-599x580.png "NTW")
Privacy Policy
1. Scope of Policy Application
This policy is formulated in accordance with the EU General Data Protection Regulation (GDPR) and applies to all activities involving the collection, storage, use, transfer, and protection of personal data in connection with our company's tableware sales and after-sales services with EU residents (data subjects). Regardless of where the data is stored, all personal data processed regarding EU residents is subject to this policy and the GDPR.
2. Definition and Scope of Collection of Personal Data
(I) Definition of Personal Data
According to Article 4 of the GDPR, personal data means "any information relating to an identified or identifiable natural person," including directly identifying information (such as name, ID number) and indirectly identifying information (such as IP address, email address, device identifier, etc.). (II) Specific Data Types Collected
Business Interaction Data: Name, contact information (phone number, email address), shipping address, company name (for corporate customers), and other information provided by customers when inquiring about tableware products (such as ceramic tableware and stainless steel cookware) or placing orders;
Transaction Data: Payment records, invoice information, order number, product model and quantity, logistics tracking information, etc.;
Technical Interaction Data: IP address, browser type, access time, page views, etc. generated when visiting the official website (nexustradeworld.com);
Special Scenario Data: Guardian information may be collected when purchasing tableware for children (under 16 years old) (must comply with specific age requirements in EU member states, such as 15 years old in France and 13 years old in the UK).
(III) Collection Methods
Actively Provided by the Data Subject: Voluntarily provided through official website forms, email communications, order submission, etc.;
Generated During the Business Process: Automatically generated during order processing, logistics coordination, after-sales service, etc.;
Accessed Through Technical Tools: Access data obtained through website analytics tools (with prior explicit consent). 3. Lawful Basis and Purpose of Data Processing
(I) Principles of Lawful Processing
The Company strictly adheres to the processing principles set forth in the GDPR: lawfulness, fairness, transparency; specific purpose; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
(II) Processing Purposes and Corresponding Lawful Basis
For the processing purpose of "processing meal kit orders, delivering products, and providing invoices," the lawful basis is "necessary for the performance of the contract with the data subject."
For the processing purpose of "providing after-sales service and handling complaints and inquiries," the lawful basis is "protecting the legitimate rights and interests of the data subject."
For the processing purpose of "sending product updates and promotional information (optional)," the lawful basis is "obtaining the explicit consent of the data subject."
For the processing purpose of "ensuring the normal operation of the website and optimizing the user experience," the lawful basis is "the Company's legitimate business interests."
For the processing purpose of "complying with statutory regulatory requirements, such as tax and customs regulations," the lawful basis is "fulfilling legal obligations." 4. Data Use and Sharing Restrictions
(I) Use Restrictions
Personal data will only be used within the scope of the purposes stated above. If processing beyond the original purpose is necessary, consent will be obtained from the data subject or other legitimate reasons will be met as required by the GDPR. Unauthorized user profiling using data mining or other techniques will not be conducted.
(II) Sharing Rules
Necessary Sharing Scenario: Data will only be shared with third parties for order fulfillment (e.g., sharing delivery addresses with logistics providers) and compliance filings (e.g., providing necessary data to regulatory authorities).
Third-Party Constraints: When collaborating with third parties, such as suppliers and logistics providers, contracts containing data protection clauses will be signed, requiring them to comply with GDPR standards, and only necessary processing permissions will be granted.
Prohibited Practices: Personal data will not be sold or leased to unrelated third parties. 5. Data Storage and Cross-Border Transfer
(I) Storage Period
In accordance with the "Storage Limitation Principle," data will be stored for the period necessary to achieve the processing purpose:
Order-related data: Retained for 7 years after transaction completion (to comply with tax filing requirements);
Consultation and after-sales data: Retained for 2 years after issue resolution;
Consent-related data: Retained until the data subject withdraws consent.
After this period, data will be anonymized or permanently deleted.
(II) Cross-Border Transfer Rules
If EU residents' data is transferred outside the EU (e.g., our company's servers are not located in the EU), the following safeguards will be implemented:
Transfers will only be made to countries or regions designated as "adequate protection" by the EU;
For regions without adequate protection, security measures will be provided through the signing of Standard Data Processing Clauses (SDPRs) and the use of encrypted transmission technology. 6. Core Rights of Data Subjects
Under the GDPR, EU residents as data subjects have the following rights. The Company will respond to reasonable requests within one month (up to two months in complex cases):
Right of Access: The right to inquire about whether their personal data is processed, the purpose of the processing, and how it has been shared;
Right of Correction: The right to request rectification if the data is inaccurate or incomplete;
Right to Erasure (Right to Be Forgotten): The right to request erasure if:
The data is no longer necessary for the purposes of the processing;
Withdrawal of consent and there is no other basis for processing;
Objection to data processing and there is no overriding legitimate interest;
The data processing is unlawful;
To comply with child protection obligations;
Right to Restriction of Processing: The right to request restriction of processing if you object to the accuracy of the data or the processing is unlawful but you do not wish to have it deleted;
Right to Data Portability: The right to request access to the personal data you have provided in a structured, commonly used format;
Right to Object: The right to object to processing based on legitimate business interests. To exercise your rights: Send an email to [email protected], specifying "Data Subject Rights Request" and your specific request. We may request authentication information (such as order number or registered email address) for security purposes.
7. Data Security Measures
Technical Protection: Data is stored using AES-256 encryption technology, and firewalls, intrusion detection, and other protection measures are implemented on our official website and backend systems.
Internal Management: Employees accessing data will receive GDPR compliance training, a least privilege access policy will be implemented, and regular security audits will be conducted.
Breach Response: In the event of a high-risk data breach, we will notify the EU Data Protection Authorities (DPAs) and affected data subjects within 72 hours of discovery, and provide a description of the breach's cause, impact, and remediation measures.
Risk Assessment: For high-risk processing activities, we will conduct a Data Protection Impact Assessment (DPIA) in advance. 8. Child Data Protection
For tableware purchases for children under 16 (e.g., orders for schools or children's institutions):
We must obtain explicit consent from their parents or legal guardians, and verify their identity through secure means (e.g., multi-factor authentication);
We must provide child-friendly, concise information about data processing rules;
Once a child reaches adulthood or upon the guardian's request, non-essential data from their childhood may be deleted.
10. Policy Updates
Our company will update this policy based on GDPR revisions and business changes. We will notify data subjects of these updates through official website announcements, email notifications, and other means.