GDPR — Data Protection

Regulation (EU) 2016/679 — Last updated: January 1, 2025

Our commitment

CODShipEurope is fully compliant with the General Data Protection Regulation (GDPR). As a platform operating in Europe, protecting your data and that of your customers is an absolute priority.

1. Who are we?

Data Controller: CODShipEurope Lda
Registered office: Lisbon, Portugal
DPO contact: dpo@codshipeurope.com

2. Data Processed and Legal Bases

CODShipEurope processes two categories of personal data: that of its merchant users (you) and that of your end customers (COD buyers).

Merchant data: processed on the basis of contract performance and legitimate interest (service improvement).

End customer data: processed on the basis of the delivery contract. As a merchant using CODShipEurope, you are the data controller for your customers' data; CODShipEurope acts as a data processor.

3. Rights of Data Subjects

Right of access (Art. 15)

Obtain confirmation of processing and a copy of your data.

Right to rectification (Art. 16)

Have inaccurate or incomplete data corrected.

Right to erasure (Art. 17)

Request deletion of your data under certain conditions.

Right to data portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing for marketing or legitimate interest purposes.

Right to restriction (Art. 18)

Limit processing where the accuracy of data is contested.

To exercise your rights: dpo@codshipeurope.com. Response time: maximum 30 days.

4. Retention Periods

  • Active account data: throughout the duration of the contractual relationship
  • Data after termination: 3 years (civil limitation period)
  • Billing data: 10 years (accounting and tax obligation)
  • Technical logs: 12 months
  • Delivery data: 5 years

5. International Transfers

CODShipEurope uses sub-processors whose servers may be located outside the European Union. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring a level of protection equivalent to the GDPR.

6. Sub-processors

CODShipEurope engages the following sub-processors, all GDPR-compliant:

  • Supabase: database and authentication
  • Vercel: hosting and deployment
  • Stripe: payment processing
  • Resend: transactional email sending

7. Security Measures

  • TLS 1.3 encryption for all communications
  • Encryption of sensitive data at rest (AES-256)
  • Secure authentication with bcrypt password hashing
  • Role-based access control (RBAC)
  • Access logging and monitoring
  • Daily encrypted backups
  • Regular security testing

8. Data Breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, CODShipEurope commits to notifying you within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.

9. Complaint

If you believe that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

CNPD (Portugal): Rua de São Bento, 148-3°, 1200-821 Lisbon — www.cnpd.pt