Privacy Policy

Last updated: June 2026 · GDPR-compliant

1. Introduction

Surpl.io B.V. ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use the Surpl.io platform, whether as a buyer, seller, or visitor. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Surpl.io B.V.
Keizersgracht 123
1015 CJ Amsterdam, Netherlands
Email: dpo@surpl.io

We have appointed a Data Protection Officer (DPO) who can be reached at the above address.

3. Information We Collect

We collect the following categories of personal data:

  • Account Information: Company name, contact name, email address, phone number, VAT number, and business address;
  • Transaction Data: Order history, payment information (processed by our PCI-compliant payment partners), shipping addresses, and purchase patterns;
  • Platform Usage: Browsing behaviour, search queries, saved searches, watchlist items, and device information (IP address, browser type, operating system);
  • Communication Data: Messages exchanged through our platform, support tickets, and email correspondence;
  • Verification Data: Business registration documents, tax certificates, and identity verification materials submitted for VerifiedSurplus™ or seller onboarding.

4. How We Use Your Data

We process your personal data for the following purposes:

  • To provide, operate, and maintain the Surpl.io platform and its features;
  • To process transactions, facilitate payments, and manage order fulfilment;
  • To verify seller identity and maintain the integrity of the VerifiedSurplus™ programme;
  • To communicate with you about your account, orders, and platform updates;
  • To personalise your experience, including search results and recommendations;
  • To detect and prevent fraud, abuse, and security incidents;
  • To comply with legal obligations, including tax and accounting requirements;
  • To send marketing communications where you have provided consent (which you may withdraw at any time).

5. Legal Basis for Processing

Under GDPR, we rely on the following legal bases:

  • Contractual necessity: Processing required to perform our contract with you (account management, order fulfilment);
  • Legal obligation: Compliance with tax, anti-money laundering, and other regulatory requirements;
  • Legitimate interests: Fraud prevention, platform security, analytics, and business development;
  • Consent: Marketing communications and non-essential cookies. You may withdraw consent at any time.

6. Data Sharing & Recipients

We share personal data only with:

  • Other platform users: Necessary business information shared with transaction counterparties (e.g., shipping details shared with sellers);
  • Service providers: Cloud hosting, payment processing, email delivery, analytics, and customer support tools bound by data processing agreements;
  • Legal authorities: When required by law, court order, or to protect our rights and safety;
  • Business partners: Only with your explicit consent, such as verified logistics providers.

We do not sell personal data to third parties for advertising or marketing purposes.

7. International Transfers

Your data is primarily stored within the European Economic Area (EEA). Where we transfer data outside the EEA (e.g., to cloud service providers), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that recipients maintain adequate data protection standards.

8. Data Retention

We retain personal data for as long as necessary for the purposes outlined above:

  • Account data: retained while your account is active, plus 7 years for tax/accounting records;
  • Transaction data: 7 years from the date of transaction (statutory requirement);
  • Marketing data: until you withdraw consent or we cease marketing activity;
  • Platform usage logs: 12 months for security and analytics purposes.

Upon account deletion request, we will erase or anonymise your personal data within 30 days, except where retention is required by law.

9. Your GDPR Rights

As an EU resident, you have the following rights:

  • Access: Request a copy of your personal data;
  • Rectification: Correct inaccurate or incomplete data;
  • Erasure: Request deletion of your data ("right to be forgotten");
  • Restriction: Limit processing in certain circumstances;
  • Portability: Receive your data in a structured, machine-readable format;
  • Objection: Object to processing based on legitimate interests or for direct marketing;
  • Withdraw consent: At any time, without affecting prior lawful processing.

To exercise any of these rights, contact us at dpo@surpl.io. We will respond within 30 days.

10. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the platform, remember preferences, analyse usage, and deliver relevant content. You can manage your cookie preferences through your browser settings or our cookie consent banner. For more details, please see our Cookie Policy.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.3), encryption at rest, access controls, regular security assessments, and staff training. While we strive to protect your data, no internet transmission is completely secure, and we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to registered users via email or prominent platform notice. Continued use of Surpl.io after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, data subject requests, or complaints, please contact our Data Protection Officer at dpo@surpl.io or Surpl.io B.V., Keizersgracht 123, 1015 CJ Amsterdam, Netherlands. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).