Security & Privacy

How we handle your data, and your customers' data.

It Goes Forward is a GDPR-compliant data processor operating under Dutch law. This page explains exactly what data we collect, who processes it, how it is protected, and what rights apply.

The short version

  • Consumer addresses are never visible to each other: the sender never sees the buyer's address, and the buyer never sees the sender's address.
  • We are a GDPR Article 28 compliant data processor. A signed verwerkersovereenkomst (DPA) is in place with all clients.
  • We use three sub-processors: Google Cloud Platform (storage), Mollie (payments), and Postmark (transactional email). All operate under EU-US Data Privacy Framework or Standard Contractual Clauses.
  • We do not sell, share, or use consumer data for purposes other than operating the Forwarding service for your webshop.

GDPR roles

Your webshop (Data Controller)

Your webshop is the data controller. You determine the purposes and means of processing consumer data. You are responsible for your own return policies, privacy notices to consumers, and the lawful basis for sharing consumer data with us.

It Goes Forward (Data Processor)

It Goes Forward is the data processor. We process consumer data only on your documented instructions, only for the purpose of operating Forwarding, and only for as long as necessary. We do not use consumer data for any other purpose.

A GDPR Article 28 compliant Data Processing Agreement (verwerkersovereenkomst) governs this relationship. The DPA covers: the scope and purpose of processing, sub-processor obligations, data subject rights, breach notification, data return and deletion, and audit rights. Available on request.

What data we process and why

Data | Purpose | Retention
Consumer name and email address | Sending transaction notifications (match made, label issued, refund triggered) via Postmark | Duration of the transaction + 30 days
Consumer postal code (sender) | Matching algorithm: used to find geographically proximate buyers to minimise transport distance | Duration of the listing
Consumer postal code (receiver) | Shipping label generation: passed to the carrier, never shown to the sender | Duration of the shipment
Product details (SKU, name, price) | Creating the listing, matching with buyer orders, generating the discount | Duration of the listing
Return reason | Eligibility check: items with reason 'damaged' are excluded from Forwarding | Not retained after eligibility check
Buyer rating and feedback | Triggering refund, behavioural filtering of bad actors | 12 months
CO₂ savings per transaction | Reporting to retailer, ISO-standard impact calculation | Indefinitely (used for aggregate reporting)

Full addresses (street, house number) are only ever passed to the carrier for label generation. They are never stored by It Goes Forward beyond the shipment lifecycle and are never visible to the other consumer.

Sub-processors

We use three sub-processors. All are contractually bound to GDPR-equivalent data protection standards.

Google Cloud Platform

Infrastructure and data storage. All data is stored in EU regions (europe-west4, Netherlands).

Legal basis: Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework

Mollie

Payment processing for buyer transactions. Mollie is a Dutch payment service provider regulated by De Nederlandsche Bank.

Legal basis: GDPR compliant. Regulated EU financial institution.

Postmark

Transactional email delivery. Used to send match notifications, shipping label emails, and refund confirmations to consumers.

Legal basis: EU-US Data Privacy Framework or Standard Contractual Clauses

We notify clients of any changes to sub-processors at least 30 days in advance, in accordance with our DPA. Clients may object to new sub-processors.

Consumer privacy is built into the product, not added on top.

Addresses are never shared

The sender never sees the buyer's address. The buyer never sees the sender's address. The shipping label is generated by It Goes Forward and passed directly to the carrier; neither party sees the other's location.

Single-item returns only

Forwarding is only available for single-item returns. This is a deliberate privacy and quality decision: it ensures the original packaging is reused and prevents any possibility of mixing up items between consumers.

No consumer accounts required

Consumers do not need to create an account with It Goes Forward. All interactions happen inside your webshop's existing return flow, using your existing consumer authentication.

Technical and organisational security measures

  • All data in transit encrypted via TLS 1.2+
  • All data at rest encrypted (AES-256) on Google Cloud Platform
  • API authentication via API key; keys are scoped per retailer
  • Test and production environments are fully separated
  • No consumer full addresses stored beyond shipment lifecycle
  • Access to production data limited to authorised engineers only
  • Breach notification to clients within 72 hours of discovery, in accordance with GDPR Article 33
  • Data export available to clients on request
  • Data deletion on contract termination, confirmed in writing
  • Audit rights available to clients under the DPA

Consumer rights under GDPR

Consumers whose data we process have the following rights under GDPR: access, rectification, erasure, restriction of processing, portability, and the right to object. As the data controller, your webshop is responsible for receiving and responding to data subject requests from your consumers. We will assist you in responding to requests that require action on our systems within the timeframes required by GDPR.

To submit a data subject request related to It Goes Forward's processing, contact: privacy@itgoesforward.com

Security & privacy FAQ

Do you have a Data Processing Agreement (DPA)?

Yes. A GDPR Article 28 compliant verwerkersovereenkomst is in place with all clients. It covers sub-processor obligations, breach notification, data retention, deletion, and audit rights. Available on request before contract signature; contact us.

Where is consumer data stored?

All data is stored on Google Cloud Platform in EU regions (europe-west4, Netherlands). No consumer data is stored outside the EU.

Can the sender see the buyer's address, or vice versa?

No. This is a core product design decision. Neither party ever sees the other's address. Shipping labels are generated by It Goes Forward and delivered to the sender as a URL; the carrier handles the delivery without exposing the receiver's address.

What happens to consumer data when we end our contract?

On contract termination, we provide a data export and then delete all consumer data from our systems within 30 days. Deletion is confirmed in writing. Aggregate, anonymised reporting data (e.g. total CO₂ saved) may be retained for our own records.

Do you conduct penetration testing or security audits?

Security audits are planned as part of our roadmap, including through the NLnet/Radically Open Security programme. We will publish summaries of audit results on this page when available.

Are you ISO 27001 certified?

Not yet. ISO 27001 certification is on our roadmap. We operate according to the technical and organisational measures described on this page, which are contractually committed to in our DPA.

How do you handle a data breach?

In the event of a personal data breach affecting consumer data we process on your behalf, we will notify you within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Our DPA specifies the notification procedure in detail.

Need documentation for your procurement or legal team?

We can provide: our signed DPA template, a security questionnaire response, our sub-processor list with contractual basis, and our CO₂ calculation methodology documentation. Most procurement questions can be answered without a call; send us your questionnaire and we'll complete it.

Enterprise procurement documentation is packaged and ready.