrastructure: Cloud hosting with SOC 2 Type II certified providers
- Payment Security: PCI DSS compliant payment processing through Stripe (we do not store full card numbers)
- Regular Security Audits: Vulnerability scanning, penetration testing, and security reviews
- Data Backups: Regular encrypted backups with secure off-site storage
- Incident Response: Procedures for detecting, reporting, and responding to data breaches
- Employee Training: Regular security and privacy training for staff with data access
Important: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. Notify us immediately if you suspect unauthorized access to your account.
10. Children's Privacy
Reptimorph is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18 without parental consent.
If you are under 18, you may only use Reptimorph with the involvement and consent of a parent or legal guardian. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information.
Parents or guardians who believe we may have collected data from a minor should contact us immediately at contact@reptimorph.io.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to improve your experience, analyze platform usage, and provide personalized content.
You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse or accept cookies, or receive a notification when a cookie is sent. Note that blocking certain cookies may affect platform functionality.
12. Third-Party Links and Services
Our platform may contain links to third-party websites, social media platforms, or external services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing any personal data.
13. Automated Decision-Making and Profiling
We may use automated processing and profiling for the following purposes:
- Fraud Detection: Automated systems analyze transaction patterns to detect and prevent fraud
- Recommendations: Algorithms suggest listings based on your browsing and search history
- Risk Assessment: Automated scoring of listings for policy compliance
These automated decisions do not produce legal effects or significantly affect you. You have the right to request human review of automated decisions by contacting us.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. We will notify you of material changes via:
- Email notification to your registered address
- Prominent notice on the platform
- Updated 'Last Updated' date at the top of this page
Continued use of Reptimorph after changes become effective constitutes acceptance of the updated Privacy Policy.
15. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Data Protection Officer:
Email: contact@reptimorph.io
General Inquiries: contact@reptimorph.io
We will respond to your request within 30 days as required by GDPR.
Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the French data protection authority:
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr
Phone: +33 1 53 73 22 22
