This Privacy Policy (the “Policy”) defines how personal data is collected, processed, stored, transferred and protected in the operation of the KatrIva software platform (the “Platform”), available at https://katriva.com.ua and on related Store domains. The Policy is an integral part of the Public offer for access to the Platform (the “Offer”) and applies to everyone who uses the Platform: Customers (Store owners) and Buyers (end consumers who place orders in Stores).
The Platform serves Customers and Buyers regardless of their country of residence, including residents of Ukraine, the European Union and other countries. Personal data is processed in accordance with the Law of Ukraine “On Personal Data Protection” of 01.06.2010 No. 2297-VI (the “Law”), and for data subjects in the European Union — also in accordance with Regulation (EU) 2016/679 (GDPR) to the extent applicable to the Provider as a controller / processor. For data subjects in other jurisdictions, the Provider follows the general principles of lawfulness, fairness and data minimisation set out in this Policy.
1. Definitions
- Provider / Platform Operator — the owner and operator of the KatrIva Platform (details in section 10 of this Policy and in the Offer).
- Customer — a sole proprietor or legal entity that uses the Platform to create and operate a Store; is the owner of their Buyers’ personal data within the meaning of the Law.
- Buyer — an individual who places an order for the Customer’s goods/services via the Store storefront.
- Personal data — any information that directly or indirectly identifies an individual (name, phone number, e-mail, delivery address, payment details to the extent passed to the Platform, IP address, cookie data, etc.).
- Processing of personal data — any action or set of actions with personal data (collection, registration, accumulation, storage, modification, use, dissemination, anonymisation, destruction).
2. What data is processed
- Customer data: account registration data (name, Store name, e-mail, phone number, login); payment and billing details for the Service (registration code, bank details); technical data (IP address, device and browser data, admin activity logs, cookies).
- Buyer data received via the Store storefront: name, phone number, e-mail, delivery address; order contents (item list, amount, comments); technical visit data (IP address, device/browser type, cookies and similar technologies, data on the user’s interaction with the storefront — pages viewed, navigation sequence, interaction events); data passed to payment systems to pay for the order (the Platform does not store full payment card details).
3. Purpose and legal bases for processing
Processing is carried out for the following purposes and on the following bases:
- performance of the Offer and providing the Customer with access to the Platform — on the basis of a concluded contract (Art. 11 of the Law; Art. 6(1)(b) GDPR);
- enabling placement and processing of Buyer orders in the Store — on the basis of the sale contract between the Customer and the Buyer, of which the Provider is not a party, but for which it technically enables processing in the Customer’s interest;
- compliance with legal requirements (accounting, requests from public authorities) — on the basis of law (Art. 6(1)(c) GDPR);
- ensuring technical security, preventing fraud and abuse — on the basis of the Provider’s legitimate interest (Art. 6(1)(f) GDPR);
- sending marketing messages (where applicable) — on the basis of separate consent from the data subject, which may be withdrawn at any time.
4. Role allocation: Customer and Provider
- The Customer is the owner of their Buyers’ personal data: they define the purpose of collecting this data (selling goods/services), are responsible for the lawfulness of obtaining it and for informing Buyers (including by publishing the Store’s own privacy policy where required by the Buyer’s country’s law).
- The Provider acts as a processor of Buyers’ personal data to the extent necessary for the Platform’s technical operation (storing order data, sending technical notifications, enabling checkout). The Provider processes such data solely on the Customer’s instructions and in the Customer’s interest and does not use it for its own marketing purposes without a separate lawful basis.
- With respect to the Customer’s own data (account, Service payment details), the Provider is the owner of personal data and independently defines the purpose of processing to the extent necessary to provide the Service.
- For Customers to whom the GDPR applies, the terms of personal data processing may additionally be governed by a separate Data Processing Agreement (DPA), which prevails in respect of personal data processing.
5. Disclosure to third parties
To operate the Platform, the Provider may engage and disclose personal data to the following categories of third parties:
- hosting providers and data centres — for data storage;
- payment systems and acquirers — for payment processing (the Provider does not store full payment card details; such data is processed by the payment system in accordance with PCI DSS);
- delivery services — to the extent needed for delivery (Buyer name, phone, address);
- analytics and notification services (including messengers, e-mail) — to the extent needed for the service to function;
- public authorities — in cases and in the manner provided by law.
The Provider requires engaged third parties to ensure an adequate level of personal data protection consistent with the Law and, where needed, GDPR.
6. Cross-border data transfers
Because the Platform serves users in different countries and part of the infrastructure may be located outside Ukraine, personal data may be transferred abroad, including to countries that do not provide a level of protection equivalent to the Law or GDPR. In such cases the Provider takes reasonable measures to ensure adequate protection (including Standard Contractual Clauses, provider certification, etc.) to the extent technically and commercially feasible.
7. Cookies and similar technologies
- The Platform and Store storefronts use cookies and similar technologies to: enable checkout and authentication; analyse traffic; where applicable — targeted advertising and remarketing.
- Non-essential cookies (analytics, marketing) are used with separate visitor consent where required by applicable law. Essential cookies needed for the service to work may be used without separate consent.
- Visitors can manage cookies through browser settings. Disabling certain cookies may limit storefront functionality (for example, the shopping cart).
- Where required by applicable law, the Platform and/or Stores may display a cookie notice and request the user’s consent.
8. Retention of personal data
Personal data is retained for the term of the Offer with the Customer and for an additional period needed to comply with legal requirements (including tax and accounting rules — not less than the periods set by applicable law, and in their absence up to 3 years), and to protect the parties’ legitimate interests in case of a dispute. After the Offer ends, Store data is retained and deleted in accordance with section 9 of the Offer, unless a longer period is required by law.
9. Rights of data subjects
Under the Law and (where applicable) GDPR, a data subject has the right to: know the sources and purpose of processing; access their data; request correction of inaccurate or outdated data; request erasure or withdraw consent (the “right to be forgotten”); object to processing based on legitimate interest; request restriction of processing and receive data in a structured, machine-readable format (portability) — for GDPR data subjects; lodge a complaint with a supervisory authority (in Ukraine — the Ukrainian Parliament Commissioner for Human Rights; for EU residents — the national supervisory authority of the relevant country).
Requests may be submitted to the Customer (regarding Store data) or to the Provider using the contacts in section 10. A response is provided within the period required by law (typically within 30 calendar days).
10. Data protection and contacts
The Provider implements technical and organisational measures to protect personal data against unauthorised access, loss, destruction or disclosure, including: access controls, encryption of transmission channels, backups (to the extent defined in the Offer).
If a security incident is detected that may result in unauthorised access to personal data, the Provider takes reasonable steps to minimise the consequences and, where required by law, notifies the relevant data subjects or competent authorities within the prescribed time limits.
Provider name: Sole proprietor Anton Viktorovych Luchkin,
operating under the commercial designation “KatrIva”
Status: sole proprietor, single tax payer (group 2)
Registration code (RNOKPP): 3230400379
Address: Ukraine, 02093, Kyiv, Boryspilska St., building 17,
apt. 52
E-mail for personal data enquiries:
hello@katriva.com.ua
Website:
https://katriva.com.ua
11. Changes to the Policy
The Provider may amend this Policy by publishing a new version on the Website. The new version takes effect 7 calendar days after publication unless a different period is stated on the Website. Continued use of the Platform after it takes effect constitutes acceptance of its terms.
Customers are advised to bring this Policy to their Buyers’ attention (for example, via a link on the Store storefront) to fulfil their obligation to inform Buyers.