Privacy policy

The controller responsible for processing your personal data is Ecrila [legal entity], with its registered office at [full address], registered with the [city] companies register under company number [registration number]. Ecrila alone determines the purposes and means of the processing described in this policy.

For any question relating to your data, you may contact our Data Protection Officer (DPO) at [email protected] or by post at our registered office, marked for the attention of the DPO.

We collect the following categories of data, depending on the nature of your buyback request. Some are essential: without them, we are unable to carry out authentication, the transaction or payment.

Identity

Title, surname, first name, date and place of birth and nationality, required to draw up the buyback agreement and to meet our due diligence obligations.

Contact details

Postal address, email address and telephone number, used to keep you informed and to arrange the shipment of your items.

Identity document / KYC

A copy of a valid identity document and identity verification data, processed as part of our know-your-customer obligations.

Item photographs

Images, serial numbers and descriptions of the items submitted, used for valuation, authentication and lot traceability.

Bank details (IBAN)

Bank account details (IBAN, BIC, account holder) required to pay the buyback price by bank transfer.

Your data is only processed for specified and explicit purposes:

Buyback

Handling your request, valuation, making the offer and concluding and performing the buyback agreement.

Authentication

Verifying the provenance, authenticity and condition of the items entrusted to our experts.

Payment

Processing the payment, accounting traceability and prevention of payment fraud.

AML/CFT

Meeting our obligations to combat money laundering and terrorist financing, including identity verification and the reporting of suspicious transactions.

Each processing activity relies on one of the legal bases set out in Article 6 of the GDPR:

Performance of a contract — the processing of identity data, contact details, item photographs and your IBAN is necessary to handle your buyback request and to pay the price.

Legal obligation — identity verification (KYC), the retention of supporting documents and AML/CFT due diligence respond to legal and regulatory obligations that apply to us, in particular under applicable financial regulations.

Legitimate interests — fraud prevention, the security of our systems and the improvement of our services rely on our legitimate interests, balanced against your rights and freedoms.

Consent — certain optional processing (analytics cookies, marketing communications) is only carried out with your prior agreement, which you may withdraw at any time.

Your data is only kept for as long as necessary for the purposes pursued, after which it is archived or deleted:

Buyback file

Kept for the duration of the relationship, then archived for up to five years from the last transaction in line with the commercial limitation period.

AML/CFT / KYC records

Identity documents and due diligence records kept five years after the end of the business relationship, in accordance with anti-money-laundering obligations.

Accounting records

Invoices and payment documents kept for six years, in accordance with accounting and tax obligations.

Prospects & cookies

Marketing data kept for three years after the last contact; trackers subject to consent limited to thirteen months.

Your data is accessible to our authorised teams (expertise, compliance, accounting, customer relations), strictly on a need-to-know basis. It may be shared with service providers acting as processors, governed by contract:

Stripe

Payment service provider, for the secure processing of payments and fraud prevention.

KYC providers

Identity verification partners responsible for checking documents and carrying out know-your-customer due diligence.

Carriers

Secure courier companies and insurers, for the collection and delivery of items.

Your data may also be disclosed to the competent authorities (financial intelligence units, judicial authorities) where the law requires it. It is never sold to third parties.

Your data is hosted and processed within the European Union. Where a service provider may access data from a third country, such a transfer only takes place to a country recognised as offering an adequate level of protection or on the basis of appropriate safeguards — in particular the standard contractual clauses adopted by the European Commission, supplemented where necessary by additional measures.

A copy of these safeguards can be made available to you on request to our DPO.

Our site sets cookies that are strictly necessary for it to function, which do not require your consent. Analytics cookies and, where applicable, personalisation cookies are only set once we have obtained your consent through our dedicated banner.

You may change your choices at any time from the cookie management module or your browser settings. Trackers subject to consent are kept for a maximum of thirteen months.

Under the GDPR, you have the following rights over your personal data, within the limits provided by law — certain data subject to a legal obligation (KYC, AML/CFT) cannot be erased before its retention period has expired:

To exercise these rights, send your request to the DPO at [email protected], together with proof of identity where necessary. We respond within one month. If, after contacting us, you believe that your rights are not being respected, you may lodge a complaint with your national data protection authority, [authority name and address], or via cnil.fr.