Privacy Policy
Last updated: 1 April 2026
Last updated: 1 April 2026 · Version 1.0
1. Who We Are (Data Controller)
[COMPANY NAME] ("we", "us", "our"), registered in Belgium under KBO/BCE number [KBO NUMBER], VAT number [VAT NUMBER], registered office at [STREET, POSTAL CODE, CITY, BELGIUM], is the data controller responsible for personal data collected through the Second Stride platform.
Privacy contact: [EMAIL]
2. Data We Collect
2.1 Account Data
- Full name, username, email address (password is hashed — never stored in plain text)
- Profile photo (optional), phone number (optional), country of residence
- Date of account creation and last activity
2.2 Listing Data
- Listing content: title, description, photos, price, category, condition, size, weight
- Listing history: creation date, edits, status changes
2.3 Transaction Data
- Order details: items purchased, prices, shipping costs, platform fees, payment method type
- Shipping address (buyer), tracking numbers, delivery status
- Stripe payment intent IDs and transfer IDs (we do not store full card numbers — handled by Stripe)
2.4 Communication Data
- Messages exchanged between users via the Platform's messaging system
- Dispute submissions, content reports, admin communications
2.5 Technical Data
- IP address, browser type, device type, operating system
- Last active timestamp, session data
- Cookies and similar technologies (see Section 9)
2.6 Seller Verification Data (DAC7 and KYC)
- Tax identification number (TIN / national register number or company VAT number)
- Bank account details — IBAN (collected and verified via Stripe Connect)
- Business registration number (for business sellers)
- Total gross transaction amounts per calendar year
3. Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) |
| Processing transactions and payments | Contract (Art. 6(1)(b)) |
| Shipping and delivery | Contract (Art. 6(1)(b)) |
| Sending transactional emails | Contract (Art. 6(1)(b)) |
| Fraud prevention and platform security | Legitimate interest (Art. 6(1)(f)) |
| Improving the Platform | Legitimate interest (Art. 6(1)(f)) |
| Dispute resolution | Legitimate interest / Contract (Art. 6(1)(b)(f)) |
| DAC7 tax reporting obligations | Legal obligation (Art. 6(1)(c)) |
| Belgian accounting and invoicing obligations | Legal obligation (Art. 6(1)(c)) |
| Newsletters and marketing | Consent (Art. 6(1)(a)) |
4. How We Use Your Data
- Create and manage your account and profile;
- Enable listing, buying and selling of items;
- Process payments and release payouts to Sellers;
- Arrange shipping and track deliveries;
- Send transactional emails (order confirmations, shipping updates, dispute notifications);
- Send newsletters and platform updates (where you have opted in and can opt out at any time);
- Detect and prevent fraud, abuse and policy violations;
- Resolve disputes between Buyers and Sellers;
- Comply with legal obligations including DAC7 reporting and Belgian accounting law (7-year retention);
- Improve and develop the Platform.
5. Data Sharing and Third Parties
| Recipient | Purpose | Location |
|---|---|---|
| Stripe (Stripe Payments Europe, Ltd.) | Payment processing, Seller KYC/identity verification | Ireland (EU) |
| Clerk, Inc. | Authentication and session management | USA (SCCs) |
| Sendcloud | Shipping label generation, carrier routing, parcel tracking | Netherlands (EU) |
| Resend | Transactional and newsletter email delivery | USA (SCCs) |
| Cloudflare R2 | Image and file storage | EU region |
| Neon | PostgreSQL database hosting | Germany (EU) |
| Fly.io | Application hosting and infrastructure | France (EU) |
| SPF Finances / FOD Financiën | DAC7 annual tax reporting (qualifying Sellers only) | Belgium |
| Shipping carriers (DPD, bpost, GLS, etc.) | Parcel delivery (name, address, parcel details shared with carrier) | EU |
We do not sell your personal data. We do not share data with third parties for their own marketing purposes.
6. International Data Transfers
Some service providers (Clerk, Resend) are located in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until deletion + 1 year |
| Transaction and invoice data | 7 years (Belgian Accounting Law obligation) |
| Messages | Until deleted by both parties, or 2 years after last activity |
| Dispute records | 5 years after resolution |
| DAC7 Seller reporting data | 10 years (legal reporting obligation) |
| Technical/log data | 90 days |
| Newsletter consent records | Until consent withdrawn + 3 years |
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your data, subject to legal retention obligations (e.g. transaction data must be kept 7 years).
- Portability (Art. 20): Request your data in a structured, machine-readable format.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. newsletter), withdraw at any time without affecting prior lawful processing. Use the unsubscribe link in any newsletter email or update your preferences in account settings.
To exercise any right, contact us at [EMAIL]. We will respond within 30 days and may request proof of identity.
If dissatisfied with our response, you have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit — APD/GBA):
Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels · Tel: +32 2 274 48 00 · www.dataprotectionauthority.be
9. Cookies
9.1 We use cookies and similar technologies to operate the Platform and improve your experience.
Strictly necessary cookies (no consent required): authentication sessions, security tokens, shopping cart state. These cannot be disabled as the Platform cannot function without them.
Functional cookies: Remember your preferences (e.g. language, display settings).
Analytics cookies (require consent): Used to understand how users interact with the Platform. We will request your consent before placing these.
9.2 You can manage or disable cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Platform.
10. Children
The Platform is not directed at persons under 18. We do not knowingly collect personal data from minors. If you become aware that a minor has registered, please contact us at [EMAIL] so we can delete the account promptly.
11. Security
We implement appropriate technical and organisational security measures including: encrypted connections (HTTPS/TLS 1.3), hashed passwords (never stored in plain text), strict access controls, regular security reviews, and data minimisation practices. In the event of a data breach posing a risk to your rights and freedoms, we will notify you and the Belgian DPA as required by GDPR Article 33.
12. Automated Decision-Making
We do not make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you, within the meaning of GDPR Article 22.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated by email or in-app notification. The "Last updated" date at the top reflects the most recent revision.
14. Contact
[COMPANY NAME]
[STREET, POSTAL CODE, CITY, BELGIUM]
Email: [EMAIL]
KBO: [KBO NUMBER] · VAT: [VAT NUMBER]
This Privacy Policy is compliant with EU Regulation 2016/679 (GDPR), the Belgian Act of 30 July 2018 on the protection of personal data, and EU Directive 2021/514 (DAC7).