Privacy Policy
1. Data Controller
The data controller for your personal information is:
Part Collector Ltd
Bulgaria
Contact: partcollector.com/#contact — select Legal & Privacy
For any privacy or GDPR-related requests, please use our contact form (select Legal & Privacy).
2. Data We Collect
Part Collector operates exclusively within Discord. We collect the minimum data required to operate the Platform. Buyers’ search activity, messages, and communications are handled entirely through Discord and are not stored by us. However, to enforce the Platform Terms of Service and maintain a complete legal record for dispute resolution, we record the minimum data listed below for all users (both buyers and sellers) who interact with the Platform.
| Category | Data Points | Source | Who |
|---|---|---|---|
| Discord Identity | Discord user ID, username | Discord bot interaction at server entry | Sellers |
| Seller Payment Email | PayPal email address (manually entered by the seller and verified via OTP) | Seller-provided; OTP delivered via Brevo email | Sellers only |
| Business / Tax Identity | VAT registration number, company name (as validated by VIES) | Seller-provided; validated in real-time via EU VIES system | EU business sellers only |
| Seller Profile | Shipping origin country, preferred currency, weight unit, custom shipping rates | Seller-provided during Shipping Setup in Discord | Sellers only |
| Subscription Records | Subscription tier, billing cycle, PayPal subscription ID, payment amounts, payment dates | PayPal subscription webhooks | Sellers only |
| Seller Listing Data | Part descriptions, photographs, prices, shipping terms of listed items | Seller-provided when creating listings | Sellers only |
| Consent Records | Discord user ID; Discord username at the time of acceptance; exact UTC timestamp of acceptance; policy version accepted; URLs of all policy documents presented at the time of acceptance; and — where available following a completed payment — the verified PayPal email address associated with the account. Per-transaction non-refundable payment acknowledgements are recorded separately for each subscription purchase. | Platform bot interactions (TOS acceptance button); PayPal payment confirmation webhook (PayPal email, retroactively linked after first completed payment) | All platform users (buyers and sellers) |
| Buyer Payment Email | PayPal email address of the buyer, obtained from the PayPal payment confirmation when an invoice is paid | PayPal Orders API payment confirmation; stored into the buyer’s Terms of Service consent record for dispute resolution purposes | Buyers who have completed at least one payment |
We do not collect or store PayPal OAuth credentials, credit card numbers, or banking details. All payment processing is handled directly by PayPal. The only buyer personal data we collect is the minimum necessary to record Terms of Service acceptance and, after a completed payment, to link it to the PayPal account used for that payment — solely for dispute resolution purposes.
3. Lawful Basis for Processing
| Purpose | Lawful Basis (EU GDPR) |
|---|---|
| Verifying seller PayPal email ownership via OTP | Consent (Art. 6(1)(a)) |
| Processing seller subscriptions and maintaining platform access | Contract performance (Art. 6(1)(b)) |
| EU VAT validation via VIES for accurate invoicing | Contract performance (Art. 6(1)(b)) |
| Retaining subscription payment records | Legal obligation (Art. 6(1)(c)) — Bulgarian Accounting Act |
| Fraud prevention and platform integrity | Legitimate interests (Art. 6(1)(f)) |
| Recording Terms of Service and Rules acceptance for all platform users | Legitimate interests (Art. 6(1)(f)) — establishing proof that users agreed to Platform Terms before transacting, and maintaining an evidence record for dispute resolution |
| Linking a buyer’s PayPal email to their Platform Terms acceptance record (obtained from invoice payment confirmation) | Legitimate interests (Art. 6(1)(f)) — establishing a complete identity evidence chain for dispute resolution; the buyer’s interest in not having this data processed does not override the legitimate interest given the minimal scope of data and legal purpose |
4. How We Use Your Data
- To verify that your PayPal email address is valid and belongs to you (OTP verification process);
- To create PayPal payment links for your subscription billing;
- To automatically calculate and remove VAT from invoices for EU VAT-registered sellers (via VIES);
- To display and manage your seller shipping profile, rates, and active listings;
- To maintain subscription and payment records as required by Bulgarian accounting legislation;
- To enforce platform rules, resolve disputes, and prevent abuse;
- To respond to your support requests and legal rights enquiries;
- For buyers who complete a payment: to link the PayPal email address from the payment confirmation to your Platform Terms acceptance record, solely for the purpose of dispute resolution and enforcement of the Terms of Service you accepted.
5. Data Sharing
We share personal data only as strictly necessary:
- PayPal: We use the PayPal Orders API to create subscription payment links. Payment capture and processing is governed entirely by PayPal’s own Privacy Policy;
- VIES (EU VAT Information Exchange System): EU sellers’ VAT numbers are submitted to the VIES system in real-time for validation. No data is retained from this query beyond what the seller has provided to us;
- Brevo: We use Brevo to send OTP verification emails to sellers during PayPal email setup. See Brevo’s Privacy Policy;
- OCI (Oracle Cloud Infrastructure): All Platform data is hosted on OCI servers in Turin, Italy (EU). See Oracle’s Privacy Policy;
- Cloudflare: Our website (partcollector.com) is served via Cloudflare for security and CDN. See Cloudflare’s Privacy Policy;
- Legal Authorities: Where we are legally obliged to disclose data (e.g., court orders, government requests).
We do not sell your personal data to third parties, use it for advertising profiling, or share it with any other party.
6. Data Storage & Location
All personal data collected by Part Collector is stored exclusively on servers located within the European Economic Area (OCI Turin, Italy). We do not transfer your personal data outside the EEA for our own processing purposes.
PayPal, Brevo, and VIES operate as independent data controllers under their own privacy policies; please refer to those policies for information about their own data storage and international transfer practices.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Seller profile (PayPal email, VAT details, shipping profile, listings) | Until seller deletes their account via the “⚙️ Setup Shipping” → “Delete Account” feature in Discord, or upon written request |
| Subscription and payment records | 10 years (Bulgarian Accounting Act, Art. 38 — accounting documents retention obligation) |
| Terms of Service consent records — sellers (Discord ID, username, timestamp, policy version, PayPal email) | 5 years after account deletion or written erasure request; may be retained beyond this period under Art. 17(3)(e) GDPR where necessary to establish, exercise, or defend legal claims |
| Terms of Service consent records — buyers (Discord ID, username, timestamp, policy version; PayPal email if a payment was completed) | 5 years from the date of last transaction, or 5 years from date of acceptance where no transaction was completed; erasure requests accepted via our contact form; may be retained under Art. 17(3)(e) GDPR where necessary to defend legal claims |
| Discord identity (user ID, username) | Until account deletion request is processed |
| OTP verification logs | 30 days |
When a seller deletes their account via the Discord bot (“⚙️ Setup Shipping” → “Delete Account”), all seller profile data, listings, shipping credentials, and PayPal details are permanently and immediately deleted. Subscription payment records are retained solely to satisfy our legal obligations under Bulgarian accounting law and are not used for any other purpose.
8. Your Rights
Under EU GDPR you have the following rights:
Request a copy of the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Sellers: Use “Delete Account” in the Discord bot for immediate self-service deletion of all profile, listing, and PayPal data. Buyers: Submit a written request via our contact form (select Legal & Privacy). Note: Terms of Service consent records may be retained for up to 5 years under Art. 17(3)(e) GDPR where necessary to establish or defend legal claims, regardless of an erasure request.
Request that we restrict processing in certain circumstances.
Receive your listing and seller data in a machine-readable format. Use the Export feature in the bot or contact us.
Object to processing based on legitimate interests.
Withdraw any consent you have given at any time without affecting prior lawful processing.
Lodge a complaint with the CPDP (Bulgaria) or your national supervisory authority (EU).
To exercise any of the above rights, use the self-service “Delete Account” feature in the Discord bot, or submit a request via our contact form (select Legal & Privacy). We will respond within 30 days.
9. Cookies and Tracking
The Part Collector website (partcollector.com) uses minimal, essential-only cookies:
- Session cookies: Temporary cookies for secure navigation; deleted when you close your browser.
- Cloudflare security cookies: Set by our CDN provider for DDoS protection and security; see Cloudflare’s Privacy Policy.
We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are deployed on our site.
10. Children’s Privacy
Our Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please contact us via our contact form (select Legal & Privacy) and we will delete it promptly.
11. Security
We employ industry-standard security measures including encrypted data storage, access controls, and strict internal data handling policies. While we take all reasonable precautions, no system is completely immune to breach. In the event of a notifiable data breach, we will inform the relevant supervisory authority within 72 hours and notify affected individuals where required by law.
12. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be notified via the Discord server and/or DM at least 14 days before taking effect. The current Policy is always accessible at partcollector.com/privacy.
13. Contact & Supervisory Authority
For privacy-related enquiries: partcollector.com/#contact — select Legal & Privacy
As a Bulgaria-registered company, our lead data protection supervisory authority is the Commission for Personal Data Protection (CPDP). If you believe your rights have been violated, you may contact the CPDP at cpdp.bg.
If you are in the European Union, you may also contact your national data protection authority. A list of EU authorities is available at edpb.europa.eu.