Privacy Policy
Effective Date: June 1, 2026
Last Updated: June 1, 2026
CANISMAJORIS21 SRL, Tudor Arghezi 15, Brasov, Romania
Contact: hello@net21.app
1. Who We Are
net21 is a product operated by CANISMAJORIS21 SRL, a Romanian legal entity registered at Tudor Arghezi 15, Brasov, Romania. This Privacy Policy describes what personal data we collect, how we use it, with whom we share it, how long we retain it, and what rights you have as a user of our platform. This document is drafted in compliance with Regulation (EU) 2016/679 (GDPR). Contact for privacy issues: hello@net21.app.
2. What net21 Is and How It Works
net21 is an ecommerce identity platform that builds behavioral customer profiles from purchase data originating from the Shopify stores of partner brands. The platform operates as a trusted intermediary between brands (B2B clients) and customers (end users). Brands do not have direct access to customers' personal data. They can define target audiences based on behavioral attributes, and the net21 platform performs the matching and offer delivery, maintaining customer anonymization from brands.
3. What Data We Collect
3.1 Brand Data (B2B Clients)
When a brand registers on the net21 platform, we collect: brand commercial name and company identification information; contact email address; website domain and Shopify store domain; Shopify OAuth access token; billing and payment data processed exclusively through Stripe (net21 never stores bank card data); wallet transaction history; campaign history; reputation score; authentication data managed by Clerk.
3.2 Customer Data
Data Automatically Collected from Shopify Synchronization
When a connected brand synchronizes their Shopify store data, the platform automatically processes: customer email address (used as unique identifier for cross-brand data matching); order history including purchased products, quantities, prices, order dates, payment status. We do not collect card data, complete physical addresses, or phone numbers from Shopify synchronization.
Data Voluntarily Provided by Customer
Customers who create an account on the Customer Portal may voluntarily provide: style preferences (casual, formal, sport, minimalist, etc.); category preferences (fashion, sport, home, beauty, etc.); color preferences; preferred weekly offer limit (1-20, default 5). This data is stored with the self_reported source and automatically receives maximum intensity value (1.0).
Platform-Generated Data
Based on collected data, the platform generates: behavioral attributes with intensity values (e.g., High Spender: 0.87); offer viewing timestamps (seen_at); offer click timestamps (clicked_at); creation date and last activity.
4. How We Use Data
4.1 For Brands
Providing and improving the customer base analysis service
Processing and displaying approved campaigns in Customer Portal
Calculating estimated reach for marketplace audiences
Calculating and updating the reputation score
Processing payments through Stripe and managing the wallet
Transactional communications: account approval confirmation, campaign status, low balance
Fraud and platform abuse prevention
4.2 For Customers
Building and updating the behavioral attributes profile
Matching relevant offers with the customer profile
Delivering offers in the For You section of the Customer Portal
Respecting offer frequency preferences
Ensuring a customer never receives the same offer twice
5. Platform Rules for Customer Protection
No duplicates: A customer never receives the same offer twice
Weekly limit: Default 5 offers per week, configurable between 1 and 20; the platform cannot exceed the customer-set limit
Time-limited: Offers expire after 30 days from campaign approval
Mandatory intermediation: Brands cannot directly contact customers
Prior approval: Any campaign is reviewed and approved by net21 before distribution
Reputation score: Brands with abusive behavior lose access to marketplace campaigns
6. Legal Basis for Processing (GDPR)
Type of Processing | GDPR Legal Basis
Brand data - service contract execution | Art. 6(1)(b) - contract performance
Shopify order data synchronization | Art. 6(1)(f) - legitimate interest (personalization)
Building the attributes profile | Art. 6(1)(f) - legitimate interest (personalization)
Customer-declared preferences | Art. 6(1)(a) - explicit consent
Brand transactional communications | Art. 6(1)(b) - contract performance
Technical data and security logs | Art. 6(1)(f) - legitimate interest (security)
Financial transactions | Art. 6(1)(c) - legal obligation
7. With Whom We Share Data
Provider | Purpose / Data Transferred
Supabase (USA) | Database storage - all platform data
Clerk (USA) | User authentication - sessions, cookies, 2FA
Stripe (USA) | Payment processing - brand billing data, wallet transactions
Resend (USA) | Transactional email - recipient email addresses
Vercel (USA) | Hosting and deployment - technical data, IP addresses
Shopify (Canada) | Order synchronization - brand OAuth token, order data
All listed providers process data in compliance with GDPR through Standard Contractual Clauses (SCC) or European Commission Adequacy Decisions.
8. International Data Transfers
Our main providers (Supabase, Clerk, Stripe, Resend, Vercel) are US-headquartered companies. Data transfers from the EEA are covered by Standard Contractual Clauses (SCC) per Commission Implementing Decision (EU) 2021/914. Shopify is a Canadian company, and Canada benefits from an EU Commission Adequacy Decision.
9. Data Retention
Data Category | Retention Period
Active brand account data | Duration of contract + 3 years after termination
Inactive brand account data | 2 years from last recorded activity
Active customer account data | Until voluntary account deletion
Customer data without account (from sync) | 3 years from date of last synchronized order
Offer history (consumer_offers) | 2 years from campaign expiration
Behavioral attributes (consumer_attributes) | Deleted upon customer account deletion
Financial transactions (wallet) | 10 years - fiscal obligation under Romanian law
Technical data and security logs | 90 days
Emails sent through Resend | 30 days in Resend systems
10. Your Rights (GDPR)
Right of Access (Art. 15 GDPR)
You have the right to know whether we hold data about you, what categories of data we process, for what purposes, with whom we share them, and how long we retain them.
Right to Rectification (Art. 16 GDPR)
If the data we hold about you is incorrect or incomplete, you have the right to request its correction within 30 days.
Right to Erasure (Art. 17 GDPR)
You can request deletion of all your personal data. All behavioral attributes are deleted immediately. The account is deactivated within 24 hours and permanently deleted within 30 days. Brands that benefited from your data are notified retroactively. Financial data is retained per legal fiscal obligations but anonymized.
Right to Data Portability (Art. 20 GDPR)
Upon request, we provide your personal data in a structured, machine-readable format (JSON or CSV).
Right to Restriction of Processing (Art. 18 GDPR)
You can request temporary restriction of processing in certain circumstances, including when you contest the accuracy of data or when processing is unlawful.
Right to Object (Art. 21 GDPR)
You can object to processing based on net21's legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
How to Exercise These Rights
Send an email to hello@net21.app with the subject "GDPR Request" and indicate which right you wish to exercise. We will respond within 30 calendar days.
11. Data Security
Transit encryption: all communications are protected by HTTPS/TLS 1.3
Encryption at rest: data stored encrypted in Supabase infrastructure with AES-256
Secure authentication: managed by Clerk with two-factor authentication (2FA) support
Database-level isolation: Row Level Security (RLS) in PostgreSQL
Payment processing: net21 never stores bank card data; all transactions processed through Stripe, PCI DSS Level 1 certified
Continuous monitoring for anomaly detection and unauthorized access attempts
In case of a security incident, net21 will notify ANSPDCP within 72 hours and inform affected users without undue delay, per Art. 33-34 GDPR.
12. Cookies
net21 uses a minimum number of strictly necessary cookies: Clerk session cookies required for user authentication, and language preference cookies (next-intl). net21 does not use tracking, analytics, or third-party advertising cookies.
13. Changes to This Policy
net21 may update this Privacy Policy. For significant changes, users will be notified by email at least 14 days before the new provisions take effect. The updated version will be published at net21.app/privacy. Continued use of the platform after changes take effect constitutes implicit acceptance.
14. Contact and Supervisory Authority
CANISMAJORIS21 SRL, Tudor Arghezi 15, Brasov, Romania, hello@net21.app, net21.app. Romanian National Supervisory Authority (ANSPDCP): anspdcp.ro, anspdcp@dataprotection.ro. You have the right to lodge a complaint with ANSPDCP or the supervisory authority of your EU member state of residence.