⚠ Starter content — review with a qualified lawyer before going live. The wording below is realistic for a B2B sourcing platform but is not legal advice; your jurisdiction, data flows and partner network may require adjustments.
This Privacy Policy describes how CML Trading Group ("we", "us") collects, uses, stores and protects the personal information you provide through our website and the related Client, Account Manager, Supplier and Warehouse portals. We act as data controller under the EU General Data Protection Regulation (GDPR) 2016/679.
Who we are
CML Trading Group srls — sourcing and trade operator between China and partner markets across the EU, the MEA region and beyond. Our registered address and contact details are shown in the footer of this site and on our Legal Notice page.
What we collect
We collect only the data we need to deliver our services. Specifically:
- Identity & contact — full name, company, email address, phone, country (when you request a quote, register, or contact us).
- Business data — product specifications, quantities, target prices, reference photos / PDFs you attach to quotation requests, order history, invoice records.
- Account data — hashed password, role (client / supplier / manager / warehouse), language preference, and — if you sign in with Google or WeChat — the unique OAuth identifier returned by those providers (we never receive your OAuth password).
- Technical data — IP address, browser / device information, and the time of each session (collected automatically for security and abuse-prevention purposes).
How we use it
Your data is used exclusively to:
- respond to quotation requests and prepare commercial offers;
- process orders, issue invoices, ship goods and handle payments;
- communicate with you about your account (verification, password resets, payment proofs, shipment status);
- comply with our legal obligations (tax, customs, anti-fraud and accounting record-keeping).
We do not sell, rent or share your personal data with third parties for marketing purposes.
Legal basis
We process your personal data on the following legal bases under Article 6 GDPR:
- Contract performance — to issue quotations, fulfil orders and invoice you;
- Legal obligation — to keep accounting and tax records as required by Italian and EU law;
- Legitimate interest — to secure our portals and prevent fraud.
Sharing & processors
We share data only with the third parties strictly required to run our service: our email-sending provider, our hosting partner, shipping carriers (for delivery), and our accountants. Each processor is bound by a written data-processing agreement that limits use of your data to the instructions we give them.
International transfers
Because we trade between China and the EU/MEA, some data (typically order references and shipping addresses) is transferred to our supplier partners in China. We rely on the European Commission's Standard Contractual Clauses for these transfers and only share the minimum necessary for the shipment.
Retention
We keep your account data for as long as your account is active. Commercial records (invoices, orders, related correspondence) are retained for 10 years in line with Italian tax law. Technical session logs are retained for 12 months.
Your rights (GDPR)
You have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of data we no longer need to keep;
- request export of your data in a portable format;
- object to or restrict certain processing;
- lodge a complaint with the Italian data-protection authority (Garante per la protezione dei dati personali).
To exercise any of these rights, email us at the address shown in the footer. We respond within 30 days.
Cookies
We use a single, strictly necessary session cookie to keep you signed in while you use the portal. We do not set tracking, profiling or advertising cookies. No third-party scripts track you on our pages.
Security
Passwords are stored as salted hashes (never in plaintext). Sessions are bound to your IP and auto-close after 30 minutes of inactivity. Uploaded files (proofs of payment, quotation reference photos, etc.) are stored outside the public web root and served only to authenticated users with the right role.
Changes
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change; material changes will be highlighted on the portal at next sign-in.
Contact
Questions about this policy or about how we handle your data? Reach us at the email address shown in the site footer.