Legal
Privacy
policy
Veplex is operated by Everything s.r.o. and is subject to the EU General Data Protection Regulation. This page explains what personal data we process, why, who sees it, and the rights you have over it.
Effective 2026-05-28 · v1.0
Who we are
Controller
- Veplex is operated by Everything s.r.o., a limited company registered in the Czech Republic. We act as the data controller for the personal data processed in connection with the Veplex service.
- For privacy matters use the contact form on this site. We respond to all subject requests within 30 days.
What we collect
Categories of personal data
- Account data: name, email, phone, jurisdiction. Provided by you when you initiate or complete a trade.
- Identity data: government-issued ID, business registration documents, and liveness check images, processed for KYC and sanctions screening.
- Trade data: items listed or purchased, prices, the marketplaces and currencies involved, shipping addresses, and the full conversation log between counterparties (including its translations).
- Technical data: IP address, device and browser identifiers, session and interaction logs. Collected to operate the service, prevent fraud, and meet regulatory record-keeping obligations.
Why we collect
Lawful bases
- Contract performance: account, identity, and trade data are necessary to deliver the Veplex service you have requested.
- Legal obligation: KYC, AML, sanctions screening, and tax records are processed to comply with EU and national law.
- Legitimate interest: technical and behavioural data is processed to prevent fraud, protect the integrity of the marketplace ecosystem, and improve the service.
Who sees it
Sharing and sub-processors
- Counterparties to a trade see the information they need to complete it: agreed price, item, shipping address, and the translated content of conversations. They never see your KYC documents.
- Sub-processors are used for cloud hosting, payment processing, KYC verification, fraud detection, and translation. The current list is published in our Data Processing Agreement, available on request.
- Regulators, courts, and law enforcement receive data only when we are legally required to provide it, and only the data within the scope of the request.
Where it lives
Residency and transfers
- Personal data is stored within the European Union by default.
- Where a trade involves a counterparty outside the EU, the minimum necessary data may be transferred to that jurisdiction to complete the transaction. Such transfers rely on Standard Contractual Clauses or another lawful transfer mechanism.
How long
Retention
- Account and identity data is kept for the duration of your relationship with Veplex plus the minimum statutory period required by anti-money-laundering law in our jurisdiction.
- Trade and conversation records are kept for a minimum of six years from the closing of the trade, to support tax records, dispute resolution, and regulatory audits.
- Technical logs are retained for up to 12 months.
Your rights
What you can ask for
- Access: a copy of the personal data we hold about you.
- Rectification: correction of inaccurate or incomplete data.
- Erasure: deletion of your data where there is no longer a lawful basis to keep it. Note that anti-money-laundering and tax obligations may require us to retain certain records even after a deletion request.
- Portability: a machine-readable export of the data you have provided to us.
- Objection: to processing based on legitimate interest.
- Complaint: to your national data protection authority. In the Czech Republic this is the Úřad pro ochranu osobních údajů (uoou.cz).
Updates
Changes to this policy
- We may update this policy from time to time. The current version and its effective date are always shown at the top of this page. Material changes are notified to active users by email.
Requests