Privacy Policy

Effective Date: August 20, 2025
Last Updated: August 20, 2025

1. Introduction

Tamio GmbH ("we," "us," or "our") operates the e-commerce platform available at www.tamio.com (the "Platform"). We provide merchants ("sellers") and their customers ("buyers") with e-commerce services that facilitate online transactions.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform, whether as a merchant, buyer, or website visitor.

Important: Your use of our Platform constitutes acceptance of this Privacy Policy. If you do not agree with this policy, please do not use our services.

2. Contact Information and Data Controller

Tamio GmbH (Data Controller)
Rahmannstr. 11
65760 Eschborn, Germany
VAT: DE329477216
Email: legal@tamio.com
Managing Director: George Spitaliotis

3. Types of Information We Collect

3.1 Information You Provide Directly

Merchant Account Information:
  • Full name and business name
  • Email address and phone number
  • Business address and billing information
  • Financial details for payments and payouts
  • Tax identification numbers (VAT, etc.)
  • Identity verification documents

Communication Data:
  • Messages sent through our support system
  • Survey responses and feedback
  • Marketing preferences

3.2 Information Collected Automatically

Technical Information:
  • IP address and device identifiers
  • Browser type and version
  • Operating system and device information
  • Login timestamps and session data
  • Platform usage patterns and analytics

Cookies and Similar Technologies: We use cookies and similar tracking technologies as detailed in Section 8 below.

3.3 Information from Third Parties

Payment Processors:
  • Transaction verification data
  • Fraud prevention information
  • Payment method details (last 4 digits, card type)

Business Partners:
  • Credit and fraud checking data
  • Marketing and analytics data (where consented)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

4.1 Contract Performance (Article 6(1)(b))

  • Creating and managing your merchant account
  • Processing transactions and payments
  • Providing customer support
  • Delivering our platform services

4.2 Legitimate Interests (Article 6(1)(f))

  • Platform security and fraud prevention
  • Service improvement and optimization
  • Internal analytics and reporting
  • Direct marketing (with opt-out options)
  • Business administration and operations

4.3 Legal Compliance (Article 6(1)(c))

  • Tax reporting and record-keeping
  • Anti-money laundering checks
  • Regulatory compliance requirements
  • Court orders and legal investigations

4.4 Consent (Article 6(1)(a))

  • Marketing communications (where not based on legitimate interest)
  • Optional cookies and tracking
  • Additional data uses beyond core services

5. How We Use Your Information

5.1 Service Provision

  • Account creation and management
  • Transaction processing and settlement
  • Customer support and technical assistance
  • Platform functionality and features
  • Security monitoring and fraud prevention

5.2 Business Operations

  • Internal analytics and reporting
  • Service improvement and development
  • Risk assessment and management
  • Financial reporting and accounting
  • Legal compliance and auditing

5.3 Marketing and Communications

  • Service updates and announcements
  • Product information and new features
  • Marketing communications (with consent/opt-out)
  • Surveys and feedback requests
  • Educational content and resources

6. Information Sharing and Disclosure

6.1 Service Providers and Sub-Processors

We share information with trusted third-party service providers who assist in our operations:

Payment Processing:
  • Stripe (payment processing and fraud prevention)
  • Mollie (European payment processing)
  • GoCardless (direct debit processing)
  • Klarna (buy now, pay later services)

Infrastructure and Technical Services:
  • Hetzner (cloud hosting - Germany)
  • Various email and communication service providers
  • Security and monitoring service providers

Analytics and Marketing:
  • Google Analytics (website analytics - anonymized)
  • Facebook/Meta (marketing pixels - with consent)
  • Other marketing and analytics platforms (with consent)

All service providers are bound by data protection agreements and process data only as instructed.

6.2 Legal Requirements

We may disclose information when required by law or to:
  • Comply with legal processes, court orders, or regulatory requirements
  • Protect our rights, property, or safety, or that of others
  • Investigate potential violations of our terms or policies
  • Prevent fraud, security threats, or illegal activities

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to equivalent privacy protections.

6.4 Consent-Based Sharing

We may share information for other purposes with your explicit consent.

7. International Data Transfers

7.1 Transfer Safeguards

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:
  • European Commission Adequacy Decisions for countries with adequate protection
  • Standard Contractual Clauses (2021 version) for other jurisdictions
  • Transfer Impact Assessments to evaluate and mitigate risks
  • Additional safeguards as required by supervisory authorities

7.2 Primary Data Locations

  • Primary hosting: Germany (Hetzner)
  • Payment processing: Various global locations with adequate safeguards
  • Analytics: Global processing with data minimization

8. Cookies and Tracking Technologies

8.1 Cookie Categories

Strictly Necessary Cookies (Always Active):
  • xLanguage - Stores visitor language preference
  • xCurrency - Stores visitor currency preference
  • xCurrencyTo - Stores currency conversion settings
  • darkmode - Stores dark mode preference
  • session - Encrypted session data for logged-in users
  • xVisited - Stores recently visited products

Functional Cookies (Optional):
  • xRememberCustomer - Remembers customer information (with consent)
  • x_last_billing_address - Stores billing address (if opted in)
  • x_last_shipping_address - Stores shipping address (if opted in)

Analytics Cookies (Optional, requires consent):
  • _ga - Google Analytics main tracking cookie (2 years)
  • _gid - Google Analytics session identification (24 hours)
  • _gat - Google Analytics request throttling (1 minute)

Marketing Cookies (Optional, requires consent):
  • _fbp - Facebook pixel browser identifier (90 days)
  • _fbc - Facebook click identifier
  • fr - Facebook retargeting cookie (90 days)

8.2 Cookie Management

You can manage cookie preferences through:
  • Our cookie consent banner (for optional cookies)
  • Your browser settings
  • Opt-out tools provided by third-party services
  • Your account settings for functional preferences

9. Data Retention

9.1 General Retention Principles

We retain personal data only as long as necessary for the purposes collected, considering:
  • Legal and regulatory requirements
  • Business operational needs
  • Data subject preferences
  • Security and fraud prevention needs

9.2 Specific Retention Periods

Active Merchant Accounts:
  • Data retained throughout the service relationship
  • Transaction data retained as required by law (typically 10 years for tax purposes)

Closed Merchant Accounts:
  • Account data: 3 months (to allow reactivation)
  • Financial/tax data: 10 years (German legal requirement)
  • Marketing data: Until withdrawal of consent or 3 years of inactivity

Website Visitors:
  • Analytics data: 26 months (anonymized)
  • Cookie data: As specified in cookie settings
  • Contact inquiries: 3 years

Legal Hold: Data may be retained longer if required for legal proceedings or investigations.

10. Data Security

10.1 Security Measures

We implement comprehensive security measures including:

Technical Safeguards:
  • Encryption in transit (TLS/HTTPS) and at rest
  • Access controls and authentication systems
  • Network security and firewalls
  • Regular security assessments and updates
  • Intrusion detection and monitoring systems

Organizational Safeguards:
  • Employee training on data protection
  • Background checks for personnel with data access
  • Confidentiality agreements and access restrictions
  • Incident response procedures
  • Regular security audits and assessments

10.2 Data Breach Response

In the event of a data breach:
  • We will assess and contain the breach immediately
  • Notify supervisory authorities within 72 hours if required
  • Inform affected individuals without undue delay when required
  • Provide ongoing updates and remediation steps
  • Conduct post-incident reviews to prevent recurrence

11. Your Rights Under Data Protection Laws

11.1 Right to Information and Access

You have the right to know:
  • What personal data we process
  • Why we process it
  • Who we share it with
  • How long we keep it
  • Your rights regarding this data

You have the right to request access to your personal data and receive a copy in a portable format.

11.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data when:
  • It's no longer necessary for the original purpose
  • You withdraw consent (where processing was based on consent)
  • Data has been unlawfully processed
  • Required for compliance with legal obligations

Limitations: We may need to retain certain data for legal compliance (tax records, fraud prevention, etc.).

11.4 Right to Restrict Processing

Request limitation of processing when:
  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification

11.5 Right to Data Portability

Receive your personal data in a structured, machine-readable format and transmit it to another service provider where technically feasible.

11.6 Right to Object

Object to processing based on:
  • Our legitimate interests (we'll stop unless we have compelling legitimate grounds)
  • Direct marketing purposes (we'll stop immediately)
  • Scientific/historical research or statistical purposes

11.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. Currently, we don't engage in such automated decision-making.

11.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time through:
  • Your account settings
  • Unsubscribe links in emails
  • Contacting us directly
  • Cookie preference centers

11.9 Exercising Your Rights

How to Contact Us:
  • Email: legal@tamio.com
  • Subject line: "Privacy Rights Request"
  • Include: Your name, account information, and specific request

Response Timeline:
  • We will respond within one month of receipt
  • Complex requests may require up to three months with notification
  • We may request additional information to verify your identity

No Cost: Requests are generally free, but we may charge for excessive or repetitive requests.

12. Merchant Responsibilities

12.1 Customer Data Processing

When you use our platform to collect customer data, you are the Data Controller and must:
  • Provide clear privacy notices to your customers
  • Obtain necessary consents and legal bases
  • Handle customer data subject requests
  • Ensure compliance with applicable data protection laws
  • Notify us of any relevant requirements or restrictions

12.2 Data Accuracy

Ensure that information you provide to us is accurate, complete, and up-to-date.

13. Customer Data Rights (For Buyers)

If you are a customer of a merchant using our platform:

13.1 Primary Contact

Your primary point of contact for data rights is the merchant from whom you made purchases. Contact them using:
  • Contact details on your purchase receipt/invoice
  • Their website contact form
  • Their registered business address

13.2 Merchant Tools

Merchants can fulfill data rights requests through our administrative panel to:
  • Update customer information
  • Delete customer records
  • Provide data exports
  • Restrict processing

13.3 Data Retention for Customers

Customer data is retained as specified in our merchant agreements and legal requirements:
  • Transaction records: As required by tax law (typically 10 years)
  • Marketing data: Until consent withdrawn or account deletion
  • Technical data: As specified in retention policy above

14. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected information from a child under 16, we will take steps to delete it promptly.

15. Updates to This Privacy Policy

15.1 Notification of Changes

We may update this Privacy Policy to reflect:
  • Changes in our processing activities
  • Legal or regulatory developments
  • Service improvements or new features
  • Industry best practices

15.2 How We Notify You

Material changes will be communicated through:
  • Email notification to your registered address
  • Prominent notice on our website
  • In-platform notifications for active users
  • At least 30 days advance notice for significant changes

15.3 Continued Use

Continued use of our services after changes become effective constitutes acceptance of the updated policy.

16. Supervisory Authority Contact

You have the right to lodge a complaint with data protection supervisory authorities:

Germany (Our Lead Authority): Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de

Your Local EU Authority: Contact details available at: https://edpb.europa.eu/about-edpb/board/members_en

17. Legal Framework and Jurisdiction

This Privacy Policy is governed by:
  • European Union General Data Protection Regulation (GDPR)
  • German Federal Data Protection Act (BDSG)
  • Other applicable national and regional data protection laws

Disputes are subject to the jurisdiction of German courts, without prejudice to your rights under data protection law.

18. Additional Resources

18.1 Related Documents

  • Terms of Use: www.tamio.com/terms
  • Data Processing Agreement (DPA): For merchants acting as data controllers
  • Data Privacy Addendum: Additional GDPR-specific provisions
  • Cookie Policy: Detailed cookie information

18.2 GDPR Rights Information

We provide detailed guides on exercising your GDPR rights:
  • Right to be forgotten
  • Right to be informed
  • Right to have personal details up to date
  • Right to data portability
  • Right to object/Right to restrict processing

Available at: www.tamio.com/gdpr
This Privacy Policy is effective August 20, 2025. For questions or to exercise your rights, contact us at legal@tamio.com.