Privacy Policy
Last updated: April 17, 2026
1. Introduction
This Privacy Policy explains how Orbito d.o.o. ("we", "us", "our"), the operator of RideDirect.eu, collects, uses, stores, and protects your personal data when you use our Platform.
We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Slovenian data protection law.
Data Controller:
Orbito d.o.o., Ložnica pri Žalcu 35K, 3310 Žalec, Slovenia
Email: info@ridedirect.eu
2. Who This Policy Applies To
This policy applies to all users of RideDirect.eu — including visitors who browse without an account and registered users who post listings or send messages. The Platform is intended for businesses and professionals; we do not knowingly collect data from individuals under 18.
3. Data We Collect
3.1 Account Data
When you register: full name, email address, country, and password (stored as a secure hash — never in plaintext).
3.2 Listing Data
When you post a listing: title, description, category, condition, year, price, location, and uploaded images.
3.3 Messaging Data
Messages sent through the Platform are stored along with sender/recipient identifiers and timestamps.
3.4 Usage and Technical Data
We automatically collect: IP address, browser type, pages visited, and device type. This is used for security and platform improvement. We do not build behavioral profiles for advertising.
3.5 Contact Form Data
Your name, email address, and message content if you contact us.
4. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Account management | Performance of contract (Art. 6(1)(b)) |
| Displaying listings | Performance of contract (Art. 6(1)(b)) |
| Messaging between users | Performance of contract (Art. 6(1)(b)) |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Analytics & improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing (if opted in) | Consent (Art. 6(1)(a)) |
5. How We Use Your Data
We use collected data to: manage your account, display listings, facilitate buyer-seller communications, send transactional emails, detect and prevent fraud, improve the Platform, respond to support requests, and comply with legal obligations.
We do not sell your personal data to third parties. We do not use your data for automated individual decision-making or profiling that produces legal effects.
6. Third-Party Services and Data Processors
6.1 Supabase
Used for database storage, authentication, and file storage. Data is stored in the EU region (AWS eu-central-1, Frankfurt). Privacy policy →
6.2 Vercel
Used to host and serve the web application. Server request logs (including IP addresses) may be processed. Privacy policy →
6.3 Resend
Used to deliver transactional emails. Your email address and automated email content are processed by Resend. Privacy policy →
6.4 DeepL
Used for optional message translation. Text submitted for translation is processed by DeepL SE (Germany, EU). Privacy policy →
7. Cookies
We use cookies to operate and improve the Platform.
| Cookie | Type | Purpose |
|---|---|---|
| sb-auth-token | Strictly necessary | Authentication session |
| va_* (Vercel Analytics) | Analytics (cookie-free) | Aggregate page view statistics — no personal data collected |
Strictly necessary cookies cannot be disabled. Vercel Analytics does not use cookies or collect personal data — it measures only aggregate page views. We do not use cookies for advertising or cross-site tracking.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until deletion + 30 days for backup purge |
| Listings | Until deleted by you or account termination |
| Messages | 2 years from last message in conversation |
| Server/access logs | 90 days |
| Contact form submissions | 1 year |
| Backup snapshots | Up to 30 days rolling |
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data.
- Restriction (Art. 18): Request that we limit processing in certain circumstances.
- Portability (Art. 20): Request your data in a machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is consent-based, you may withdraw at any time.
To exercise these rights, email info@ridedirect.eu. We will respond within 30 days.
You may also lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec): ip-rs.si · gp.ip@ip-rs.si
10. International Data Transfers
Some processors (Vercel, Resend) are based in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Data Security
We take technical and organizational measures to protect your data, including HTTPS/TLS encryption, hashed password storage, row-level database security, and access controls. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.
12. Children's Data
The Platform is intended for businesses and professionals. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has registered, we will promptly delete their account and data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email or by posting a notice on the Platform. Continued use after the effective date constitutes acknowledgment of the updated policy.