Informativa sulla privacy

Privacy Policy – GRW Trading Dropshipping Program

Effective Date: 06/10/2025

Last Updated: 06/10/2025

This Privacy Policy applies to the Dropshipping Program offered via the website operated by the private limited liability company GRW Trading FZE, located at Jafza One, 11 Floor, Office No 11455, Jebel Ali Free Zone, Dubai, United Arab Emirates (“GRW Trading”, “we”, “our”, or “us”).

This Policy outlines how personal data of participating Dropshippers and their End Customers is collected, used, shared, and protected in accordance with UAE Federal Decree Law No. 45 of 2021 (the PDPL) and other applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), as specified in the attached Appendices.

By using the GRW Trading Dropshipping Platform, you agree to the terms of this Privacy Policy. We may update this Policy from time to time, and the updated version will be posted on this page with an updated "Last Updated" date.

Contents

• ARTICLE 1 - SCOPE
• PART I: PRIVACY FOR DROPSHIPPERS
  • 1.1. Data collected from Dropshippers
  • 1.2. Purpose of Processing
  • 1.3. Legal Basis for Processing
  • 1.4. Sharing Dropshipper Data and transfers
  • 1.5. Communications Preferences
• PART II – PRIVACY FOR END CUSTOMERS
  • 2.1. Nature of Relationship
  • 2.2. Data Shared with GRW Trading
  • 2.3. Purpose of Processing
  • 2.4. Dropshipper Responsibilities
  • 2.5. Sharing of End Customer Data
• ARTICLE 3 – CONFIDENTIALITY & SECURITY
• ARTICLE 4 – DATA SUBJECT RIGHTS
  • 4.1 For Dropshipper
  • 4.2 For End Customers
• ARTICLE 5 – DATA RETENTION
• ARTICLE 6 – COOKIES & TRACKING TECHNOLOGIES
• ARTICLE 7 - CONTACT US
• Appendices (Jurisdiction-Specific)
  • APPENDIX A – GDPR (EU/EEA and UK)
  • APPENDIX B – CCPA (California, USA)
  • APPENDIX C - PIPEDA (Canada)
  • APPENDIX D – AUSTRALIA PRIVACY ACT 1988 (Australia)
  • APPENDIX E – SWISS FEDERAL ACT ON DATA PROTECTION (FADP)
  • APPENDIX G – JAPAN APPI (Japan)

ARTICLE 1 - SCOPE

This Privacy Policy is divided into two parts:

• Part I: Privacy for Dropshippers
• Part II: Privacy for End Customers (shared by Dropshippers)

We are committed to protecting the privacy and personal data of all stakeholders and primarily comply with the Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data (PDPL) of the UAE. Additional provisions may apply under international privacy laws, as set out in the appendices which forms an integral part of this Policy.

PART I: PRIVACY FOR DROPSHIPPERS

1.1. Data collected from Dropshippers

We collect the following types of personal and business data from you as part of your participation in the GRW Trading Dropshipping Program:

• Company name and registration details
• Company financial details (e.g., VAT number, bank info)
• Business address
• Contact person's name, email address, and phone number
• Platform usage data and interactions
• Communications and correspondence with GRW Trading

1.2. Purpose of Processing

We use this information to:

• Register and authenticate Dropshipper accounts
• Fulfill orders and manage transactions
• Communicate important updates and changes
• Provide after sales services and logistical support
• Send product, service, and policy updates
• Comply with legal and regulatory obligations

1.3. Legal Basis for Processing

We process Dropshipper data:

• To fulfill our contractual obligations with Dropshipper
• To comply with applicable laws and regulations
• Based on our legitimate interest in operating and improving the service
• With consent, where required (e.g., for marketing)

1.4. Sharing Dropshipper Data and transfers

We may share Dropshipper data with:

• Our affiliated entities
• Service providers acting on our behalf (e.g., IT, legal, payment processors, courier companies, etc.)
• Government authorities if legally required
• Third parties involved in the process of verifying Dropshipper
• Third parties involved in order fulfilment and after sales services

Personal data may be transferred and processed outside of the UAE. We ensure all international data transfers occur with appropriate contractual safeguard and in compliance with applicable privacy laws.

1.5. Communications Preferences

You may opt out of receiving non-essential communications (e.g., marketing or product updates) at any time by contacting us via email.

PART II – PRIVACY FOR END CUSTOMERS

2.1. Nature of Relationship

The Dropshipper collects personal data from its end customers and submits it to GRW Trading to fulfill orders. GRW Trading acts as a data processor on behalf of the Dropshipper.

2.2. Data Shared with GRW Trading

For the purpose of fulfilling orders, the Dropshipper shares the following customer data with GRW Trading:

• Full name
• Delivery address
• Phone number
• Email address
• Order details (products ordered)

2.3. Purpose of Processing

GRW Trading uses this data solely to:

• Fulfill the order
• Arrange delivery and logistics via its partners
• Provide after-sales services
• Maintain compliance with applicable laws

GRW Trading does not engage in any direct marketing or contact with the end customer. All communication with the customer is the responsibility of the DROPSHIPPER.

2.4. Dropshipper Responsibilities

As the primary data controller, the Dropshipper is responsible for:

• Providing appropriate privacy notices to their customers
• Obtaining any required consents
• Enabling the exercise of customer rights (e.g., access, deletion)
• Ensuring compliance with applicable data protection laws

GRW Trading disclaims liability for any non-compliance by the Dropshipper with respect to their own data handling practices.

2.5. Sharing of End Customer Data

End customer data may be shared and processed outside of the UAE. Data transfers outside of the UAE will be subject to appropriate safeguards (e.g. standard contractual clauses).

ARTICLE 3 – CONFIDENTIALITY & SECURITY

We apply appropriate technical and organizational measures to protect all personal data we process from loss, unauthorized access, alteration, or disclosure. These include:

• Role-based access control
• Encrypted transmission and storage
• Regular audits and monitoring
• Staff training in data protection and security

In the event of a data breach, we will notify affected Dropshipper or authorities as required under applicable law.

ARTICLE 4 – DATA SUBJECT RIGHTS

4.1 For Dropshipper

You have the right to:

• Access your personal data
• Correct inaccuracies
• Request erasure of your data (subject to contractual/legal limitations)
• Object to processing or request restriction
• Data portability (where applicable)

4.2 For End Customers

Please contact your respective Dropshipper (seller) to exercise your rights. GRW Trading will support the Dropshipper in fulfilling these requests as needed.

ARTICLE 5 – DATA RETENTION

Personal data will be retained only as long as necessary:

• To fulfil contractual obligations;
• For legal and regulatory compliance;
• For legitimate business purposes.

ARTICLE 6 – COOKIES & TRACKING TECHNOLOGIES

We use cookies and similar technologies on our platforms. These may include:

• Essential: Google Tag Manager
• Analytics: Google Analytics, New Relic
• Advertising: Google ADS, DoubleClick, Leadboxer, Impact

You can manage your cookie preferences via browser settings or cookie banners where provided.

ARTICLE 7 - CONTACT US

For questions, complaints, or requests regarding this Privacy Policy, you can contact:

Appendices (Jurisdiction-Specific)

The following appendices supplement this Privacy Policy based on applicable data protection laws:

• APPENDIX A – GDPR (EU/EEA and UK)
• APPENDIX B – CCPA (California, USA)
• APPENDIX C - PIPEDA (Canada)
• APPENDIX D – AUSTRALIA PRIVACY ACT 1988 (Australia)
• APPENDIX E – SWISS FEDERAL ACT ON DATA PROTECTION (FADP)
• APPENDIX F – JAPAN APPI (Japan)

APPENDIX A – GDPR (EU/EEA and UK)

This Appendix supplements and forms an integral part of the GRW Trading Privacy Policy and applies to the processing of personal data concerning individuals located in the European Economic Area (EEA) or the United Kingdom (UK).

1. Data controller and data processor roles. For End Customer personal data, the Dropshipper is the data controller, and GRW Trading acts as the data processor.
2. Lawful basis for processing. Under GDPR, we process the end customer data on the following legal bases: The Dropshipper, as controller, determines the appropriate legal basis (commonly: Article 6(1)(b) – contract, or Article 6(1)(a) – consent)
3. Data transfers. Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, such as:
   • Standard Contractual Clauses (SCCs) approved by the European Commission
   • UK International Data Transfer Agreement (IDTA) where applicable
   • Binding Corporate Rules (BCRs) or other transfer mechanisms
   We ensure that our processors and partners provide adequate protection and commit to GDPR-compliant practices.
4. Data subject rights. Individuals whose data is processed under this Policy have the following rights under GDPR:
   • Right of Access – Know what data we hold about you
   • Right to Rectification – Request correction of inaccurate data
   • Right to Erasure ("Right to be Forgotten") – Request deletion of data
   • Right to Restriction – Request limitation of processing
   • Right to Data Portability – Receive your data in a structured format
   • Right to Object – Object to processing on grounds relating to your particular situation
   • Right to Withdraw Consent – Where processing is based on consent
   • Right to Lodge a Complaint – With your local Data Protection Authority (DPA)
   To exercise any of these rights, please contact your respective Dropshipper. GRW Trading will assist Dropshippers in fulfilling such requests where applicable.
5. Data retention.
   1. End Customer data is retained only as long as required to fulfill delivery, after-sales support, or legal obligations, as instructed by the Dropshipper.
   2. We apply appropriate data minimization and secure disposal practices.
6. Security measures. In line with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
   • Encryption in transit and at rest
   • Access controls and authentication protocols
   • Regular staff training on data protection
   • Incident response procedures

APPENDIX B – CCPA (California, USA)

This Appendix supplements and forms an integral part of the GRW Trading Privacy Policy and applies solely to the personal information of individuals residing in California, in accordance with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).

1. Categories of personal information. In the preceding 12 months, we may have collected the following categories of personal information:

Category	Examples	Collected
A. Identifiers	Name, address, phone number, IP address, email	Yes
B. Customer Records	Billing/shipping info, order details	Yes
C. Commercial Information	Products purchased, service history	Yes
D. Internet Activity	IP address, browsing data (via cookies)	Yes
F. Geolocation Data	Approximate location (from IP)	Yes
G. Professional Information	Company name, job title (Dropshippers only)	Yes
K. Inferences	Preferences (e.g., from browsing)	No

We do not collect sensitive personal information as defined under CCPA Section 1798.140(ae).

2. Sources of personal information. We collect personal information:
   • From Dropshipper about their end customers, for order fulfillment
   • Automatically, via cookies or tracking tools on our platforms
3. Purpose of use. We use personal information to:
   • Operate, support, and fulfill our Dropshipping Program
   • Manage business relationships and transactions
   • Fulfill orders and arrange shipping
   • Provide after-sales services
   • Maintain platform security and performance
   • Comply with legal obligations
4. Disclosure of personal information. In the past 12 months, we may have disclosed personal information to:
   • Logistics and fulfillment providers (for delivery purposes)
   • IT service providers (e.g., cloud hosting, email services)
   • Regulatory authorities (if required by law)
   We do not sell or share personal information with third parties for cross-context behavioral advertising, and have not done so in the past 12 months.
5. Your rights under CCPA. California residents have the following rights under CCPA/CPRA:
   • Right to Know – Request details about the personal information we collect, use, and disclose
   • Right to Delete – Request deletion of personal information we hold about you
   • Right to Correct – Request correction of inaccurate personal information
   • Right to Opt-Out – You have the right to opt out of the sale or sharing of your personal information (not applicable as we do not sell/share data)
   • Right to Limit Use of Sensitive PI – Not applicable (we do not collect sensitive PI)
   • Right to Non-Discrimination – You will not be discriminated against for exercising your rights
6. Submitting a request. You can make a privacy request by contacting the Dropshipper who collected your data. GRW Trading will assist Dropshipper in fulfilling these requests where required.
   We will verify your identity before fulfilling your request. You may also designate an authorized agent to make a request on your behalf.
7. Data retention. We retain personal information only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable law.
8. Do not track. Our websites do not currently respond to “Do Not Track” signals. You can manage cookie preferences via your browser settings.

APPENDIX C - PIPEDA (Canada)

This Appendix supplements and forms an integral part of the GRW Trading Privacy Policy and applies to the collection, use, and disclosure of personal information relating to individuals located in Canada, in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Accountability. GRW Trading is responsible for the personal information it controls and has designated a Privacy Officer to ensure compliance with PIPEDA. For End Customer data provided by DS, GRW Trading acts as the data processor on behalf of the DS.
2. Identifying purposes. Personal information is collected and used for the following purposes:
   • To manage DS accounts and business relationships
   • To fulfill End Customer orders on behalf of DS
   • To provide after-sales service
   • To comply with legal or contractual obligations
   • To detect fraud, ensure security, and improve our services
   • Where applicable, purposes are disclosed at or before the time of collection.
3. Consent. We rely on meaningful consent, either directly or indirectly (through DS), for the collection, use, and disclosure of End-customer’s personal information. It is the DS’s responsibility to obtain valid consent from their Canadian customers to share their data with GRW Trading for fulfillment purposes.
   Consent can be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice.
4. Limiting collection. We collect only End- customer’s personal information necessary for the purposes identified above. This includes: Name, shipping address, phone number, order details.
5. Limiting use, disclosure and retention. Personal information is used or disclosed only for the purposes for which it was collected, unless otherwise permitted or required by law.
   We may share information with fulfillment partners and technology service providers solely for service provision.
   Data is retained only as long as necessary to fulfill identified purposes or comply with legal obligations.
   Secure deletion or anonymization practices are applied when data is no longer needed.
6. Accuracy. We make reasonable efforts to ensure that personal information is accurate, complete, and up to date. DSs are responsible for ensuring the accuracy of the end customer data they provide.
7. Safeguards. We use physical, technical, and administrative measures to safeguard personal information against loss, theft, unauthorized access, disclosure, copying, or modification. These measures are appropriate to the sensitivity of the information involved.
8. Openness. This Privacy Policy and Appendices describe our data practices in a clear and transparent way. Additional details may be requested via the contact details below.
9. Individual access. Canadian individuals have the right to access their personal information and to challenge its accuracy or completeness. You may:
   • Request details about your personal information
   • Request correction of inaccurate data
   End Customers should first contact their respective DS. GRW Trading will support DS in responding to access and correction requests where applicable.
10. Challenging compliance. Questions, concerns, or complaints about our handling of personal information can be directed to contact information provided in the main policy. If your concern is not resolved to your satisfaction, you may contact the Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca/

APPENDIX D – AUSTRALIA PRIVACY ACT 1988 (Australia)

This Appendix supplements and forms an integral part of the GRW Trading Privacy Policy and applies to the collection, use, and disclosure of personal information concerning individuals located in Australia, in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Collection of personal information.

GRW Trading processes personal information of End-customers for the following purposes: To fulfill product orders placed via the DS, provide after-sales support, and manage logistics

We collect personal information directly from the DS in relation to their End Customers. Information collected may include: Full name, shipping address, contact phone number, and order content

2. Use and disclosure of personal information.

End Customer data is processed only to fulfill the order placed through the DS. The DS is responsible for obtaining consent or otherwise complying with the APPs in relation to the customer data they share with GRW Trading.

We may disclose personal information to service providers and partners located outside of Australia, in accordance with APP 8 (Cross-border disclosure), ensuring adequate data protection measures are in place.

3. Cross-border disclosure of personal information.

Personal information may be disclosed to foreign service providers for logistics and support services.

In doing so, GRW Trading will take reasonable steps to ensure that such overseas recipients comply with APPs or are bound by laws or frameworks that offer similar protections (e.g., through contractual terms and organizational controls).

4. Data quality and security.

We take reasonable steps to:

• Ensure the personal information we collect is accurate, complete, and up to date
• Protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure

These include technical controls, access restrictions, and secure data storage practices.

5. Access and correction.

You have the right to access personal information we hold about you and to request correction if it is inaccurate, out of date, or incomplete. As End-customer, we invite you to contact the DS you placed your order with. GRW TRADING will assist the DS in responding to any access or correction requests as required.

6. Marketing and communications.

We do not send marketing communications to End Customers.

7. Complaints.

If you believe we have breached the APPs or mishandled your personal information, you can make a complaint by contacting us. We will investigate your complaint and respond within a reasonable time. If you're not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au/
Phone: 1300 363 992

APPENDIX E – SWISS FEDERAL ACT ON DATA PROTECTION (FADP)

This Appendix supplements and forms an integral part of the GRW Trading Privacy Policy and applies to personal data of individuals located in Switzerland, in accordance with the Federal Act on Data Protection (FADP) and the corresponding Ordinance on the Federal Act on Data Protection (OFADP).

1. Definitions.

• Personal data: Any information relating to an identified or identifiable individual
• Processing: Any operation with personal data, such as collection, storage, use, disclosure, or deletion
• Controller: The entity that determines the purpose and means of the processing of personal data
• Processor: A third party that processes personal data on behalf of the controller

2. Roles and responsibilities.

GRW Trading acts as the processor for End Customer personal data, processing it on behalf of the DS (controller), for the purpose of order fulfillment and related services.

3. Legal basis and purpose of processing.

We process personal data only as necessary to:

• Fulfill our contractual obligations
• Comply with legal obligations
• Carry out legitimate interests (e.g., fraud prevention, service improvement)

We do not process data for profiling or automated decision-making.

4. Cross-border data transfers.

Personal data may be transferred outside of Switzerland. Switzerland does not currently recognize the UAE as offering an adequate level of data protection. Therefore, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)
• Contractual assurances aligned with Swiss data protection requirements
• Technical and organizational security measures

These safeguards are designed to ensure that the data remains protected even when transferred outside of Switzerland.

5. Data subjects rights (Swiss residents).

Swiss individuals have the following rights:

• Right to Information – Obtain confirmation whether your data is processed and receive detailed information
• Right of Access – Receive a copy of your personal data processed by GRW
• Right to Rectification – Request correction of inaccurate or incomplete data
• Right to Erasure – Request deletion of personal data when no longer necessary or if unlawful
• Right to Object – Object to processing on legitimate grounds
• Right to Data Portability – Request a copy of your data in a structured format (where applicable)

End Customers must first exercise their rights through the DS. GRW Trading will assist DS with fulfilling rights requests as necessary.

6. Data security.

GRW Trading applies organizational and technical safeguards to protect personal data against unauthorized access, accidental loss, destruction, or alteration, including:

• Data encryption
• Access controls
• Secure servers and protocols
• Staff training and confidentiality agreements

7. Data retention.

Personal data is retained only for as long as necessary to fulfill the identified processing purposes or comply with legal and contractual obligations. Once no longer required, data is securely deleted or anonymized.

8. Authority.

Swiss residents have the right to contact the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home.html

APPENDIX F – JAPAN APPI (Japan)

This Appendix supplements and forms part of the GRW TRADING Privacy Policy and outlines how GRW TRADING handles personal information in compliance with Japan’s Act on the Protection of Personal Information (APPI), including the amendments effective as of April 2022. It applies specifically to personal data of individuals located in Japan (End-customers).

1. Scope and definitions.

• Personal Information: Any information relating to a living individual that can identify the individual (e.g., name, address, contact details, etc.)
• Retained Personal Data: Personal data that GRW Trading has authority to disclose, correct, or suspend use of

This policy applies where GRW TRADING handles personal data of individuals in Japan, regardless of the country in which GRW TRADING is based.

2. Purpose of use.

End-customer personal information is collected and used for the following purposes: to fulfill orders placed via DS, provide logistics and after-sales services

End Customer data is processed solely on behalf of the DS, who acts as the primary data controller under Japanese law. GRW Trading acts as a data processor/subcontractor and does not engage in direct communication with End Customers.

3. Consent and transparency.

In accordance with APPI, GRW Trading ensures:

• Clear identification of the purpose of use at or before the time of collection
• That DSs obtain appropriate consent from End Customers before sharing their personal data with Trading
• No use of personal data beyond the stated purposes without renewed consent

4. Data sharing and overseas transfers.

Personal data may be transferred outside of Japan. Under APPI, when transferring data outside Japan, GRW Trading ensures:

• Appropriate measures equivalent to APPI standards are taken by overseas recipients
• Standard contractual clauses or similar safeguards are in place
• Data subjects are informed of the countries to which their data is transferred and the security measures used

5. Security control measures.

GRW Trading implements the following to protect personal data:

• Access control and account management for internal personnel
• Encryption of data during storage and transmission
• Training and confidentiality agreements for employees
• Regular audits and system monitoring

6. Data subject rights under APPI.

Individuals in Japan have the following rights:

• Right to Know Purpose of Use – Know why and how their data is used
• Right to Access – Request access to their personal data held by GRW Tradings
• Right to Correction/Addition/Deletion – Request correction or deletion of inaccurate or outdated data
• Right to Suspension of Use – Request stop to the use or provision of data if used outside intended scope or obtained unlawfully
• Right to Disclosure of Data Transfer Information – Request info on overseas transfers

Requests from End Customers should be made to the DS. GRW Trading will assist DSs in responding to such requests within legal timelines.