Privacy Policy
Last updated: April 2026
1. Who we are
It Goes Forward B.V. is a private limited company incorporated in the Netherlands (KvK registration available on request), with registered offices at Zomerhofstraat 71, Rotterdam. We operate the Forwarding platform, which enables e-commerce webshops to route consumer returns directly to new buyers.
For the purposes of this privacy policy:
- Your webshop (our client) is the data controller. You determine why and how consumer data is processed in your return flow.
- It Goes Forward B.V. is the data processor. We process consumer data on documented instructions from your webshop, only for the purpose of operating Forwarding.
This policy describes how we handle personal data of: (a) consumers using the Forwarding return flow via our clients' webshops, and (b) contacts at webshops and organisations we work with.
2. What data we collect and why
| Data | Who it concerns | Purpose | Retention |
|---|---|---|---|
| Name and email address | Consumers | Sending transaction notifications (match made, label issued, refund triggered) via Postmark | Duration of transaction + 30 days |
| Postal code (sender) | Consumers | Matching algorithm: finding geographically proximate buyers to minimise transport | Duration of listing |
| Postal code (receiver) | Consumers | Shipping label generation, passed to carrier | Duration of shipment |
| Product details (SKU, name, price) | Consumers | Creating listings, matching, discount generation | Duration of listing |
| Return reason | Consumers | Eligibility check, damaged items excluded | Not retained after check |
| Buyer rating and feedback | Consumers | Triggering refund, behavioural filtering | 12 months |
| CO₂ savings per transaction | Consumers | ISO-standard impact reporting to retailer | Indefinitely (anonymised aggregate) |
| Name, email, company | Retailer contacts | Account management, support, invoicing | Duration of contract + 2 years |
| Usage data and API logs | Retailers | Platform operation, debugging, security | 90 days |
We do not collect full street addresses beyond what is strictly necessary for carrier label generation. Full addresses are passed directly to the carrier and are not stored by It Goes Forward beyond the shipment lifecycle. Consumer addresses are never visible to other consumers.
3. Legal basis for processing
We process personal data on the following legal bases under GDPR Article 6:
- Contractual necessity (Article 6(1)(b)): processing necessary to perform the Forwarding service. This covers matching, label generation, notification delivery, and refund triggering.
- Legitimate interests (Article 6(1)(f)): behavioural filtering and fraud prevention to protect consumers and retailers using the platform.
- Legal obligation (Article 6(1)(c)): retention of transaction records as required by Dutch tax law and applicable regulations.
Consumer data is processed on behalf of the retailer (data controller) under a GDPR Article 28 Data Processing Agreement. The retailer is responsible for establishing a lawful basis for sharing consumer data with us.
4. Who we share data with (sub-processors)
We use the following sub-processors. All are bound to GDPR-equivalent data protection standards by contract.
| Sub-processor | Purpose | Location | Legal basis |
|---|---|---|---|
| Google Cloud Platform | Infrastructure and data storage | EU (europe-west4, Netherlands) | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Mollie B.V. | Payment processing | Netherlands (EU regulated) | GDPR-compliant regulated financial institution |
| Postmark (Wildbit LLC) | Transactional email delivery | USA | EU-US Data Privacy Framework or Standard Contractual Clauses |
We notify clients of sub-processor changes at least 30 days in advance. Clients may object to new sub-processors under the terms of the Data Processing Agreement.
5. Data retention
We retain personal data for the minimum period necessary for its purpose. See the table in Section 2 for specific retention periods. On contract termination, we provide a data export and delete all client and consumer data within 30 days. Deletion is confirmed in writing.
Anonymised aggregate data (for example, total CO₂ saved or total Forwards completed) may be retained indefinitely, because it cannot be used to identify individuals.
6. Your rights under GDPR
Under GDPR, you have the following rights regarding your personal data:
- Access: request a copy of personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data where there is no legitimate reason to retain it.
- Restriction: request that we limit processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
To exercise these rights, contact us at privacy@itgoesforward.com. We will respond within one month. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
8. Security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include TLS 1.2+ encryption in transit, AES-256 encryption at rest, API key authentication scoped per retailer, access controls limiting data access to authorised personnel, and breach notification procedures.
See our Security & Privacy page for full details.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to clients by email at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy-related questions or to exercise your rights:
It Goes Forward B.V.
Zomerhofstraat 71, Rotterdam
privacy@itgoesforward.com
+31 10 3072644