Privacy Policy

Data Controller: Various Archives

Email: contact@various-archives.com

Postal address: Tokyo, Seoul, Paris.

We have not appointed a Data Protection Officer at this time. If that changes, we will update this policy.

• Visitors to our website
• Users who create an account
• Individuals who join our waitlist or newsletter
• Individuals who contact us
• Seller applicants, including individuals acting on behalf of a store or company

A. Information you provide to us

Waitlist and newsletter

• Email address
• Optional: name, country, and preferences

Account creation

• Email address
• Authentication data needed to access your account

Contact

• Name if provided
• Email address
• Message content and any attachments you send

Seller applications

• Store or business name
• Name of a contact person
• Business email, phone, and address if provided
• Store links such as website and social accounts
• Verification information if requested during the application process
• Communications related to the application

B. Information we collect automatically when you use the website

Technical and usage data

• IP address
• Device and browser information
• Pages viewed, approximate timestamps, and referral information
• Diagnostic and security logs

This information is typically generated by hosting and security operations.

C. Information we receive from third parties

• Limited contact information relevant to a platform request, if provided by a seller
• Information collected independently by sellers when you visit their websites

A. Provide and operate the platform. Access to the website, account creation, and core functionality. Legal basis: performance of a contract, pre-contractual steps, or legitimate interests depending on the context.

B. Respond to you. Inquiries, support, and communications. Legal basis: legitimate interests or steps at your request.

C. Manage waitlist and newsletter. Launch updates and newsletter content. Legal basis: consent where required. You can withdraw consent at any time.

D. Review seller applications and maintain marketplace integrity. Review applications, verify professional status, prevent fraud, and manage onboarding. Legal basis: legitimate interests and steps at your request.

E. Security and abuse prevention. Protect the platform, detect abuse, prevent attacks, and troubleshoot issues. Legal basis: legitimate interests.

F. Legal obligations. Comply with applicable laws and respond to lawful requests. Legal basis: legal obligation.

If you join our newsletter or opt in to updates, we may send you emails. You can unsubscribe at any time using the link in our emails or by contacting us. We may also use double opt-in to strengthen consent records.

We explain cookies and similar technologies in a separate Cookie Policy. For many non-essential trackers, EU rules require prior consent and an easy way to withdraw it.

We do not sell your personal data.

We share personal data only as needed with:

• Our internal team on a limited, need-to-know basis
• Service providers that process data on our behalf
• Authorities, courts, or parties where required by law

Current key service providers include:

• Hosting, delivery, and aggregated web analytics: Vercel
• Database and possibly authentication: Supabase
• Email and domain services: Infomaniak
• Product analytics with consent: PostHog

We will update this section if these providers materially change.

Because we work with global infrastructure providers, personal data may be processed outside the European Economic Area.

Where relevant, we rely on recognized transfer mechanisms such as:

• Adequacy decisions where applicable
• Standard Contractual Clauses adopted by the European Commission
• Other mechanisms described in vendor agreements where applicable

We keep personal data only as long as necessary for the purposes described above. Indicative retention periods are:

• Waitlist and newsletter contacts: up to 3 years from the last interaction
• Contact requests: typically up to 24 months after resolution, unless longer retention is needed for disputes
• Seller applications: up to 24 months after the final decision, unless onboarding or legal needs require longer
• Account data: for as long as the account is active, with limited retention after deletion where needed for security, fraud prevention, or legal claims
• Security and technical logs: limited retention, then deletion or anonymization

We use reasonable technical and organizational measures to protect personal data. No method of transmission or storage is fully secure, but we work to reduce risk and respond to incidents.

Depending on your location, you may have rights to:

• Access your data
• Rectify inaccurate data
• Delete data
• Restrict processing
• Object to processing based on legitimate interests
• Data portability
• Withdraw consent where processing is based on consent

To exercise your rights, email contact@various-archives.com. We may ask for information to verify your identity.

Complaints: if you are in France, you can lodge a complaint with the CNIL.

Our website is not intended for children. If you believe a child provided personal data, contact us so we can delete it where appropriate.

We do not use automated decision making that produces legal or similarly significant effects on you.

The Various Archives Connector is a Shopify Sales Channel app that lets merchants list their products on the Various Archives marketplace. When a merchant installs and connects the app, we process the following data on their behalf:

Data collected from merchants

• Shop domain and myshopify domain
• Shopify API access token (stored encrypted, used only to read and publish products)
• Product and variant data synced from the merchant’s catalog: titles, descriptions, prices, images, inventory status
• Publication and channel settings for the Various Archives Sales Channel

Data collected through the attribution flow

When a buyer clicks through to a merchant's checkout via Various Archives, we create an attribution session to track whether the resulting order should be attributed to the marketplace for commission purposes. We may store:

• A signed attribution token (va_ref) tied to the shop and product variant
• The Shopify order ID and order amount if the order is attributed
• The calculated commission amount
• Buyer identifiers (Shopify customer ID and email) on the attribution session, temporarily, to support GDPR data requests from that buyer

Legal bases

We process merchant data to perform the service contracted through the app (execution of the Connector agreement, including commission billing via Shopify's usage-based billing API). Attribution and billing data is processed on the basis of legitimate interests and contractual necessity.

Retention

• Merchant and product data: retained while the app is installed and the shop is active.
• Attribution and billing data: retained for up to 36 months after the last billing event for accounting and dispute purposes.
• Shop redact: when Shopify sends a shop/redact webhook (48 hours after uninstall), we delete all shop-scoped data including products, attributed orders, billing records, and the shop record itself.
• Buyer data on attribution sessions: nulled upon receipt of a customers/redact webhook from Shopify.

GDPR requests from buyers

Shopify routes buyer data-access and deletion requests to us via mandatory compliance webhooks (customers/data_request and customers/redact). We process these automatically. Merchants can also direct buyer inquiries to contact@various-archives.com.

We may update this policy to reflect changes in our practices, features, or legal requirements. We will update the "Last updated" date and may provide additional notice when appropriate.