Skip to main content

Privacy Policy

Policy version 2026-04-27 · Effective 2026-04-27

1. Data Controller

The data controller and legal supplier of all products sold via YiwuPortal is YIWU ARIVON TRADE CO., LTD, our consolidated trade entity registered in Yiwu, Zhejiang, China. This entity operates as "data controller" under GDPR Art 4(7) and the equivalent role under Turkish KVKK and Chinese PIPL.

Data Protection Officer (DPO): dpo@yiwuportal.com

2. Personal Data We Collect

Account data: name, email, phone, company details, tax ID, payment methods.

Transactional data: order history, RFQ records, proforma + invoices, shipping addresses, payment receipts.

Communication data: WhatsApp messages, email correspondence, voice call records (with transcription on request).

Usage data: session logs, IP address, browser + device info, pages visited.

Preference data: language, currency, notification preferences, consent records.

3. Processing Purposes & Legal Bases

Performance of contract (GDPR Art 6/1-b): account management, order processing, payment, shipping, customer service.

Legal obligation (GDPR Art 6/1-c): 10-year invoice retention under tax + commercial laws.

Explicit consent (GDPR Art 6/1-a): WhatsApp / email marketing, non-essential cookies, voice recording + transcription for AI training.

Legitimate interest (GDPR Art 6/1-f): platform security, fraud prevention, service improvement, AI customer service automation.

4. Data Retention

While the account is active + 12 months after closure (to respond to legal requests).

Order, invoice, payment records: 10 years (tax + commercial law obligation).

WhatsApp + voice records: 24 months (then automatic anonymization).

Cookies: session cookies expire on browser close; persistent cookies live a maximum of 12 months.

Marketing consent: 36 months unless renewed.

5. Recipients of Your Data

Cloud infrastructure providers (AWS, Cloudflare) — bound by Data Processing Agreements (DPAs).

Payment processors (Stripe, Iyzico, bank transfer providers).

Communications: SMTP provider (email), Evolution API (WhatsApp), Vapi (voice calls).

AI providers: Anthropic (Claude), OpenAI — calls flagged sensitive=true follow zero-training policies.

Logistics + customs partners: only the minimum data required for shipment.

Legal authorities: when required by court order or statutory obligation.

6. International Transfers

AWS regions may include EU and US. EU → US transfers rely on Standard Contractual Clauses (SCCs) plus supplementary measures.

Our China operations (Yiwu office) hold Chinese-region data only; EU/Turkey data does not flow into Chinese infrastructure.

Per GDPR Art 44-49, transfers to countries without adequacy decisions require explicit consent.

7. Automated Decisions + AI

YiwuPortal uses an AI sales assistant (Anthropic Claude) to answer customer queries. The assistant provides product, pricing, and shipping information automatically.

AI-generated outputs (e.g. quote drafts, MOQ suggestions) do not produce legal effects. All binding offers are reviewed by our team.

We do NOT perform "solely automated decision-making" within the meaning of GDPR Art 22; human oversight is always present, and customers can request a human agent at any time.

8. Cookies

Strictly necessary: session, language preference, cart — no consent required.

Analytics: visit statistics, page performance — explicit consent.

Marketing: ad tracking, retargeting — explicit consent.

Update preferences any time at /[locale]/cookie-preferences.

9. Security

TLS 1.2+ encrypted transport, bcrypt password hashing, JWT-based session management.

Role-based DB access; every operation written to audit_logs.

Regular penetration testing + OWASP Top 10 controls. Security report: security@yiwuportal.com

Your rights (GDPR Art 15-22 / KVKK Art 11): access, rectification, erasure, portability, objection, exclusion from automated decisions. Submit via /unsubscribe or /[locale]/gdpr-request — we respond within 30 days.

Questions: dpo@yiwuportal.com. Data breach notifications will be sent within 72 hours per GDPR Art 33.