LEGAL - GDPR COMPLIANT
Privacy Policy
We take your privacy seriously. This policy explains exactly what data we collect, why we collect it, how we use it, and what rights you have over it, in plain language.
Last updated: 1 May 2026 · Effective date: 1 May 2026 · GDPR & ePrivacy compliant
1. Who We Are
Makeitbuy is an e-commerce marketplace operated by Makeitfy, a brand based in Italy. We sell our own products and facilitate the sale of third-party products through our platform.
Data Controller
Company: Makeitfy / Makeitbuy
Registered address: Italy
Contact: privacy@makeitbuy.com
Data Protection Officer: privacy@makeitbuy.com
When we refer to “Makeitbuy”, “we”, “us” or “our” in this policy, we mean the business entity above. “You” or “your” refers to any person who visits, browses, purchases from, or otherwise interacts with our website at makeitbuy.com.
2. Data We Collect
2.1 Data You Give Us Directly
- Account data: Name, email address, password (hashed), date of birth (if provided)
- Order data: Name, billing address, delivery address, phone number, order history, payment method type (not full card number; processed by Stripe/PayPal)
- Communication data: Messages you send via our contact form, email, or live chat
- Seller application data: Business name, contact details, product descriptions submitted via our “Sell With Us” form
- Marketing preferences: Whether you’ve opted in to receive newsletters and promotional emails
2.2 Data Collected Automatically
- Usage data: Pages visited, time on site, clicks, search queries, referring URLs
- Device and technical data: IP address, browser type and version, operating system, screen resolution, device identifiers
- Cookie data: See our Cookie Policy for full details
- Transaction data: Purchase history, basket contents, abandoned cart data
2.3 Data From Third Parties
- Payment processors (Stripe, PayPal): transaction confirmation and fraud signals only
- Analytics providers (Google Analytics 4): anonymised behavioural data
- Social media platforms: only if you connect your account or engage with our social content
Note: We never collect or store full payment card numbers. All payment processing is handled by PCI-DSS certified third-party processors.
3. How We Use Your Data
| PURPOSE | DATA USED | LEGAL BASIS |
| Processing and fulfilling your orders | Order data, contact details | Contract performance |
| Sending order confirmations and updates | Email, order data | Contract performance |
| Fraud prevention and security checks | IP, device data, payment signals | Legitimate interests |
| Customer support and resolving disputes | Communication data, order data | Contract / Legitimate interests |
| Sending marketing emails (with consent) | Email, purchase history | Consent |
| Improving our website and services | Usage data, analytics | Legitimate interests |
| Personalising your experience | Browsing history, purchase data | Consent / Legitimate interests |
| Legal compliance and record-keeping | Order and financial records | Legal obligation |
| Evaluating seller applications | Seller application data | Pre-contractual steps |
4. Legal Basis (GDPR)
Under the General Data Protection Regulation (GDPR), we are required to have a lawful basis for processing your personal data. We rely on the following bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to fulfil your order, deliver your goods, and provide after-sales support.
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, site security, improving our services, and certain marketing activities where these don’t override your rights.
- Legal obligation (Art. 6(1)(c)): Retaining financial records as required by Italian and EU tax law (minimum 10 years).
- Consent (Art. 6(1)(a)): Email marketing, non-essential cookies, and personalisation features. You may withdraw consent at any time without affecting previous processing.
5. Data Sharing
We do not sell your personal data. We share it only where necessary with carefully selected third parties:
| THIRD PARTY | PURPOSE | LOCATION |
| Stripe / PayPal | Payment processing | EU / USA (SCCs) |
| Shipping carriers (DHL, PostNL, etc.) | Delivery of physical goods | EU / Global |
| Shopify / WooCommerce | E-commerce platform & data hosting | EU / USA (SCCs) |
| Mailchimp / Klaviyo | Email marketing (consented subscribers only) | USA (SCCs) |
| Google Analytics 4 | Anonymised website analytics | EU / USA (SCCs) |
| Customer support tools | Handling support tickets | EU |
| Legal authorities | When required by law | EU / Italy |
SCCs = Standard Contractual Clauses, the approved EU mechanism for lawful data transfers outside the European Economic Area.
Marketplace sellers: When you purchase from a third-party seller listed on Makeitbuy, that seller will receive your name, delivery address, and order details necessary to fulfil your order. They are independently responsible for handling that data in accordance with GDPR.
6. Data Retention
- Order and financial records: 10 years (required by Italian tax law)
- Account data: Until account deletion + 90 days for backup purposes
- Marketing data: Until you unsubscribe or withdraw consent
- Support communications: 3 years from last contact
- Analytics data: 14 months (Google Analytics 4 default, shortened to 2 months for IP data)
- Cookie data: Varies by cookie; see Cookie Policy
7. Your Rights
As a data subject in the EU/EEA, you have the following rights. We will respond to all requests within 30 days:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Right to erasure / “Right to be forgotten” (Art. 17): Ask us to delete your data where there is no compelling reason to continue processing. Note: we may need to retain certain data for legal compliance.
- Right to restriction of processing (Art. 18): Ask us to pause processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling and direct marketing.
- Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with legal or significant effects. Personalisation features involve human oversight.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time via your account settings or by emailing us.
To exercise any right: Email privacy@makeitbuy.com with “Data Subject Request” in the subject line. We may ask for proof of identity to protect your data. You also have the right to lodge a complaint with your national supervisory authority; in Italy: Garante per la Protezione dei Dati Personali (www.gpdp.it).
8. Cookies
We use cookies and similar tracking technologies. Please see our full Cookie Policy for details, accessible via the page navigation above. In summary, we use:
- Essential cookies: Required for the website to function (shopping cart, login session). Always active.
- Analytics cookies: Google Analytics 4, anonymised. Require consent.
- Marketing cookies: Used for retargeting and measuring ad performance. Require consent.
- Preference cookies: Remember your language, currency, and display settings.
You can manage your cookie preferences at any time via our Cookie Consent Banner or your browser settings.
9. International Transfers
Makeitbuy is based in Italy and primarily processes data within the EU/EEA. Some of our third-party service providers are located in the United States. Wherever data is transferred outside the EU/EEA, we ensure adequate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914
- Adequacy decisions where applicable
- Data Processing Agreements (DPAs) with all data processors
10. Contact & DPO
Data Protection Contact
Email: privacy@makeitbuy.com
Subject line: “Data Subject Request” or “Privacy Enquiry”
Response time: Within 30 days as required by GDPR
Supervisory Authority (Italy):
Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma - www.gpdp.it
