Privacy Notice — ClearDelta

1. Who we are

Service provider / controller for website and sales inquiries:
Thibaud CLAUDE, operating as ClearDelta
Balmes 316, 08006, Barcelona, Spain
Email: privacy@cleardelta.io

        Controller / Processor split: For the website contact form and commercial communications, ClearDelta acts as data controller. For Seller Central CSV data supplied by a client for the fee-audit service, the client is the controller and ClearDelta acts as data processor under the client’s documented instructions.
      

To exercise your rights or ask questions about this notice, contact privacy@cleardelta.io.

2. Data we process

Website & contact form

First name, last name, work email, company name, marketplace, estimated GMV, approximate SKU count, and the contents of your message. Basic website security logs (IP address, timestamp, user agent).

Audit service data

CSV exports supplied by you from Seller Central, including: SKU identifiers, ASINs, FNSKUs, packed product dimensions and weights, FBA fee amounts, settlement lines, reimbursement lines, case-tracking metadata, and business contact details needed to deliver the service.

        Data minimisation by design: Order IDs and merchant-order IDs are hashed or removed at ingestion — they are not required for our calculations and are never stored in identifiable form. Raw CSV files are automatically deleted within 7 days of Evidence Pack generation.
      

3. Why we use the data & our legal bases

Purpose	Typical data	Legal basis (GDPR)
Respond to website inquiries and qualify a potential client	Name, email, company, message	Consent (Art. 6(1)(a)) and/or pre-contractual steps at your request (Art. 6(1)(b))
Deliver the fee-audit service and generate Evidence Packs	Seller Central CSV data, business contact, correspondence	Performance of a contract (Art. 6(1)(b)); as processor, on documented instructions from the client controller
Secure the service, detect misuse, maintain logs	Technical logs, service metadata	Legitimate interests (Art. 6(1)(f)) — securing and improving the service, defending legal claims
Accounting, invoicing, tax compliance	Invoice records, payment data	Legal obligation (Art. 6(1)(c)) — Spanish tax and commercial law

4. How long we keep the data

Data type	Retention period
Raw uploaded CSV files	Deleted automatically within 7 days of Evidence Pack generation
Sanitised aggregates & claims-tracking records	Duration of contract + 120 days for attribution & clawback management, then deleted
Website contact form data	12 months after last meaningful contact (unless you become a client sooner)
Contract, invoice & tax records	As required by Spanish law (minimum 5 years — Art. 30 Código de Comercio)

5. Who receives the data

We share personal data only where there is a valid need. Categories of recipients:

Hosting and cloud infrastructure providers (VPS)
Email delivery providers
Secure file-transfer tools
Payment processors (Stripe, Inc.)
Professional advisers (legal, accounting) where required

The full sub-processor list is provided in our Data Processing Agreement (DPA), signed with each client upon onboarding.

6. International transfers

ClearDelta is based in Spain (EEA). To the extent any sub-processor processes data outside the EEA, we ensure an appropriate transfer mechanism is in place (adequacy decision, Standard Contractual Clauses, or equivalent) as required by Chapter V GDPR.

Stripe, Inc. (payment processor, US) operates under the EU–US Data Privacy Framework.

7. Security

No Seller Central credentials, API tokens, or account access are ever requested or stored.
Order IDs hashed or removed at ingestion (pseudonymisation).
Raw CSV files auto-deleted within 7 days.
Role-based access controls and least-privilege access.
All data transmitted over encrypted channels (HTTPS/TLS).
Sanitisation events logged for audit purposes.

No security measure is perfect. We cannot guarantee absolute security, but we apply industry-standard protections appropriate to the risk level of the data processed.

8. Your rights

Under GDPR and Spanish law (LOPDGDD), you may have the right to:

Access — obtain a copy of your personal data.
Rectification — correct inaccurate data.
Erasure — request deletion where no legal retention requirement applies.
Restriction — limit processing in certain circumstances.
Objection — object to processing based on legitimate interests.
Portability — receive data in a structured, machine-readable format.
Withdraw consent — at any time where consent is the legal basis.

If ClearDelta is acting only as processor for service data, we may need to redirect your request to the relevant client controller.

To exercise any right, contact privacy@cleardelta.io. We will respond within 30 days.

You may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

9. Contact

Email: privacy@cleardelta.io
Postal address: Thibaud CLAUDE, Balmes 316, 08006, Barcelona, Spain
EU representative / DPO: Not applicable (processing does not meet the thresholds requiring a DPO under Art. 37 GDPR).