How Vestiaire Collective and Tradesy will ensure your privacy and handle your personal data during the migration process (should you agree to it)
Tradesy is now part of the Vestiaire Collective group!
You may have noticed that the Tradesy platform (www.tradesy.com and the Tradesy mobile applications) already contains links and features originated from the Vestiaire Collective platform, i.e., the website www.vestiairecollective.com and its mobile application "Vestiaire Collective" available on IOS and Android (together, the "Platform").
As a result, the Tradesy platform will be shut down during 2023, and we are providing Tradesy users with the opportunity to migrate their account to the Platform on a voluntary basis.
Right from the start, we want you to know that no personal data will be moved across from the Tradesy platform to the Vestiaire one unless you expressly consent to it. If you choose not to migrate, your personal data will be deleted when the Tradesy platform is shut down.
Should you accept to migrate your account information from the Tradesy platform to the Platform (“Account Migration”), this will require Tradesy and Vestiaire Collective to process your personal data, within the meaning of the EU General Data Protection Regulation No. 2016/679 of 27 April 2016 ("GDPR") and the California Consumer Privacy Act of 28 June 2018 (“CCPA”).
In accordance with these regulations, should you decide to subscribe to Vestiaire Collective and trigger your Account Migration, we would like to provide you with some information on how we will ensure your privacy and protect your personal data during this process.
In short (even though we still recommend you to carefully read the full notice):
- Your data will be stored in the European Union and no longer in the US
- Our customer care, and more generally, the Vestiaire Collective teams that have access to your data, will also be located in the European Union
- New data processors will have access to your personal data, new data will be collected (for instance in application of European anti-fraud regulations) and different retention periods may apply (see below for more information)
- You will have new rights on your data, as per the GDPR requirements (more on this in Section 1 below)
- In the context of this migration, Tradesy Inc. and Vestiaire Collective will act as joint controllers regarding your personal data (i.e. both companies will determine how and why personal data is processed).
- Sections 5 and 7 below detail what personal data will be migrated and what security measures will apply, we recommend you to read them
- Tradesy Inc. and Vestiaire Collective signed Standard Contractual Clauses (SCCs) to regulate international personal data transfers to make sure such transfers are GDPR compliant. If you want to receive a summarized copy of this intragroup agreement, please reach out to our Privacy team at firstname.lastname@example.org
In any event, should you have any questions regarding your privacy rights, please contact us at email@example.com.
1. What would change in the way your data is processed, in a nutshell
As a result of Tradesy becoming part of Vestiaire Collective, a European-based group, the main changes relate to:
- The storage location of the main database containing your personal data: in the Amazon Web Services’ premises located in Frankfurt, Germany, and the European Union.
- The location of the Vestiaire Collective staff allowed to access your personal data: the U.S., France, and more generally the European Union.
Accordingly, the GDPR now applies to the processing of your personal data by Vestiaire Collective, in addition to any applicable U.S. privacy regulations.
- Personal data that Vestiaire Collective collects and processes include:
- Information relating to the transportation of items: delivery option, address of the shipping point and the delivery point of the package, date and time of delivery, etc.
- Due to specific EU regulations, anti-fraud information may be requested from time to time: photo of the credit card, bank statement listing the most recent charges, etc.
- Data retention periods:
- Data relating to the sending of newsletters and alerts are kept as long as you do not withdraw your consent by unsubscribing, and otherwise for a period of 3 (three) years from the last contact with you.
- Data collected in the context of our legal, fiscal and accounting obligations are kept for the applicable legal, fiscal and accounting retention periods: (i) invoices are kept for 10 (ten) years, (ii) the precious metals police book for 6 (six) years.
In addition to the rights you own under U.S. regulations, the GDPR grants you with the following rights:
- A right of access and rectification allowing you to update your personal data
- A right of deletion of inaccurate, outdated data, or whose processing is prohibited
- A right to object to the processing of your data for legitimate reasons
- A right to object, without any reason, to the use of your data for prospecting purposes
- A right to define directives concerning the fate of your personal data after your death
- The right to lodge a complaint with the European competent supervisory authority (in France: the Commission Nationale de l'Informatique et des Libertés, CNIL).
Should you choose not to migrate your personal data, it will remain on the Tradesy platform until it is shut down. It will then be definitely erased, being noted that you can of course request the erasure of your data at any time beforehand.
2. How does this notice apply?
3. Which company is responsible for ensuring my rights to privacy and data protection?
The GDPR grants you with rights over your personal data and requires the “controller” to protect your data.
If you have agreed to the Migration, subscribed to the Platform and that your Account Migration is achieved, Tradesy, Inc. and its parent company, Vestiaire Collective SA, will both act as joint controllers for all personal data processed through the Platform.
4. Why would we process your personal data, should you accept to migrate?
In addition, should you subscribe to the Platform, we will process your Migrated Personal Data (as listed below) for the purpose of achieving the Account Migration, including:
- The technical transfer of your Migrated Personal Data to the Platform, by creating virtual connections between Tradesy’s and Vestiaire Collective’s data warehouses and keeping them synchronized until the Tradesy data warehouse is shut down and all data is stored and merged within the Platform;
- Conducting an overlap analysis to determine whether you have accounts on both platforms;
- The improvement of our algorithm pricing;
- Ensuring that your shopping experience on the Platform is seamless and uninterrupted;
- Ensuring continuity of your account from Tradesy to the Vestiaire Collective Platform
5. Should you consent to it, what account information will move to the Platform?
If you choose to migrate your data and subscribe to the Platform, the following category of personal data will be shared from the Tradesy platform to Vestiaire Collective and the Platform (“Migrated Personal Data”):
6. How would we justify using your Migrated Personal Data?
If you agree to the migration of your personal data from the Tradesy platform to the Platform, this data will then be processed, as per section 5.
As we want to preserve the quality and integrity of our U.S. users database to pursue our core activity after the Tradesy platform is shut down. We believe that this usage is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed and is compatible with the context in which the personal information was collected.
We thus rely on our “legitimate interest” for using your Migrated Personal Data during the Account Migration.
As described in section 4 above, several Migrated Personal Data are technically required to achieve the Account Migration. Others are optional but still useful to help ensure you have a smooth transition.
Except if you specifically allow us to do so, we will not use those Migrated Personal Data for direct marketing operations.
During the Account Migration, Vestiaire Collective will ensure the confidentiality and integrity of your migrated personal data, as explained in section 6 below.
If you want to restrict the amount of data to be migrated, please reach out to our Privacy team at firstname.lastname@example.org.
7. Security measure against the risks resulting from the migration process
Before and during the Account Migration, Vestiaire Collective endeavors to ensure the confidentiality and integrity of your Migrated Personal Data, by elaborating and implementing the following measures:
- Vestiaire Collective documented the scope of the Account Migration;
- Access to Migrated Personal Data has been restricted to the roles, devices and networks strictly necessary to achieve the Account Migration;
- The bulk of the actual Account Migration is being passed directly from server to server, and is protected by a required token value;
- Of information that is not being passed server to server, some initial Migrated Personal Data (email address, tradesy user id and user first name) is being passed over HTTPS protocols and is encoded in the URL;
- Following the sunset of Tradesy platform, all personal data will be permanently and irretrievably deleted, regardless of your choice regarding the migration (i.e. if you agree to the migration your personal data will be transferred to the Platform, if you do not agree to the migration, when the Tradesy platform is shut down, your personal data will be deleted).
8. International data transfers
To achieve the operations listed in section 3 above, some of your personal data must be shared between Vestiaire Collective SA and Tradesy, Inc. to harmonize privacy practices within the group and ensure an adequate level of protection of your personal data, both companies entered into a set of intragroup agreements containing Standard Contractual Clauses, as issued by the European Commission in its Decision No. 2021/914 of 4 June 2021.
If you want to receive a summarized copy of this intragroup agreement, please reach out to our Privacy team at email@example.com.
You may request information and exercise your privacy rights by contacting our Privacy team at firstname.lastname@example.org.