ESKATING

Legal

Privacy Policy.

Last updated: 30 May 2026

1. Data Controller

The data controller for all personal data processed through eskating.eu is:

ESKATING (Ferrer Alberto)
Via Chiesa 531, 37040 Zimella (VR), Italy
VAT: IT05127330230
Privacy enquiries: info@eskating.eu

We are committed to handling your data with care, transparency, and in compliance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and the Italian Privacy Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018).

2. What Data We Collect

2.1 Data you give us directly

  • Contact form — name, email address, subject, message body.
  • Checkout — billing and shipping address (first name, last name, company, VAT number, street, city, postcode, country), email address, phone number.
  • Account creation — name and email address (via Google OAuth sign-in only; we never store passwords).
  • Newsletter — email address, if you subscribe to ESK-Wire.
  • Marketplace seller listings — if you create a peer-to-peer listing you provide your name, email, PayPal email (for payouts), item description, photos and asking price. Your full name is never shown publicly on the site: buyers see only your first name and the initial of your surname (e.g. “Mario R.”). Your email and PayPal email are kept strictly private and shared only with ESKATING staff acting as escrow broker for the sale.
  • Marketplace buyer purchases — when you buy a marketplace item we collect your shipping address, email and the purchase amount to coordinate the broker-escrow transaction and shipping.
  • Spark AI chat assistant — the messages you type into the on-site Spark chat widget are sent to our AI provider (OpenAI) to generate replies. Do not enter personal data, payment details, or sensitive information into the chat.
  • AI listing helper (sellers only) — if you use the “Generate with AI” button while creating a marketplace listing, the photos you upload are transmitted to OpenAI's Vision API to draft the title and description. Photos are not retained by OpenAI for training (per their API data-use policy).

2.2 Data collected automatically

  • IP address — logged server-side for security (rate limiting, abuse prevention). Not retained longer than 24 hours in active memory; not stored in our database.
  • Session tokens — short-lived JWT tokens stored in an HTTP-only cookie, required for authentication.
  • Browser storage — your shopping cart and display-theme preference are stored in your browser's localStorage. This data never leaves your device unless you initiate a checkout.

2.3 Data collected by third parties on our behalf

  • PayPal — when you pay, you interact directly with PayPal's checkout. PayPal may set its own cookies and collect payment-related data under PayPal's Privacy Policy.
  • Google — if you sign in with Google, your name, email, and profile picture are shared with us by Google under Google's Privacy Policy.
  • Packlink PRO — when we generate a shipping label for your order (standard shop orders and marketplace purchases), your shipping address, phone number and parcel data are transmitted to Packlink and to the chosen courier (e.g. BRT, GLS, DHL, UPS) for delivery, under Packlink's Privacy Policy.
  • OpenAI — messages sent through the Spark chat assistant and images submitted to the AI listing helper are processed by OpenAI to generate the response. See OpenAI's Privacy Policy. API inputs are not used to train OpenAI's models.

2.4 Data we do NOT collect

We do not use advertising networks, behavioural tracking pixels, or third-party analytics (e.g., Google Analytics, Meta Pixel). We do not collect health data, biometric data, or data from children under 16.

3. How We Use Your Data

Purpose | Legal basis (GDPR Art. 6)
Process and fulfil your order | Art. 6(1)(b) — performance of a contract
Send order confirmation and shipping updates | Art. 6(1)(b) — performance of a contract
Reply to contact-form enquiries | Art. 6(1)(b) — pre-contractual steps / Art. 6(1)(f) — legitimate interest
Maintain your account (if signed in via Google) | Art. 6(1)(b) — performance of a contract
Publish your marketplace listing and broker the sale (escrow role) | Art. 6(1)(b) — performance of a contract
Generate AI-assisted listing drafts (Spark / listing helper) | Art. 6(1)(a) — consent (you click “Generate with AI”)
Generate shipping labels via Packlink | Art. 6(1)(b) — performance of a contract
Prevent fraud and abuse (rate limiting, spam filters) | Art. 6(1)(f) — legitimate interest in security
Send ESK-Wire newsletter (if subscribed) | Art. 6(1)(a) — consent
Comply with tax and accounting obligations | Art. 6(1)(c) — legal obligation

4. Data Sharing

We share personal data only with the following categories of recipients:

  • Supabase Inc. (database hosting) — our database is hosted on Supabase's EU infrastructure. A Data Processing Agreement is in place. Data does not leave the EU.
  • SMTP / email provider — order confirmations and contact-form replies are delivered through our email service provider. Recipient email addresses are transmitted only to deliver the relevant message.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. — payment processing. Data shared is limited to order amount, currency, and billing details required for the transaction.
  • Google LLC — only if you choose to sign in with Google. We receive your name, email, and profile picture from Google.
  • Packlink Shipping S.L. (Madrid, Spain) — shipping orchestration. We transmit the recipient's name, address, phone number, email and parcel dimensions so the chosen courier can pick up and deliver the parcel. A Data Processing Agreement is in place.
  • OpenAI, L.L.C. — receives only the content you actively submit to the Spark chat (your typed messages) or to the AI listing helper (the photos you upload). No customer database, order data, or other identifiers are sent. Inputs transmitted via the OpenAI API are not used to train OpenAI's models.
  • Marketplace counterparts — when a marketplace transaction completes, we share the buyer's shipping address with the seller exclusively for the purpose of shipping the purchased item, and we share the buyer's tracking number with the buyer. Sellers never receive buyer payment data; buyers never receive the seller's PayPal address (ESKATING acts as escrow broker).
  • Legal authorities — we may disclose data if required by law, court order, or competent authority. We will notify you unless prohibited by law.

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.

5. Data Retention

Data type | Retention period
Order records (billing data, items, totals) | 10 years — Italian civil and tax law obligation
Marketplace listings (active or sold) | 24 months from last activity; sellers may request earlier deletion
Marketplace purchase / broker records | 10 years — tax and dispute-resolution obligations
Spark chat transcripts | Stored in your browser only; not retained server-side
Contact-form messages | 2 years from last interaction, then deleted
Account data (name, email from Google OAuth) | Until account deletion is requested
Newsletter subscription | Until unsubscribe; then deleted within 30 days
Session authentication tokens | 14 days (JWT expiry); revoked on sign-out
Server-side rate-limiting data (IP counts) | Maximum 24 hours in memory; not persisted to DB
Browser localStorage (cart, theme) | Until you clear browser data or withdraw consent

6. Your Rights Under GDPR

As a data subject in the EU, you have the following rights. You may exercise them at any time by writing to info@eskating.eu. We will respond within 30 days.

  • Right of access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g., newsletter), you may withdraw at any time without affecting prior lawful processing.
  • Right to lodge a complaint — you may complain to the Italian data protection authority, the Garante per la protezione dei dati personali, or the supervisory authority in your country of residence.

7. Security

We implement the following technical and organisational measures:

  • All data in transit is encrypted via TLS 1.2+ (HTTPS enforced).
  • Database data at rest is encrypted by Supabase (AES-256).
  • Authentication tokens are stored in HTTP-only cookies (not accessible to JavaScript).
  • Admin access is protected by a secret token and IP-based rate limiting.
  • Contact and checkout endpoints are rate-limited per IP to prevent abuse.
  • Payment card data is never transmitted to or stored on our servers — PayPal handles all card processing in their PCI-DSS-certified environment.

No system is 100% secure. In the event of a personal data breach likely to result in high risk to you, we will notify you and the Garante within 72 hours as required by GDPR Art. 33–34.

8. Cookies & Browser Storage

For detailed information about the cookies and browser storage we use, how long they last, and how to manage your preferences, please see our Cookie Policy.

You can update your cookie preferences at any time by clicking Manage cookie preferences in the site footer.

9. International Data Transfers

Our database (Supabase) is hosted in the EU and data does not leave the EU for storage. Google LLC and PayPal (Europe) S.à r.l. may process data in the United States or other countries. Both companies participate in mechanisms approved under GDPR:

  • Google LLC — Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c).
  • PayPal (Europe) S.à r.l. — EU incorporated entity; further transfers covered by SCCs.
  • OpenAI, L.L.C. — transfers to the US under SCCs (EU – US Data Privacy Framework where applicable).
  • Packlink Shipping S.L. — EU incorporated entity (Madrid, Spain); onward transfers to non-EU couriers, where applicable, are covered by SCCs.

10. Children's Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently received data from a child, please contact us immediately at info@eskating.eu and we will delete it promptly.

11. Changes to This Policy

We may update this privacy policy when our data practices change or when required by law. Material changes will be communicated via a notice on the site or, where appropriate, by email. The "Last updated" date at the top of this page always reflects the most recent version. Continued use of the site after a change constitutes acceptance of the updated policy.

12. Contact Us

For any privacy-related enquiry, request to exercise your rights, or data breach report, contact us at:

ESKATING (Ferrer Alberto) — Data Controller
Via Chiesa 531, 37040 Zimella (VR), Italy
info@eskating.eu