Privacy policy
This policy explains how P2B Club Sàrl ("P2B", "we") collects and processes your personal data when you use p2b.club. It is compliant with the GDPR (EU), UK GDPR and the Swiss revised Federal Act on Data Protection (nFADP).
1. Controller
P2B Club Sàrl, Rue du Marché 1, 1204 Geneva, Switzerland. UID: CHE-000.000.000. Contact for data matters: hello@p2b.club.
2. Data we collect
When you place an order we collect:
- Your Instagram handle — entered by you. It is encoded into the QR printed on your item.
- Email address — for order confirmation and follow-up.
- Shipping address — name, street, city, postal code, country, optional phone.
- Payment data — handled by Stripe. We never see or store your card numbers.
- Order metadata — product, colour, size, amount, currency, Stripe and Gelato identifiers.
We collect no Instagram data. The handle you provide is treated as a public identifier,
encoded into a redirect URL (p2b.club/q/yourhandle).
3. Purposes and legal bases
- Contract performance (Art. 6(1)(b) GDPR): processing your order, generating the QR, shipping, customer communication.
- Legal obligation (Art. 6(1)(c)): Swiss accounting and tax obligations.
- Legitimate interests (Art. 6(1)(f)): fraud prevention (Stripe essential cookies), site security.
- Consent (Art. 6(1)(a)): future marketing communications (you can opt out at any time).
4. Your Instagram handle
Your Instagram handle is personal data under the GDPR. Here is exactly how we handle it:
- You enter the handle yourself at order time.
- We generate a QR encoding the URL https://p2b.club/q/yourhandle.
- When someone scans the QR, our server redirects them to https://instagram.com/yourhandle.
- We do not read, scrape or store any data from your Instagram profile.
- If you change your handle, contact us — we update the redirect within 24 hours. Your physical QR keeps working.
- If you delete your Instagram account, the QR will land on the standard Instagram "user not found" page. No compromising data is exposed.
5. Processors
We use the following processors to operate the service:
- Stripe Payments Europe Ltd. (Ireland) — payments. Privacy policy.
- Gelato AS (Norway) — print on demand and shipping. Privacy policy.
- Cloudflare, Inc. (USA, EU edge nodes) — hosting, CDN, D1 database, R2 storage. Privacy policy.
6. Transfers outside the EEA
Stripe and Cloudflare may process data in the United States. Both participate in the EU-US Data Privacy Framework and Swiss-US DPF, which provide GDPR-equivalent protection. Gelato uses EU-based production hubs for European orders.
7. Retention
- Order data: 10 years (Swiss accounting requirement, Art. 958f CO).
- QR image in R2: as long as the redirect service is active.
- Account / mailing list: until you unsubscribe.
8. Your rights
You can at any time exercise:
- Right to access your data.
- Right to rectification and update (e.g. change the handle the QR redirects to).
- Right to erasure (subject to legal retention requirements).
- Right to restrict processing and right to object.
- Right to data portability.
- Right to lodge a complaint with a supervisory authority: ICO (UK), CNIL (France), AEPD (Spain), FDPIC (Switzerland).
To exercise these rights, email hello@p2b.club.
9. Cookies and local storage
The site uses essential cookies only — Stripe's fraud-prevention cookies. Your cart contents
are stored via localStorage in your browser, not cookies. No advertising or third-party
tracking cookies are set without your consent.
10. Contact
For any questions about this policy or your data:
P2B Club Sàrl — Rue du Marché 1, 1204 Geneva, Switzerland
hello@p2b.club