Legal · GDPR

Privacy Policy

Last updated: 1 July 2025

This Privacy Policy explains how CBDITALY (Organic CBD ITALY Kft.) collects, uses and protects personal data submitted through the brand showcase at cbditaly.store. It applies only to this website — the selling stores (cbditaly.ee, cbditaly.lv, etc.) have their own separate privacy policies.

01

Data Controller

The data controller for personal data collected through cbditaly.store is Organic CBD ITALY Kft., trading as CBDITALY (“CBDITALY”, “we”, “us”, “our”).

Registered address: 1068 Budapest, Király utca 80. fszt. 11., Hungary. VAT number: 27323854-2-42.

Contact: biz@cbditaly.store

02

What Data We Collect

cbditaly.store is a read-only brand showcase. The only point where we collect personal data is the Partner / Wholesale enquiry form. When you submit that form, we collect:

  • First name and last name
  • Business email address
  • Business name
  • Date of business registration
  • Business tax number
  • EU VAT number
  • Business address (optional)

We do not collect payment data, browsing history, or device identifiers through this site.

03

Why We Collect Your Data

We process the data you submit for the following purposes:

  • Partner evaluation — to assess your wholesale application and contact you about the outcome.
  • Legitimate business communication — to answer questions and follow up on your enquiry.

Legal basis: Article 6(1)(b) GDPR — processing necessary for taking steps prior to entering into a contract at your request.

04

How Long We Keep Your Data

Partner application records are kept for a maximum of 2 years from the date of submission. If we enter a business relationship with you, your data is retained for the duration of that relationship plus any mandatory legal retention period (typically 8 years for accounting records under Hungarian law). If your application is unsuccessful, we delete or anonymise your data within 12 months.

05

Who We Share Data With

We share your data only with:

  • Supabase Inc. — our database and hosting provider (EU region, GDPR-compliant data processor).
  • Brevo (Sendinblue SAS) — our transactional email provider, used only to deliver the internal notification email. Your data is not used for Brevo marketing.
  • Google reCAPTCHA Enterprise — bot detection on the partner form. Google processes a risk assessment on form submission per Google's Privacy Policy.

We do not sell, rent or trade your personal data to third parties.

06

Your Rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (right to be forgotten).
  • Object to processing or request restriction of processing.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or the supervisory authority in your country of residence.

To exercise any of these rights, email biz@cbditaly.store. We will respond within 30 days.

07

Security

Data is stored in a Supabase Postgres database with row-level security enabled. All data in transit is encrypted via TLS. Access to partner application records is restricted to authorised CBDITALY staff via role-based access control.

08

Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Continued use of cbditaly.store after an updated policy is published constitutes acceptance of the changes.