Privacy Policy

1. General Provisions

This Privacy Policy defines the procedure for processing and protecting personal data of users of the Catama service (hereinafter — the Service, the Website). Use of the Service constitutes the user’s consent to this Policy.

This Policy applies in conjunction with the Service’s Terms of Use.

Identification of the data controller and contact details for personal data inquiries are provided in Section 2.

2. Information about the Personal Data Controller

The personal data controller is the person who processes personal data within the framework of the Service.

• Controller name: Catama
• Place of business: Georgia
• Legal status: individual
• Contact for personal data inquiries: https://t.me/catamasupport

3. Categories of Data Subjects

The Controller processes personal data of the following categories of data subjects:

• Service Users — individuals who register or log into the Service, create catalogs and manage them (catalog owners).
• Buyers (third parties) — individuals who place orders in catalogs hosted on the Service; their data (name, contact phone number, and other information provided when placing an order) are processed in the interests of the catalog owner and for order fulfillment.
• Representatives of legal entities — where an authorized person acts on behalf of a legal entity (if such functionality is available in the Service).

4. What Data We Collect

• Account data: when logging in via a third-party authorization service, we receive the user ID, email address, and name (as provided by the login service). These data are necessary for account functionality and display in the interface.
• Order data: when placing an order in a catalog, we may store the name, contact phone number, and other information provided by the buyer. These data are available to the catalog owner for order fulfillment.
• Catalog content: catalog names, products, prices, descriptions, images, and catalog settings created by users. Processed to provide the Service functionality.
• Technical data: data automatically transmitted when visiting the Website (IP address, browser type, cookie data, device information) — to ensure Website operation, security, and, subject to your consent, usage analytics.

With regard to buyers’ personal data, the user (catalog owner) acts as an independent personal data controller, and the Service processes such data solely as a technical processor on behalf of the user.

Information about cookies and similar technologies is provided in Section 12.

5. Purposes of Processing

Personal data are processed for the following purposes:

• providing access to the Service and ensuring account functionality;
• creating and managing catalogs, receiving and processing orders;
• communicating with the user when necessary (support, order notifications);
• improving the Website and analyzing its use (subject to your consent for analytics);
• complying with applicable legal requirements.

6. Legal Grounds for Processing

Personal data are processed on the following legal grounds, depending on the purpose:

• Consent of the data subject — for processing not strictly necessary for contract performance or required by law (including analytical cookies, marketing communications, where applicable). Consent may be expressed electronically, including by affirmative actions (e.g., clicking “Accept” regarding cookies, using the Service after reviewing the Policy).
• Performance of a contract — to provide access to the Service, create catalogs, receive and process orders, and communicate within the scope of service provision.
• Legitimate interest of the controller — in cases permitted by law (security, fraud prevention, compliance with applicable requirements).
• Legal obligation — where processing is explicitly required by law (record-keeping, reporting, responding to lawful requests of public authorities).

In certain cases предусмотренных applicable law, processing may be carried out without the data subject’s consent (performance of a contract, compliance with a legal obligation, protection of vital interests, etc.). In such cases, the legal basis is the relevant provision of law.

7. Data Retention Period

Data are retained for the period necessary to achieve the stated purposes or until consent is withdrawn / the account is deleted, unless otherwise required by law. After account deletion, personal data associated with it shall be deleted or anonymized within a reasonable period necessary for processing purposes, except where retention is required by law.

8. Disclosure to Third Parties

We may disclose data to:

• hosting and infrastructure providers necessary for Website operation (under contracts and in compliance with data protection requirements);
• authentication providers — to the extent necessary for authentication;
• analytics providers — only subject to your consent to the relevant cookies (see Section 12).

We do not sell personal data. Disclosure to public authorities occurs only in cases provided by law.

9. Cross-Border Data Transfers

Users’ personal data may be transferred and processed outside their country of residence. Transfers are carried out on the basis of contract performance necessity, the controller’s legitimate interest, and/or the data subject’s consent — depending on applicable law.

• Legal grounds: Data transfers are carried out based on your consent, the necessity of contract performance (provision of access to the Service), and agreements with infrastructure providers ensuring an adequate level of data protection (including Standard Contractual Clauses — SCCs, where applicable).
• Jurisdiction specifics: Users from countries requiring special consent for transfers to countries not ensuring an “adequate level of protection” confirm their consent to such transfers to the above jurisdictions by clicking the registration/login button.

10. Place of Processing and Data Localization

The Controller uses cloud infrastructure to ensure global availability of the Service.

• Transmission security: All data are transmitted via encrypted channels (SSL/TLS), minimizing the risks of unauthorized access during cross-border transfer.

11. Cookies and Consent to Use Cookies

The Service uses cookies and similar technologies. Essential (technical) cookies necessary for account login and language preferences are used based on the necessity of providing the Service and do not require separate consent.

Analytical cookies (used to analyze Website traffic and usage) are applied only after your explicit consent. Consent is requested upon your first visit to the Website (cookie banner). Without your consent, analytical scripts are not loaded and analytical cookies are not set.

You may withdraw your consent to analytical cookies at any time: delete the relevant cookies in your browser settings or clear Website data; upon your next visit, the cookie banner will be shown again, and you may select “Essential only” to disable analytics. A detailed description of the cookies used is provided on the “Privacy and Cookies” page.

12. Your Rights

In accordance with applicable law, you have the right to:

• receive information about the processing of your personal data;
• request rectification, blocking, or deletion of data where there are legal grounds;
• request cessation of personal data processing (where provided by law);
• request restriction of processing (e.g., during verification of lawfulness or in case of dispute);
• withdraw consent to processing based on consent; withdrawal does not affect the lawfulness of processing carried out before withdrawal;
• lodge a complaint with the competent data protection authority in your country.

legalPrivacyPolicy.s12P2

13. Procedure for Handling Data Subject Requests

Requests regarding personal data processing and the exercise of rights are accepted in written form, including via the contact specified in Section 2.

The request should specify: the substance of the request (which right you are exercising) and contact details for response. The Controller may request additional information necessary to identify the applicant.

The Controller shall review the request and respond within no later than 10 (ten) business days from receipt, unless a different period is established by applicable law.

14. Security

We implement organizational and technical measures to protect personal data against unauthorized access, destruction, modification, or blocking.

15. Automated Decision-Making and Profiling

The Service does not use solely automated processing that produces legal effects concerning you or similarly significantly affects you.

16. Processing of Minors’ Data

The Service is not intended for individuals under the age at which applicable law allows independent consent to personal data processing (generally 16 years or age of majority).

17. Changes to the Policy

We may amend this Policy. The current version is published on this page with the update date indicated.

18. Contacts

For questions regarding personal data processing and exercising your rights, please contact the Controller using the contact for personal data inquiries specified in Section 2.