Legal & Compliance
Required legal pages, GDPR compliance and company registration
Launch blocker
Legal pages are an EU requirement and OAuth providers ask for the privacy URL — tracked in the launch checklist. Company registration is a hard prerequisite before going live with payments.
Required pages
Terms of Service (CGU)
Platform role (intermediary, not seller) · user obligations (accurate listings, no counterfeits) · transaction rules (escrow, delivery, dispute timeline) · commission disclosure · account termination conditions · liability limitations · governing law (French law if FR-based).
Privacy Policy (Politique de confidentialité)
Data collected (email, name, location, payment info via Stripe) · purpose of processing · third-party sharing (Stripe, Sentry, analytics) · retention periods · user rights (access, rectification, deletion — GDPR Art. 15-22) · cookie policy · DPO contact.
Cookie consent
GDPR-compliant banner — active consent required for non-essential cookies, not just a notice. Categories: Essential (auth, session) / Analytics / Marketing. Save the choice, allow withdrawal.
Legal mentions (Mentions Légales — required by French law)
Company/individual name and address · hosting provider info · publication director · SIRET/SIREN if applicable.
Selling conditions (CGV — if the platform takes commission)
Commission rate and calculation · payment terms · refund policy · delivery responsibilities · dispute resolution process.
GDPR compliance
- Right to access: user can download their data (JSON export of deals, messages, profile)
- Right to deletion: account + data deletion flow (30-day grace period)
- Consent tracking: record when/how consent was given
- Cookie consent manager (e.g. Tarteaucitron.js or custom)
- Privacy-by-design: minimize data collection
Decision: company registration required before launch
Hard prerequisite before going live with payments:
- Register company (SAS or SASU recommended for marketplace platforms in France)
- Obtain SIRET/SIREN
- Register as marketplace intermediary (article L. 111-7 Code de la consommation)
- Open business bank account (needed for the Stripe Connect platform account)
- Consult an e-commerce lawyer for legal text review
- PCI DSS: handled by Stripe (never store card data on our side)
Tasks
- /legal/terms, /legal/privacy, /legal/cookies, /legal/mentions pages + footer links
- Cookie consent banner component; consent storage (localStorage + DB record)
- User data export endpoint (GDPR); account deletion flow
- Legal review by a professional (external)