Eleplated

Privacy Policy

Last updated: April 11, 2026

This Privacy Policy explains how Eleplated collects, uses, stores, and shares personal data when you use our marketplace platform at eleplated.shop and eleplated.nl. We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR), the Dutch Algemene Verordening Gegevensbescherming (AVG) as implemented by the Uitvoeringswet AVG (UAVG), the ePrivacy Directive 2002/58/EC, and the cookie rules of Telecommunicatiewet artikel 11.7a.

You can update your cookie preferences at any time:

1Data Controller

Eleplated is the data controller responsible for the processing of your personal data on this platform. For all privacy-related enquiries, data subject requests, or complaints, please contact us at hello@eleplated.shop.

2Personal Data We Collect

  • Account & profile — email address, business name, display name, business type, phone number, city, country, postal code, pickup address, profile photo, description.
  • Listings & transactions — items you list for sale, items you request, photos, prices, bids placed or received, completed transactions, reviews.
  • Messages — content of conversations between buyers and sellers on the platform. Contact information (phone, email) inside messages is automatically blocked.
  • Payment data — handled entirely by Stripe (our payment processor). We never see or store your card details. We receive transaction IDs and payout records only.
  • Usage data — pages visited, clicks, referrer, browser type, approximate location (country/city), device type. Only collected if you consent to analytics cookies.
  • Technical data — IP address, user agent, timestamps of requests, error logs. Used for security and debugging.

3How We Use Your Data & Legal Basis

  • Providing the service (contract, Art. 6(1)(b) GDPR): account creation, listing management, matching buyers and sellers, processing transactions, messaging.
  • Transactional emails (contract): account confirmations, new messages, bid notifications, payment confirmations, pickup reminders.
  • Security & fraud prevention (legitimate interest, Art. 6(1)(f) GDPR): error monitoring, abuse detection, rate limiting, authentication.
  • Analytics (consent, Art. 6(1)(a) GDPR): only if you accept analytics cookies. Helps us understand how visitors use the site to improve it.
  • Marketing emails (consent): only if you opt in to our newsletter. You can unsubscribe at any time from every email we send.
  • Legal obligations (Art. 6(1)(c) GDPR): accounting, tax records, compliance with court orders.

4Third-Party Data Processors

Eleplated uses the following sub-processors to deliver the service. Each has a Data Processing Agreement (DPA) in place with us and is bound by GDPR-equivalent standards:

Supabase (Postgres database, authentication, file storage)
Location: EU (Frankfurt). Purpose: stores all user data, listings, messages. Retention: lifetime of account + 30 days after deletion.
Vercel (web hosting)
Location: Global CDN with EU edge. Purpose: serves the website. Retention: request logs kept for 30 days.
Resend (transactional email)
Location: EU. Purpose: sends welcome, bid, message, and payment notification emails. Retention: email delivery logs kept for 30 days.
Google Analytics 4 (optional)
Location: EU servers with data transfers to the US under SCCs (Standard Contractual Clauses). Purpose: website traffic and behaviour analytics. Only active with your explicit consent. Uses Google Consent Mode v2 — anonymised cookieless pings when consent is not given. Retention: 14 months.
PostHog (optional product analytics)
Location: EU (Frankfurt). Purpose: understanding how users interact with the product. Only active with your explicit consent. No session recording. Retention: 12 months.
Sentry (error monitoring)
Location: EU. Purpose: capturing errors and crashes to improve platform stability. Legal basis: legitimate interest. PII (emails, cookies, auth headers, form fields) is automatically scrubbed before events are sent. Retention: 90 days.
Stripe (payment processing, planned)
Location: EU + US under SCCs. Purpose: processing payments and payouts to sellers. Retention: per Stripe's own policy (7 years for financial records).

5Cookies & Tracking Technologies

Under Article 11.7a Telecommunicatiewet and the ePrivacy Directive, we are required to obtain your prior informed consent before placing any cookie that is not strictly necessary for the service. The table below lists every cookie and tracking technology we use, its purpose, category, and retention:

NameCategoryPurposeDurationProvider
sb-*-auth-tokenNecessaryAuthentication session1 hour (refresh)Supabase
langNecessaryLanguage preference (EN/NL)1 yearEleplated
eleplated_consentNecessaryCookie consent record1 yearEleplated
_ga, _ga_*Analytics (consent)Session + visitor identification for Google Analytics14 monthsGoogle LLC (US, SCCs)
ph_*_posthogAnalytics (consent)Product usage analytics12 monthsPostHog (EU)
(none currently)Marketing (consent)Reserved for future advertising campaigns. Currently no marketing cookies are set.

Analytics cookies are only set after you explicitly grant consent. Until then, Google Analytics runs in Consent Mode v2 deniedstate, sending only anonymised aggregate pings without identifiers or cookies. PostHog is initialised in opt-out mode and captures nothing until consent is given.

You can change your cookie preferences at any time: . Your choice is stored for 12 months, after which you will be asked again. Rejecting cookies has no negative impact on your ability to use the site.

5aData Protection Officer (DPO)

Under Article 37 GDPR, appointing a DPO is only mandatory when the core activities involve systematic large-scale monitoring of data subjects or processing of special categories of data. Eleplated does neither, so no formal DPO is appointed. All privacy enquiries are handled directly by the Eleplated team at hello@eleplated.shop. We will respond within the statutory one-month deadline.

6Your Rights

Under GDPR and AVG you have the following rights, which you can exercise by emailing hello@eleplated.shop. We will respond within one month.

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your account and all associated data.
  • Right to restrict processing (Art. 18): temporarily stop certain data uses.
  • Right to data portability (Art. 20): receive your data in a machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to withdraw consent: withdraw consent for cookies, newsletters, or any consent-based processing at any time.
  • Right to lodge a complaint: file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

7Data Retention

  • Account data: kept for the lifetime of your account. Deleted within 30 days after account closure.
  • Completed transactions: retained for 7 years to comply with Dutch tax and accounting law (Boek 2 BW).
  • Messages: deleted when the conversation's related listing is removed, or on account deletion.
  • Analytics data: 14 months (Google Analytics default).
  • Server logs: 30 days.
  • Error monitoring: 90 days.

8Security

We protect your data with industry-standard measures: end-to-end TLS encryption (HTTPS everywhere, HSTS preloaded), encrypted database storage at rest, row-level security policies on every database table, Content Security Policy headers, regular dependency vulnerability scans, automatic error monitoring, and strict access controls on administrative functions. Pickup addresses are only revealed after a transaction is confirmed. Passwords are hashed by Supabase Auth using industry-standard algorithms (bcrypt/argon2).

9International Data Transfers

Primary processing happens within the EU. Some processors (notably Google Analytics and Stripe) may transfer data to the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary safeguards, and adherence to the EU-US Data Privacy Framework where applicable.

10Children

Eleplated is a B2B marketplace for professional hospitality businesses. Our services are not directed at or intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11Changes to This Policy

We may update this policy to reflect changes in our practices or legal obligations. We will notify you of material changes via email or a prominent notice on the site. The "Last updated" date at the top of this page always reflects the current version.

← Back to home