12return takes data security seriously

General Data Protection Regulation (GDPR) at 12return.



The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. Simply put, EU residents will now have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data. 12Return is well aware of its role in providing the right tools and processes to support its customers and their users to meet their GDPR mandates.


We honor our user's right to data privacy and protection. We will never rely on advertising as a revenue stream. We will never serve ads to our users. This means that we have no necessity to collect and process users' personal information beyond what is required for the functioning of our product.

Where is your data stored?

When you sign up with 12Return for a reverse supply chain solution you can choose where to host your account. You can choose between Europe (The Netherlands) and the United States. Your data is stored in the chosen datacenter location.

What Personal Data lives in 12Return


12Return does hold any of this personal data:

  • Personal master data (name, address)
  • Contact details (telephone number, mobile phone number, email address, fax number, address data)
  • System access / usage / authorization data


12Return does not hold any of this personal data:

  • Personal Data revealing racial or ethnic origin
  • Personal Data revealing political opinions
  • Personal Data revealing religious or philosophical beliefs
  • Personal Data revealing trade union membership
  • Genetic or biometric data
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation
  • Personal Data relating to criminal convictions and offenses

The privacy policy for the 12Return Returns Management System can be found here.

Who is who in GDPR

Entities controlled by you

  • Controller means you who, alone or jointly with others, determines the purposes and means of the processing of Personal Data.<
  • Other Controller means any entity other than you that is Controller of your Personal Data, such as your affiliated companies or Client’s, their customers, or affiliated companies.

Entities controlled by 12Return

  • Processor means 12Return which processes Personal Data on behalf of you as the Controller.
  • Subprocessor means any subcontractor engaged by 12Return for the Processing of Personal Data.
  • Data Exporter means you, located in a Member State (our European datacenter) whose Personal Data is being transferred to a Data Importer.
  • Data Importer means a subcontractor established in a country that is neither a Member State nor considered by the European Commission to have adequate protection.

How does 12Return process Personal Data

To Other Controllers

  • The Personal Data that has been submitted to 12Return is processed in the 12Return Datacenter in The Netherlands.
  • 12Return submits Personal Data with a pre-alert to your affiliated companies who take care of Returns Processing on your behalf. These companies are considered OtherController.

To Subprocessors

  • All Personal Data is processed in the 12Return Datacenter in The Netherlands.
  • Our Subprocessors are transportation services that are either located in a Member State or in a country with adequate protection.
  • 12Return does not submit Personal Data to a Data Importer. Therefore you are not a Data Exporter.

How does 12Return protect Personal Data

Data Center and network

We ensure the confidentiality and integrity of your data with industry best practices. Our servers are hosted at Tier IV, fully ISO 27001, 27017, 27018, 22301, and 31000 compliant facilities. All locations comply with the global regulations governed by the EU-US Privacy Shield, GDPR, and the Cloud Security Alliance. The whole infrastructure is monitored 24/7 for security alerts and events.

Data Storage and Backups

All personal data is encrypted and stored on secured servers within the chosen region. Our backup policies ensure the data is always recoverable while keeping the data secure and private.


Security and privacy concerns are deeply embedded in our Software Development Lifecycle (SDLC), we take steps to securely develop and test against security threats to ensure the safety of our customer data. 


We support managing access with authentication and single-sign-on (SSO) options. All communications with our servers are encrypted using industry-standard HTTPS (TLS1.2+) over public networks, meaning the traffic between you and 12Return is secure. Both the portals and APIs are protected against brute force attacks.

Best Practices

We provide a range of security options to ensure data is protected and secure, like different levels of password security. We provide audit log reports as an option in our Enterprise plan.

Do you still have any questions

12Return Customers

If you have any questions please contact your Customer Success Manager or use our contact form.


You are an end-user if you use the 12return return portal for returning a product to one of our customers. If you have any questions please ask your contact person at the company you return to (12return customer).

12return takes data privacy seriously

Here is the privacy policy for the 12return platform.