Privacy Policy
Last updated: February 2025.
We attach great value to privacy and data protection. In this statement you can read which personal data we process, for what purpose and how we protect it.
1. Data Controller
WinkelFactuur is operated by FOR KIVANÇ BİLİŞİM EV DEKORASYON DIŞ TİCARET SAN. TİC. LTD. ŞTİ.
Email: [email protected]
2. What Data We Collect
2.1 Account Data: Name, email address, company details, and login credentials (encrypted).
2.2 Transaction and Invoice Data: Order information from connected platforms, invoice details and payment status.
2.3 Marketplace Data (Amazon, Bol.com, etc.): When you connect your marketplace account, we access order information (order ID, date, amounts), buyer name and shipping address (for invoice generation), and product details (SKU, title, quantity).
2.4 Technical Data: IP addresses, browser information, and audit logs for security purposes.
3. Purpose of Processing
We process personal data for the following purposes:
- **Invoice Generation:** Creating VAT-compliant invoices as required by EU tax regulations (EU VAT Directive 2006/112/EC)
- **Platform Integration:** Uploading invoices back to marketplaces (Amazon, Bol.com)
- **Legal Compliance:** Maintaining fiscal records as required by law
- **Security:** Detecting and preventing unauthorized access
4. Amazon Selling Partner API Data
4.1 Data Collection: We collect order data from Amazon exclusively via the official Selling Partner API (SP-API) for the purpose of generating tax invoices.
4.2 Data Elements Accessed: Buyer name (for invoice addressing), shipping address (for invoice and VAT determination), and order details (items, amounts, dates).
4.3 Data Use Restrictions: Amazon data is used exclusively for generating VAT-compliant invoices, uploading invoice documents back to Amazon, and determining correct VAT rates based on destination country.
Amazon data is never used for marketing or advertising purposes, profiling or customer analytics, or sharing with third parties (except as required for invoice delivery).
4.4 Data Retention: Amazon personally identifiable information (PII) is automatically deleted within 30 days after order shipment, in compliance with Amazon's Data Protection Policy.
4.5 Data Security: All Amazon data is encrypted at rest using AES-256 encryption, transmitted over TLS 1.2+ encrypted connections, stored in EU-based data centers (GDPR compliant), and protected by role-based access controls.
5. Data Retention Periods
We retain data according to the following schedule:
- **Invoices and fiscal data:** 7 years (legal requirement)
- **Amazon buyer PII:** 30 days after shipment
- **Account data:** Duration of account + 30 days
- **Audit logs:** 12 months
- **Technical logs:** 90 days
6. Security Measures
We implement appropriate technical and organizational measures:
- **Encryption:** AES-256 encryption at rest, TLS 1.2+ in transit
- **Access Control:** Role-based access, multi-factor authentication
- **Monitoring:** Real-time security monitoring and audit logging
- **Infrastructure:** Private cloud servers in EU data centers
- **Testing:** Regular vulnerability scans and penetration testing
- **Incident Response:** 24/7 security incident response capability
7. Sub-processors
We use the following sub-processors with appropriate data processing agreements:
- **AWS (Amazon Web Services):** Cloud hosting - EU (Ireland/Frankfurt)
- **Amazon SES:** Transactional emails - EU (Ireland)
8. Your Rights
Under GDPR, you have the right to:
- **Access:** Request a copy of your personal data
- **Rectification:** Correct inaccurate data
- **Erasure:** Delete your data (where legally permitted)
- **Restriction:** Limit how we use your data
- **Portability:** Receive your data in machine-readable format
- **Objection:** Object to certain processing activities
9. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify affected users within 72 hours, report to relevant supervisory authorities as required, and take immediate steps to contain and remediate the breach.
10. Changes to This Policy
We may update this privacy policy periodically. Significant changes will be communicated via email or platform notification.
11. Contact
For privacy inquiries: [email protected] (Response time: Within 1 business day)
For security incidents: [email protected] (Available: 24/7 for urgent matters)