Effective Date: [DATE]
Last Updated: [DATE]
Version 1.0
Data Controller:
Privateer Trading Co. LLC
[Address — Collin County, Texas, USA]
Email: [PRIVACY EMAIL]
Website: privateertrading.net
EU Representative (Article 27 GDPR):
[EU REPRESENTATIVE NAME AND ADDRESS — PLACEHOLDER]
Email: [EU REPRESENTATIVE EMAIL]
UK Representative (UK GDPR Article 27):
[UK REPRESENTATIVE NAME AND ADDRESS — PLACEHOLDER]
Email: [UK REPRESENTATIVE EMAIL]
Data Protection Officer:
[DPO NAME — PLACEHOLDER]
Email: [DPO EMAIL]
If you have any questions about this Privacy Policy or about how we handle your personal data, please contact us at [PRIVACY EMAIL]. EU and UK residents may also contact our regional representatives directly using the details above.
This Privacy Policy applies to all personal data collected and processed by Privateer Trading Co. LLC (“Privateer,” “we,” “us,” or “our”) through:
This Policy applies to all users of the Platform, including visitors, registered customers, and business customers, regardless of where they are located.
For EU and UK residents, this Policy constitutes the transparency notice required under Articles 13 and 14 of the General Data Protection Regulation (GDPR) and UK GDPR respectively.
We collect personal data in the following categories:
We do not intentionally collect any special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data). Please do not provide us with such information.
Under GDPR, we must have a lawful basis for every processing activity. The tables below set out each activity, the data we use, and the legal basis we rely on.
We process the following data because it is necessary to fulfill your orders and provide the Platform services you have requested:
| Processing Activity | Data Used |
|---|---|
| Creating and managing your account | Identity, Contact, Profile |
| Processing and fulfilling orders | Identity, Contact, Financial, Order |
| Managing the two-stage payment authorization and capture | Financial, Order |
| Processing Crafting Table custom order requests | Identity, Contact, Order, Communications |
| Managing Scout Sourcing Program requests | Identity, Contact, Order, Communications |
| Arranging international shipping via the Iron Tunnel DDP program | Identity, Contact, Order |
| Sending order confirmations and transactional emails | Identity, Contact, Order |
| Providing customer support | Identity, Contact, Communications |

| Processing Activity | Legal Obligation |
|---|---|
| Maintaining transaction and tax records | Tax and accounting law |
| Customs and import documentation for DDP shipments | EU and US customs regulations |
| Responding to data subject rights requests | GDPR Articles 15–22 |
| Fraud prevention and detection | Financial crime regulations |
| Retaining records required by law | Applicable national law |
We rely on legitimate interests for the following activities, having conducted Legitimate Interests Assessments (LIAs) in each case and determined that our interests are not overridden by your rights and freedoms:
| Processing Activity | Data Used | Our Legitimate Interest |
|---|---|---|
| Logging AI Concierge interactions | Communications, Technical | Improving the quality and safety of the AI Concierge; detecting misuse |
| Platform analytics and performance monitoring | Technical | Understanding how the Platform is used to improve it |
| Fraud prevention and security monitoring | Identity, Technical, Financial | Protecting our customers and business from fraud and security threats |
| Maintaining and improving the Platform | Technical | Operating a reliable and high-quality service |
You have the right to object to processing based on legitimate interests at any time. See Section 9.
We rely on your consent for:
| Processing Activity | Data Used | How to Withdraw |
|---|---|---|
| Non-essential cookies and tracking | Technical | Via Cookie Preferences in the site footer at any time |
| Marketing and promotional communications | Identity, Contact, Profile | Via unsubscribe link in any marketing email, or by contacting us |
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Our Platform includes an AI Concierge powered by the Anthropic Claude API. The AI Concierge processes your inputs to generate personalized product recommendations and responses.
Nature of processing: The AI Concierge constitutes automated processing of personal data. It may generate personalized responses based on your inputs within a session. It does not make decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.
What the AI Concierge does not do:
Interaction logging: AI Concierge interactions may be logged for quality assurance and safety purposes, on the basis of our legitimate interests (Section 4.3). Logged interactions are retained for [RETENTION PERIOD — PLACEHOLDER] and are not used for automated profiling.
Third-party processing: AI Concierge queries are processed by Anthropic, Inc. (USA). Please review Section 7 and Section 8 for information about this transfer and Anthropic's data handling practices.
Your right to human review: If you have concerns about any AI Concierge output, you may contact us at [PRIVACY EMAIL] to request human review. We will respond within a reasonable time.
Privateer does not make any decisions about you that are based solely on automated processing and that produce legal or similarly significant effects within the meaning of Article 22 GDPR.
We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and profile data | Duration of account + 2 years after closure | Contractual; legal obligation |
| Order and transaction records | 7 years from transaction date | Tax and accounting law |
| Payment authorization records | 13 months from transaction date | Payment card industry standards |
| Customer communications | 3 years from last contact | Legitimate interests |
| AI Concierge interaction logs | [RETENTION PERIOD — PLACEHOLDER] | Legitimate interests |
| Cookie consent records | 3 years from consent date | GDPR accountability |
| DSR request records | 5 years from request date | Legal compliance |
| Erasure/anonymization logs | 5 years | Legal compliance |
| Marketing consent records | Until consent withdrawn + 3 years | GDPR accountability |
When retention periods expire, personal data is securely deleted or anonymized. Anonymized data (from which you cannot be identified) may be retained indefinitely for business analytics purposes.
We share personal data with the following categories of recipients:
These parties process personal data on our behalf under written Data Processing Agreements and may only use your data as instructed by Privateer:
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. | Authentication, database storage of all customer data | USA | Standard Contractual Clauses |
| Stripe, Inc. | Payment processing and fraud prevention | USA | EU-US Data Privacy Framework; SCCs |
| Cloudflare, Inc. | Content delivery, file storage (R2), platform security | USA (global CDN) | EU-US Data Privacy Framework; SCCs |
| Anthropic, Inc. | AI Concierge query processing | USA | [TRANSFER MECHANISM — CONFIRM WITH ANTHROPIC] |
| Vercel, Inc. | Platform hosting and edge functions | USA (global edge) | Standard Contractual Clauses |
| Postmark (ActiveCampaign) | Transactional email delivery | EU region servers | EU data residency; DPA in place |
| DHL / Logistics Partners | International shipping and customs clearance | Global | Contractual necessity |
We may share data with lawyers, accountants, auditors, and insurers where necessary for our legitimate business operations, subject to professional confidentiality obligations.
We may disclose personal data to law enforcement, regulatory authorities, or courts where required by applicable law, or where necessary to protect the rights, property, or safety of Privateer, our customers, or others.
In the event of a merger, acquisition, or sale of all or substantially all of Privateer's assets, personal data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
We may share your data with third parties where you have given explicit consent.
We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes.
Privateer Trading Co. LLC is based in the United States. When we transfer personal data from the European Economic Area (EEA) or the United Kingdom to the United States or other third countries, we ensure appropriate safeguards are in place as required by GDPR Chapter V and UK GDPR.
The transfer mechanisms we rely on are set out in the processor table in Section 7.1. These include:
For transfers where the mechanism is marked as requiring confirmation (notably Anthropic), we are in the process of completing our due diligence and will update this Policy when confirmed. In the interim, we implement additional contractual protections and limit the personal data included in AI Concierge queries.
You may request a copy of the safeguards applicable to any transfer by contacting us at [PRIVACY EMAIL].
If you are located in the European Economic Area or the United Kingdom, you have the following rights under GDPR and UK GDPR. These rights are not absolute and are subject to certain exemptions under applicable law.
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.
You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.
You have the right to request deletion of your personal data where:
This right does not apply where we are required to retain data by law (e.g., financial records).
You have the right to request that we restrict processing of your data in certain circumstances, including while a dispute about accuracy or legitimate interests is resolved.
Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller.
You have the right to object at any time to processing of your personal data based on legitimate interests (Article 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims.
You have an unconditional right to object to processing of your personal data for direct marketing purposes at any time.
You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. As noted in Section 5.2, Privateer does not currently make such decisions.
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing. See Section 4.4 for how to withdraw.
Online: Submit a Data Subject Request at: privateertrading.net/privacy/data-request
By email: [PRIVACY EMAIL]
We will respond within 30 days of receiving your request. For complex or multiple requests, we may extend this by a further two months and will notify you within the initial 30-day period.
We may need to verify your identity before processing your request. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act (effective July 1, 2024), including the right to:
To exercise these rights, submit a request at: privateertrading.net/privacy/data-request
We will respond within 45 days. We do not sell personal data or process it for targeted advertising.
At Privateer's current scale, we do not meet the thresholds triggering obligations under the California Consumer Privacy Act (CCPA/CPRA). We will update this Policy if our processing activities change such that CCPA applies.
As additional US state privacy laws come into effect, we will assess applicability and update this Policy accordingly. Residents of all US states may contact us at [PRIVACY EMAIL] with privacy-related inquiries.
We use cookies and similar tracking technologies on the Platform. A full description of the cookies we use, their purposes, and retention periods is available in our Cookie Policy.
Strictly Necessary Cookies — These cookies are essential for the Platform to function. They include authentication cookies (Supabase), payment processing cookies (Stripe), and security cookies (Cloudflare). These cookies cannot be disabled.
Functional Cookies — These cookies remember your preferences (such as language, currency selection, and cookie consent choices) to provide a personalized experience. They are activated only with your consent.
Analytics Cookies — These cookies help us understand how visitors interact with the Platform, enabling us to improve our services. They are activated only with your consent.
Marketing Cookies — These cookies track your activity to deliver relevant advertising. We do not currently use marketing cookies. If this changes, we will update this Policy and request fresh consent.
You can manage your cookie preferences at any time by clicking Cookie Preferences in the footer of the Platform. You can accept all, reject all non-essential cookies, or set granular preferences by category.
The Platform is not directed at children under the age of 16 (or such higher age as required by applicable law in the relevant jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at [PRIVACY EMAIL] and we will delete the data promptly.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account with us) or by a prominent notice on the Platform at least 30 days before the changes take effect.
The “Last Updated” date at the top of this Policy reflects the date of the most recent revision. We encourage you to review this Policy periodically.
Your continued use of the Platform after the effective date of any updated Policy constitutes acceptance of the changes. If you do not agree to the updated Policy, you must discontinue use of the Platform and may request deletion of your account.
If you have a concern about how we handle your personal data, we ask that you contact us first at [PRIVACY EMAIL] so that we have the opportunity to address it.
If you are located in the EU and are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of habitual residence, place of work, or place of the alleged breach.
A list of EU supervisory authorities is available at: edpb.europa.eu
If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
EU consumers may also use the European Commission's Online Dispute Resolution platform: ec.europa.eu/consumers/odr
If you are a Texas resident and wish to appeal our response to a privacy rights request, you may submit an appeal by contacting us at [PRIVACY EMAIL] with the subject line “TDPSA Appeal.” We will respond within 60 days. If your appeal is denied, you may contact the Texas Attorney General at texasattorneygeneral.gov.
© 2026 Privateer Trading Co. LLC. All rights reserved.
DRAFT — FOR REVIEW ONLY — NOT FOR PUBLICATION. This document is a first draft and has not been reviewed by outside counsel. Placeholder text indicated by [BRACKETS] must be completed prior to publication. Legal review by qualified EU/UK data protection counsel is recommended before deployment.