Legal
Privacy Policy
Effective date: 25 May 2026 · BRANTELO OÜ · Tallinn, Estonia
1. Who We Are
BRANTELO OÜ (registry code 17282632) is a private limited company incorporated under the laws of Estonia, with its registered address at Tornimäe tn 5, 10145 Tallinn, Republic of Estonia. We operate the global automotive and EV parts marketplace available at brantelo.com (the "Platform").
Brantelo connects three categories of users on a single marketplace: (i) individual and business customers ("Buyers") who purchase parts for personal or fleet use; (ii) verified B2B wholesale buyers ("B2B Buyers") who procure in bulk under commercial terms; and (iii) verified third-party businesses ("Sellers") who list, sell, and ship products through the Platform.
References to "Brantelo", "we", "us", or "our" throughout this Privacy Policy mean BRANTELO OÜ acting as the data controller for personal data processed in connection with the Platform. Where Sellers process data of Buyers in connection with order fulfilment, each Seller acts as an independent data controller for those processing activities.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected and processed by Brantelo when you: visit or browse the Platform; create and use a customer account; register as a B2B wholesale buyer; apply to become a verified Seller; place orders, request quotes, or communicate with us; or interact with any Brantelo service, API, or communication.
This Policy does not apply to websites or services operated by third parties that may be linked from the Platform, nor to the independent data processing activities of individual Sellers beyond what Brantelo instructs. We encourage you to review the privacy policies of any third-party services you use.
3. Data We Collect — Customers (B2C)
When you register for a customer account or interact with the Platform as an individual or retail buyer, we collect the following categories of personal data:
Account & Identity Data: full name, email address, password (stored as a cryptographic hash — never in plain text), phone number, country of residence, and company name (optional). Alternatively, you may register or sign in using a third-party OAuth provider (Google or LinkedIn). In that case, we receive your name, email address, and the provider-assigned account identifier from Google or LinkedIn; we do not receive or store your password for those accounts. OAuth-authenticated accounts are marked as email-verified upon creation.
Transaction Data: details of products browsed, added to cart, or purchased; order identifiers; quantities; delivery addresses; and payment confirmation references (we do not store full card numbers — payment processing is handled by PCI-DSS compliant third-party processors).
Communication Data: messages sent to us via the contact form, chat widget, or email, including the content and timestamp of those communications.
Technical Data: IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, session duration, and click-path data collected via Google Analytics 4 (GA4) with anonymisation enabled.
Cookie Data: session authentication tokens stored in httpOnly cookies (not accessible to JavaScript), and optional analytics cookies subject to your consent preferences managed through our Cookie Banner.
4. Data We Collect — B2B Wholesale Buyers
When you register as a B2B Buyer, we collect all data listed in Section 3 plus the following additional categories required for commercial wholesale relationships:
Company & Compliance Data: registered company name, EU VAT number, country of registration, and business type (e.g. distributor, retailer, fleet operator).
Commercial Profile Data: expected monthly purchase volume, preferred payment terms (e.g. Net-30, Net-60, Prepaid), and order history on the Platform.
Quote Request Data: product identifiers, requested quantities, and the content of custom quote requests submitted through the B2B portal.
Verification Data: any documentation voluntarily provided during the B2B application review process to confirm business legitimacy.
B2B account data is used to administer your wholesale account, apply appropriate pricing tiers, process bulk orders, issue commercial invoices, and maintain records required under applicable accounting and tax law.
5. Data We Collect — Sellers
When you apply to become a verified Seller on the Platform, we collect the following categories of data as part of the onboarding, verification, and ongoing commercial relationship:
Identity & Company Data: company name, contact person's full name, email address, password (hashed), phone number, country of incorporation, and company website.
Verification Documents: company registration certificate, tax identification document, authorised person's government-issued ID or passport, and bank account details for commission disbursement. These documents are stored securely and accessed only by authorised Brantelo compliance staff.
Product Listing Data: product names, SKU codes, categories, pricing (including wholesale tiers), stock status, minimum order quantities, delivery lead times, country of origin, and product images or image URLs.
Order & Fulfilment Data: order identifiers, buyer names, buyer countries, product quantities, unit prices, order status updates, and shipment information.
Payment & Commission Data: gross order amounts, 10% marketplace commission calculations, net payable amounts, payment hold periods (45-day standard settlement), and payout records. Commission is deducted automatically; net amounts are disbursed following the hold period.
Communication Data: messages exchanged with Brantelo's seller support team, including any appeals, document submissions, or compliance correspondence.
6. How We Use Your Personal Data
We process personal data only for specified, explicit, and legitimate purposes. The primary purposes for which we use your data are:
Account Management: creating and maintaining your account, authenticating your identity via secure session tokens, and enabling you to access Platform features appropriate to your account type.
Order Processing & Fulfilment: processing purchase orders, coordinating fulfilment by Sellers, communicating order status, and managing returns or disputes where applicable.
Marketplace Operations: publishing and maintaining Seller product listings, facilitating discovery by Buyers, managing the B2B wholesale catalog with tiered pricing, and operating the quote request system.
Payments & Commission Settlement: calculating and disbursing Seller commissions net of the 10% marketplace fee, maintaining the 45-day payment hold period for dispute protection, and issuing payment records.
Seller Verification & Compliance: reviewing Seller applications, validating submitted business documents, assessing eligibility for Platform participation, and taking enforcement actions (suspension, rejection) where necessary.
Customer Support: responding to enquiries, resolving disputes between Buyers and Sellers, processing complaints, and providing technical assistance.
Legal Compliance: meeting obligations under Estonian, EU, and applicable international law, including accounting and tax record-keeping, responding to lawful government or court orders, and enforcing our Terms of Service.
Platform Improvement & Analytics: understanding how users navigate the Platform using aggregated and anonymised data (Google Analytics 4) to improve user experience, identify technical issues, and develop new features.
Communications: sending transactional emails (order confirmations, verification links, password resets, Seller approval or rejection notices) via our email delivery provider Resend. We do not send unsolicited marketing emails without explicit opt-in consent.
7. Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases under the EU General Data Protection Regulation (GDPR) for our processing activities:
Performance of a Contract (Art. 6(1)(b)): processing necessary to fulfil orders, maintain accounts, and deliver the marketplace services you have requested. This covers most core processing for customers, B2B Buyers, and Sellers.
Legal Obligation (Art. 6(1)(c)): processing required to comply with Estonian accounting law (7-year retention of financial records), tax obligations, anti-fraud measures, and responses to lawful legal processes.
Legitimate Interests (Art. 6(1)(f)): analytics and Platform improvement (balanced against your right to privacy via anonymisation and aggregation); fraud prevention and security monitoring; and enforcement of our marketplace policies. We have conducted legitimate interest assessments and concluded these interests are not overridden by your fundamental rights.
Consent (Art. 6(1)(a)): optional analytics cookies and any future marketing communications, where you have given explicit, freely withdrawable consent via the Cookie Banner or a separate consent mechanism.
8. Sharing of Personal Data
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We share data only in the following circumstances:
With Sellers (for Buyer data): when you place an order, necessary order details (name, delivery country, product and quantity) are shared with the relevant Seller to enable fulfilment. Sellers are contractually prohibited from using this data for any purpose other than fulfilling your order.
With Buyers (for Seller data): Seller company names, countries, and product information are publicly displayed as part of marketplace listings. No financial, document, or contact data is shared with Buyers.
With Service Providers (Data Processors): we engage the following categories of data processors who act only on our documented instructions: (a) Resend — transactional email delivery; (b) Google LLC — analytics (GA4, data anonymised and subject to Google's data processing terms) and OAuth 2.0 authentication (Google Sign-In); when you choose "Continue with Google", Google shares your name, email address, and Google account identifier with us under Google's OAuth API Terms of Service; (c) LinkedIn Corporation — OAuth 2.0 authentication (LinkedIn Sign-In); when you choose "Continue with LinkedIn", LinkedIn shares your name, email address, and LinkedIn account identifier with us under LinkedIn's API Terms of Use; (d) payment processors — for order payment collection (PCI-DSS compliant, card data not retained by Brantelo); (e) cloud infrastructure providers — for secure hosting and storage of Platform data.
With Authorities: where required by law, court order, or regulatory authority, we may disclose personal data. We will notify you of such disclosure unless legally prohibited from doing so.
Business Transfers: in the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected users before data is transferred and becomes subject to a different privacy policy.
9. International Data Transfers
Brantelo is based in Estonia, a Member State of the European Union. The Platform and its data are primarily processed within the European Economic Area (EEA).
Where we engage service providers located outside the EEA (for example, Google LLC in the United States), we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission; or the recipient country's adequacy decision under GDPR Article 45.
You may request details of the specific safeguards applicable to any international transfer by contacting us at the address in Section 16.
10. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law:
Customer & B2B Buyer Accounts: account data is retained for the duration of your active account plus 3 years following account closure or last activity, for the purpose of resolving any post-sale disputes or warranty claims.
Order & Transaction Records: financial and order records are retained for 7 years from the transaction date in compliance with the Estonian Accounting Act (Raamatupidamise seadus).
Seller Records & Verification Documents: Seller account data, product listings, and payout records are retained for 7 years from the date of the last transaction. Verification documents (ID, registration certificates) are deleted 1 year after account closure, unless retention is required by applicable law.
Pre-Contractual Enquiries: contact form submissions and enquiries that do not result in an account or order are retained for 3 years from receipt, after which they are securely deleted.
Analytics Data: aggregated and anonymised usage data processed via Google Analytics 4 is retained per Google's default retention settings (14 months at signal level). No personally identifiable raw analytics data is retained by Brantelo.
Session Cookies: authentication session cookies expire after 30 days of inactivity or upon sign-out, whichever occurs first.
11. Cookies & Tracking Technologies
We use the following categories of cookies and similar technologies on the Platform:
Strictly Necessary Cookies: httpOnly session cookies (customer_session, seller_session, b2b_session) that authenticate your identity and maintain your logged-in state. These cannot be disabled without breaking core Platform functionality. They are not accessible to browser-side JavaScript and expire after 30 days.
Analytics Cookies: Google Analytics 4 cookies (_ga, _gid, _ga_*) used to understand aggregate usage patterns. These are deployed only with your consent, which you can grant or withdraw at any time through the Cookie Banner displayed on your first visit.
No Marketing Cookies: we do not deploy advertising networks, retargeting pixels, social media tracking widgets, or behavioural profiling cookies on the Platform.
You can manage cookie preferences at any time by: clicking "Manage Cookies" in the site footer; adjusting your browser settings to block or delete cookies; or opting out of Google Analytics specifically via tools.google.com/dlpage/gaoptout.
12. Security
We implement appropriate technical and organisational security measures proportionate to the risk, including:
Encryption: all data in transit between your device and our servers is encrypted using TLS 1.2 or higher. Passwords are stored as HMAC-SHA256 hashes with a server-side salt — plain-text passwords are never stored or logged.
Access Controls: personal data and Seller verification documents are accessible only to authorised Brantelo personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
Session Security: authentication cookies are flagged HttpOnly (not accessible to JavaScript), SameSite=Lax (CSRF protection), and expire automatically after 30 days.
Data Minimisation: we collect only the personal data necessary for each specific purpose and do not retain data beyond the periods set out in Section 10.
Incident Response: we maintain a data breach response procedure. In the event of a breach likely to result in a high risk to your rights and freedoms, we will notify you and the Estonian Data Protection Inspectorate within 72 hours of becoming aware, in accordance with GDPR Articles 33 and 34.
No security measure is 100% foolproof. You are responsible for maintaining the confidentiality of your account credentials and for notifying us immediately at sales@brantelo.com if you suspect unauthorised access to your account.
13. Your Rights Under GDPR
As a data subject under the EU General Data Protection Regulation, you have the following rights:
Right of Access (Art. 15): you may request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Art. 17): you may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right is subject to our legal retention obligations (Section 10).
Right to Restriction of Processing (Art. 18): you may request that we restrict processing of your data in certain circumstances, for example while a rectification request is being assessed.
Right to Data Portability (Art. 20): where processing is based on your consent or a contract, you may request your data in a structured, machine-readable format.
Right to Object (Art. 21): you may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Art. 22): we do not make solely automated decisions that produce legal or similarly significant effects. Seller approval decisions involve human review by Brantelo compliance staff.
To exercise any of the above rights, email sales@brantelo.com with the subject line "GDPR Data Request" and include sufficient information to verify your identity. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you).
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the supervisory authority of your EU Member State of habitual residence.
14. Children's Privacy
The Platform is intended for use by individuals aged 18 or over, or businesses operated by adults. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that a child under 16 has provided us with personal data, we will delete that information promptly. If you believe we may have collected data from a child, please contact us immediately at sales@brantelo.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or applicable law. The current version is always available at brantelo.com/privacy.
When we make material changes, we will notify you by: updating the "Effective Date" at the top of this page; displaying a prominent notice on the Platform; and, where required by law or where the changes significantly affect your rights, sending an email notification to the address associated with your account.
Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree with any changes, you should close your account and cease using the Platform.
16. Contact & Data Controller Details
For any questions, requests, or complaints relating to this Privacy Policy or the processing of your personal data, please contact us:
Email: sales@brantelo.com (subject: "Privacy Policy")
Post: BRANTELO OÜ · Tornimäe tn 5, 10145 Tallinn, Estonia
Registry Code: 17282632
We aim to respond to all privacy-related correspondence within 5 business days.