1. Introduction
1.1 Who We Are. This Privacy Policy (“Policy”) describes how Ryden (“we,” “us,” “our,” or “Ryden”) collects, uses, shares, and protects personal data of individuals interacting with our wholesale operations at ryden.store/business, our wholesale services, or our communications.
1.2 Data Controller. Ryden is the data controller of personal data collected through our operations. Our contact details:
Ryden Ryden
[Registered business address to be specified]
Email: contact@ryden.store
Privacy Contact: [Designated privacy compliance person, name and contact details to be specified]
1.3 Scope. This Policy applies to:
- Wholesale buyers and prospective wholesale buyers;
- Authorized representatives, employees, and agents of wholesale buyer entities;
- Visitors to our wholesale website;
- Recipients of our communications.
1.4 Multi-Jurisdiction Compliance. This Policy is designed to comply with privacy regulations applicable to our global operations, including:
- General Data Protection Regulation (GDPR): for personal data of individuals in the European Union and European Economic Area;
- UK General Data Protection Regulation (UK GDPR): for personal data of individuals in the United Kingdom;
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): for personal data of California residents;
- Personal Information Protection Law (PIPL): for personal data of individuals in the People’s Republic of China;
- Personal Information Protection and Electronic Documents Act (PIPEDA): for personal data of individuals in Canada;
- Act on the Protection of Personal Information (APPI): for personal data of individuals in Japan;
- Lei Geral de Proteção de Dados (LGPD): for personal data of individuals in Brazil;
- Australia Privacy Act 1988: for personal data of individuals in Australia;
Jurisdiction-specific provisions are addressed in Section 11.
1.5 Modification. Ryden may amend this Policy from time to time. Material changes are communicated to active wholesale buyers with thirty (30) days’ notice. The “Last Updated” date at the top of this Policy reflects the most recent revision. Continued use of our services after the effective date of changes constitutes acceptance.
2. Personal Data We Collect
2.1 Categories of Personal Data Collected. We collect personal data in the following categories:
2.1.1 Business Contact Information
- Business name and registered entity details;
- Contact person name, job title, and role;
- Business address (registered, billing, delivery);
- Business contact phone numbers;
- Business email addresses.
2.1.2 Account Credentials
- Username and password for wholesale buyer portal;
- Account security questions and answers;
- Multi-factor authentication settings.
2.1.3 Transaction Data
- Purchase history including products ordered, quantities, prices, and dates;
- Quote requests and pricing history;
- Shipping addresses and delivery details;
- Payment information processing references (not full payment card data, which is processed by third-party payment processors per Section 5.1);
- Returns, defects, and credit history.
2.1.4 Communication Data
- Email correspondence with our sales, support, and account management teams;
- Support tickets and customer service interactions;
- Chat conversations through customer service tools;
- Phone call records and notes where applicable;
- Meeting notes from sales discussions.
2.1.5 Marketing Data
- Marketing communications preferences and consents;
- Newsletter subscriptions and engagement metrics;
- Event participation and follow-up data;
- Response to marketing communications.
2.1.6 Behavioral Data
- Website usage data including pages visited, time spent, navigation patterns;
- Search queries on our website;
- Product views and catalog engagement;
- Device information including IP address, browser type, operating system, screen resolution;
- Referrer information indicating how you arrived at our website;
- Cookie and similar tracking technology data per Section 6.
2.1.7 Financial Data (Net Terms Applicants)
- Banking details and bank reference letters;
- Trade reference contact details and reference information;
- Financial statements where requested as part of credit verification;
- Credit history and payment performance data;
- Credit insurance information where applicable.
2.2 Categories of Data We Do Not Collect.
- Sensitive Personal Data: We do not intentionally collect special categories of personal data under GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation). If you provide sensitive personal data in unstructured communications (e.g., mentioning a health condition affecting a business decision), please be aware we have no operational basis for processing such data and request that you not share sensitive data through our communication channels.
- Children’s Data: Our wholesale operation serves business buyers exclusively. We do not knowingly collect personal data from individuals under sixteen (16) years of age. Where we become aware that we have collected data from a child without appropriate parental consent, we delete such data.
- Government-Issued Identifiers: We do not collect government-issued identifiers (national ID numbers, social security numbers, passport numbers) except where specifically required for export documentation or regulatory compliance (e.g., tax registration numbers for business entities).
3. Sources of Personal Data
3.1 Direct Collection. We collect personal data directly from you when you:
- Submit a wholesale application or inquiry;
- Register a wholesale buyer account;
- Place orders or request quotes;
- Communicate with our teams via email, phone, chat, or in-person;
- Subscribe to marketing communications;
- Visit our website (behavioral data per Section 6);
- Provide feedback or participate in surveys.
3.2 Indirect Collection from Authorized Parties. We may collect personal data from authorized parties acting on your behalf:
- Customs brokers handling import documentation;
- Freight forwarders coordinating shipments;
- Bank communications regarding payments and L/C transactions;
- Trade references and bank references provided during credit verification.
3.3 Public Sources. We may collect personal data from publicly available business sources:
- Business registration databases;
- Industry directories;
- Trade publications;
- Public records of business contact information.
3.4 Third-Party Sources. We may receive personal data from third-party sources with appropriate legal basis:
- Credit verification services (Dun & Bradstreet or equivalent) for net terms applications;
- Industry trade associations where membership data is shared;
- Marketing data providers (where data is supplied with verifiable opt-in consent and we conduct due diligence).
4. Purposes and Legal Bases for Processing
4.1 Purposes of Processing. We process personal data for the following purposes:
4.1.1 Wholesale Operations
- Processing wholesale applications and account approval;
- Managing wholesale buyer accounts;
- Processing quotes, orders, payments, and shipments;
- Providing customer service and account management;
- Handling returns, defects, and quality issues;
- Conducting credit verification and managing payment terms.
4.1.2 Communications
- Responding to inquiries and support requests;
- Providing order updates and shipment notifications;
- Issuing invoices and account communications;
- Communicating policy changes and operational updates.
4.1.3 Marketing (Where Permitted)
- Sending newsletters and product updates (with appropriate consent or legitimate interest basis);
- Promoting new products and categories;
- Inviting buyers to industry events;
- Conducting market research and buyer satisfaction surveys.
4.1.4 Service Improvement
- Analyzing website usage to improve user experience;
- Analyzing buyer behavior patterns to improve catalog and operations;
- Conducting market research and analytics;
- Developing new products and services.
4.1.5 Legal, Regulatory, and Operational Compliance
- Complying with tax, accounting, and regulatory recordkeeping requirements;
- Complying with export, customs, and trade compliance regulations;
- Responding to lawful requests from regulatory authorities;
- Establishing, exercising, and defending legal rights;
- Preventing fraud and protecting against unauthorized access.
4.2 Legal Bases for Processing (GDPR / UK GDPR). [LEGAL REVIEW REQUIRED: DETERMINATION OF APPROPRIATE LEGAL BASIS PER PROCESSING ACTIVITY] We process personal data on the following legal bases under GDPR Article 6:
- Performance of a Contract (Article 6(1)(b)): Processing necessary to perform our wholesale supply contracts and pre-contractual steps at your request, wholesale applications, quotes, orders, payments, shipments, returns.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests where these do not override your fundamental rights, basic communications, security, fraud prevention, service improvement, certain types of business-to-business marketing.
- Compliance with Legal Obligations (Article 6(1)(c)): Processing required to comply with legal obligations, tax recordkeeping, export documentation, regulatory compliance.
- Consent (Article 6(1)(a)): Processing based on your consent for specific purposes, marketing communications, cookie-based advertising tracking, certain analytics, optional product enhancements.
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.3 Processing of Special Categories. As stated in Section 2.2, we do not intentionally process special categories of personal data.
5. Third-Party Sharing
5.1 Categories of Third Parties. We share personal data with the following categories of third parties:
5.1.1 Payment and Banking Services
- Bank wire transfer processing: banking institutions and correspondent banks worldwide;
- Letter of Credit processing: Issuing and confirming banks per L/C transactions;
- Payment processors: Stripe, PayPal, or equivalent for any electronic payment processing where applicable.
5.1.2 Shipping and Logistics
- Freight forwarders and carriers: DHL, FedEx, UPS, sea freight forwarders, air freight forwarders, regional courier services as applicable to specific shipments;
- Customs brokers: Where Ryden engages customs brokers for export documentation, broker information sharing as needed.
5.1.3 Credit Verification
- Credit reporting agencies: Dun & Bradstreet or equivalent commercial credit reporting agencies for net terms applications;
- Trade credit insurers: Euler Hermes, Atradius, Coface, or equivalent where Ryden maintains credit insurance on buyer accounts.
5.1.4 Marketing Services
- Email marketing platforms: Mailchimp or SendGrid for newsletter and marketing communication distribution;
- Customer relationship management (CRM): HubSpot or Salesforce for sales and account management;
- Advertising platforms: Meta (Facebook / Instagram) Ads, Google Ads, and equivalent platforms for digital advertising and conversion tracking;
- Chat and support tools: Intercom, Zendesk, or equivalent customer service platforms.
5.1.5 Analytics and Operations
- Google Analytics 4 (GA4): For website analytics and behavior analysis;
- Cloud hosting providers: Amazon Web Services (AWS), Google Cloud, or equivalent for website and data hosting;
- Business operations tools: Accounting software, ERP systems, and similar operational platforms as applicable to internal operations.
5.1.6 Legal, Tax, and Professional Services
- Legal counsel: External legal counsel engaged for legal matters affecting buyer relationships;
- Tax and accounting professionals: External accountants and tax advisors as part of regulatory compliance;
- Auditors: External auditors engaged for financial or regulatory audits.
5.1.7 Regulatory and Governmental Authorities
- Tax authorities: tax authorities as legally required;
- Customs authorities: customs authorities (origin and destination) as legally required;
- Privacy and data protection authorities: Privacy regulators as legally required;
- Law enforcement: Where legally required to respond to lawful requests.
5.2 Purpose of Each Sharing. Each third-party sharing serves specific operational, regulatory, or legitimate business purposes. Sharing is limited to the personal data necessary for the specific purpose.
5.3 Data Processor Agreements. Where third parties process personal data on Ryden’s behalf, we maintain data processing agreements requiring the third party to:
- Process personal data only on Ryden’s documented instructions;
- Maintain confidentiality;
- Implement appropriate technical and organizational security measures;
- Cooperate with Ryden’s privacy obligations.
5.4 International Data Transfers. [LEGAL REVIEW REQUIRED: TRANSFER MECHANISMS FOR INTERNATIONAL DATA FLOWS] Personal data may be transferred to and processed in countries outside the data subject’s country of residence, including the countries where Ryden and our third-party service providers operate. Where personal data is transferred from jurisdictions with data transfer restrictions (notably EU/EEA, UK, and certain other markets), transfers are made under appropriate safeguards including:
- Standard Contractual Clauses (SCCs): EU SCCs (2021 version) for transfers from EU/EEA to third countries;
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs: For transfers from UK to third countries;
- Adequacy decisions: Where the destination country has an adequacy decision from the relevant authority;
- Other appropriate safeguards as required by applicable law.
5.5 No Sale of Personal Data. [CCPA/CPRA-SPECIFIC] Ryden does not sell personal data in exchange for monetary consideration. Sharing with third-party advertising platforms (Meta, Google Ads) for digital advertising purposes may constitute “sharing” under CCPA/CPRA. California residents have specific rights regarding such sharing per Section 11.3.
7. Data Retention
7.1 Retention Principles. We retain personal data only as long as necessary for the purposes for which it was collected, subject to legal, regulatory, or operational requirements requiring longer retention.
7.2 Specific Retention Periods.
- Active Wholesale Account Data: Retained for the duration of the active wholesale relationship;
- Closed Wholesale Account Data: Retained for seven (7) years following account closure, matching standard applicable tax, accounting, and regulatory recordkeeping requirements. After this period, data is deleted or anonymized.
- Quote Requests Without Subsequent Order: Retained for two (2) years from submission date, allowing for follow-up and account development.
- Marketing Communications Data: Retained until consent is withdrawn or, where processing is based on legitimate interest, for two (2) years from last engagement.
- Cookie Data: Per the retention periods specified in the cookie preference center.
- Communication Records: Retained for the longer of (i) seven (7) years following the communication, or (ii) the duration of any active dispute or legal matter affected by the communication.
- Financial and Credit Data: Retained per applicable financial recordkeeping requirements, typically ten (10) years from the transaction or credit verification.
- Server Logs: Retained for [X months, TO BE SPECIFIED] for security and operational purposes.
7.3 Retention Beyond Standard Periods. Personal data may be retained beyond standard periods where required for:
- Active legal proceedings or disputes;
- Regulatory investigations or inquiries;
- Establishment, exercise, or defense of legal claims;
- Specific legal obligations requiring longer retention.
7.4 Data Deletion. Upon expiration of the applicable retention period, personal data is deleted, anonymized, or aggregated such that the individual is no longer identifiable.
8. Data Subject Rights
8.1 Rights Available to Data Subjects. Subject to applicable law and jurisdiction-specific variations, you have the following rights regarding your personal data:
- Right of Access: To know what personal data we hold about you and to receive a copy;
- Right to Rectification: To request correction of inaccurate or incomplete personal data;
- Right to Erasure (“Right to be Forgotten”): To request deletion of your personal data in certain circumstances;
- Right to Restrict Processing: To request restriction of processing in certain circumstances;
- Right to Data Portability: To receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller;
- Right to Object: To object to processing based on legitimate interest, processing for direct marketing, or processing for scientific / historical research;
- Rights Related to Automated Decision-Making: To not be subject to a decision based solely on automated processing with significant legal effects;
- Right to Withdraw Consent: Where processing is based on consent, to withdraw consent at any time;
- Right to Lodge a Complaint: With the supervisory authority in your jurisdiction.
8.2 How to Exercise Rights. To exercise your rights, contact us through:
- Email: contact@ryden.store with subject line “Data Subject Rights Request”;
- Mail: Ryden, [registered address to be specified], Attention: Privacy Compliance.
We respond to rights requests within thirty (30) days of receipt. Complex requests may require additional time, in which case we notify you and explain the reason.
8.3 Identity Verification. To protect against unauthorized rights requests, we may require identity verification before processing your request. Verification methods include:
- Confirming details from your active account;
- Requesting copies of identification documents (limited to what’s necessary);
- Multi-factor verification through email or phone.
8.4 No Fee for Rights Requests. Rights requests are generally provided free of charge. Excessive or unfounded requests (particularly repetitive requests) may be subject to a reasonable administrative fee or refusal, as permitted by applicable law.
8.5 Limits on Rights. Some rights are subject to legal limits:
- Right of access does not include third parties’ personal data;
- Right to erasure does not apply where data must be retained for legal compliance or for establishment, exercise, or defense of legal claims;
- Other limits apply per applicable law.
9. Data Security
9.1 Security Measures. We implement appropriate technical and organizational security measures to protect personal data, including:
- Encryption: TLS/SSL encryption for data in transit; encryption at rest for sensitive data categories;
- Access Controls: Role-based access controls limiting personal data access to authorized personnel;
- Authentication: Multi-factor authentication for systems containing personal data;
- Network Security: Firewalls, intrusion detection, and other network security measures;
- Physical Security: Physical access controls at facilities where personal data is processed;
- Employee Training: Privacy and security training for employees with personal data access;
- Vendor Management: Due diligence on third parties processing personal data and contractual privacy / security commitments;
- Incident Response: Documented incident response procedures for data breach scenarios.
9.2 Data Breach Notification. [LEGAL REVIEW REQUIRED: BREACH NOTIFICATION TIMING VARIES BY JURISDICTION] In the event of a personal data breach, we will:
- Investigate the breach scope and impact;
- Notify supervisory authorities within seventy-two (72) hours of becoming aware of the breach where required by applicable law;
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to the rights and freedoms of natural persons;
- Document the breach, its effects, and remediation actions.
9.3 No Guarantee of Absolute Security. While we maintain robust security measures, no system is absolutely secure. We cannot guarantee against all possible security risks. You are responsible for maintaining the confidentiality of your account credentials.
10. International Data Transfers
10.1 Locations of Processing. Personal data is processed in:
- United States: Cloud hosting (AWS), marketing platforms, analytics platforms, advertising platforms, CRM platforms;
- European Union: Some service providers based in EU member states;
- Other Locations: Various third-party service provider locations.
10.2 Transfer Safeguards. [LEGAL REVIEW REQUIRED: SPECIFIC TRANSFER MECHANISMS PER JURISDICTION] For transfers from jurisdictions with data transfer restrictions, we use appropriate safeguards:
- From EU/EEA: Standard Contractual Clauses (SCCs, 2021 version) or other approved mechanisms;
- From UK: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs;
- From China: Standard Contract approved by Cyberspace Administration of China (CAC) where applicable;
- From other jurisdictions: Appropriate safeguards as required by applicable law.
10.3 Right to Information. You have the right to be informed of the specific safeguards used for international transfers of your data. Contact our privacy team for specific transfer mechanism information applicable to your data.
11. Jurisdiction-Specific Provisions
11.1 European Union and European Economic Area (GDPR).
- Data Controller: Ryden, address per Section 1.2;
- Lead Supervisory Authority: [TO BE SPECIFIED, depends on Ryden’s main establishment determination];
- EU Representative: [LEGAL REVIEW REQUIRED, under GDPR Article 27, non-EU controllers processing EU personal data on a regular basis may need to designate an EU representative];
- Your Rights: All rights specified in Section 8 are available to EU/EEA data subjects;
- Right to Complaint: You have the right to lodge a complaint with the supervisory authority in your EU/EEA member state of residence.
11.2 United Kingdom (UK GDPR).
- Data Controller: Ryden, address per Section 1.2;
- UK Supervisory Authority: Information Commissioner’s Office (ICO);
- UK Representative: [LEGAL REVIEW REQUIRED, under UK GDPR, non-UK controllers may need to designate a UK representative];
- Your Rights: All rights specified in Section 8 are available to UK data subjects.
11.3 California (CCPA and CPRA). California residents have the following specific rights:
- Right to Know: Categories of personal information collected, sources, purposes, third parties to whom it is shared;
- Right to Delete: Request deletion of personal information subject to exceptions;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sale / Sharing: Opt out of “sale” or “sharing” of personal information. Submit opt-out requests through: [opt-out mechanism URL to be specified];
- Right to Limit Use of Sensitive Personal Information: Direct businesses to limit use of sensitive personal information;
- Right to Non-Discrimination: Not be discriminated against for exercising your rights;
- Authorized Agent: You may designate an authorized agent to make requests on your behalf;
- Verification: We will verify your identity before processing requests using methods commensurate with the data sensitivity.
11.4 China (PIPL).
- PIPL Compliance: [LEGAL REVIEW REQUIRED, PIPL has specific cross-border transfer requirements including security assessments, standard contracts, or certifications depending on the volume and sensitivity of data];
- PIPL Representative: [LEGAL REVIEW REQUIRED, PIPL may require designation of a PRC representative for processing of personal data of individuals in China];
- Your Rights: PIPL provides rights similar to GDPR; specific rights and exercise methods detailed in Section 8.
11.5 Canada (PIPEDA).
- Privacy Officer: Our designated privacy compliance person serves as the Privacy Officer for PIPEDA purposes;
- Your Rights: Access, correction, withdrawal of consent;
- Right to Complaint: Office of the Privacy Commissioner of Canada (OPC).
11.6 Japan (APPI).
- APPI Compliance: Ryden complies with APPI requirements for personal information handling;
- Your Rights: Access, correction, and use suspension rights per APPI;
- Right to Complaint: Personal Information Protection Commission (PPC).
11.7 Brazil (LGPD).
- LGPD Compliance: Ryden complies with LGPD requirements;
- Brazilian Representative (DPO): [LEGAL REVIEW REQUIRED, LGPD may require DPO designation];
- Your Rights: LGPD provides comprehensive data subject rights similar to GDPR;
- Right to Complaint: National Data Protection Authority (ANPD).
11.8 Australia.
- Australia Privacy Act Compliance: Ryden complies with Australian Privacy Principles (APPs);
- Your Rights: Access and correction rights per Australia Privacy Act;
- Right to Complaint: Office of the Australian Information Commissioner (OAIC).
12. Children’s Privacy
12.1 Age Limitation. Our wholesale services are intended for business buyers. We do not knowingly collect personal data from individuals under sixteen (16) years of age (or higher age threshold as required by applicable law in specific jurisdictions).
12.2 Discovery of Child Data. Where we discover that we have inadvertently collected data from a child without appropriate parental consent, we delete the data and terminate any associated account.
12.3 Reporting Suspected Child Data. If you believe we have collected personal data from a child, please contact us immediately at contact@ryden.store.
13. Automated Decision-Making
13.1 Limited Automated Decision-Making. We do not currently use automated decision-making with significant legal effects on data subjects. Credit verification (Section 3 of the Net Terms Policy) involves human review of automated credit reports rather than purely automated decision-making.
13.2 Profiling. We conduct limited profiling for analytics and marketing purposes, such as segmenting buyers by purchase categories or geographic regions. Such profiling does not result in automated decisions with significant effects.
13.3 Future Changes. If we implement automated decision-making with significant effects in the future, we will update this Policy and provide notice to affected data subjects.
14. Contact Information
14.1 Privacy Inquiries.
Ryden Privacy Compliance
Email: contact@ryden.store
Mail: [registered address to be specified], Attention: Privacy Compliance
Privacy Contact Person: [designated person name to be specified]
14.2 Data Subject Rights Requests.
Email: contact@ryden.store with subject line “Data Subject Rights Request”
Online Form: [rights request form URL to be specified, if implemented]
14.3 California Consumer Rights.
Opt-Out of Sale / Sharing: [California opt-out URL to be specified]
California-Specific Requests: [California-specific contact to be specified]
14.4 EU Representative. [TO BE COMPLETED IF EU REPRESENTATIVE IS DESIGNATED]
14.5 UK Representative. [TO BE COMPLETED IF UK REPRESENTATIVE IS DESIGNATED]
14.6 China PIPL Representative. [TO BE COMPLETED IF PRC REPRESENTATIVE IS DESIGNATED]
14.7 LGPD DPO. [TO BE COMPLETED IF LGPD DPO IS DESIGNATED]
15. Updates to This Policy
15.1 Periodic Review. We review this Policy at least annually and update it as our practices change, as third-party service providers change, or as applicable law evolves.
15.2 Material Changes. Material changes to this Policy are communicated through:
- Email notification to active wholesale buyers;
- Prominent notice on our website;
- Updated “Last Updated” date at the top of the Policy.
15.3 Continued Use. Continued use of our services after the effective date of policy changes constitutes acceptance of the updated Policy. Where consent is the legal basis for specific processing, we obtain renewed consent for new processing purposes.
Exercising your rights or have a privacy question?
Email contact@ryden.storewith subject line “Data Subject Rights Request” or your question. We respond within 30 days for rights requests under GDPR, UK GDPR, CCPA/CPRA, and other applicable regimes.
Related policies: Net Terms Policy (credit verification data handling), Customs and Import Documentation Policy (data shared with customs brokers and authorities), Quality Testing Policy (buyer-specific quality data confidentiality), Return and Defect Policy, and Shipping and Freight Policy.