Privacy Policy

Test Environment Only

This is a test environment for development purposes only. It is not an official product or service. The platform is currently in the development and testing phase.

Last updated: January 27, 2026

1. Introduction

Welcome to RideSpot ("we," "our," or "us"). RideSpot is a biking and vintage car event platform that connects enthusiasts. We are committed to protecting your personal information and your right to privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at ridespot.app and related services.

2. Data Controller

The data controller responsible for your personal data is:

RideSpot Team
Company Address - No Company - just a page for testing
Contact Email - info@ridespot.de

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account and Profile Data

  • Identity Data: Username, first name, last name
  • Contact Data: Email address, phone number (with verification status)
  • Address Data: Street address, ZIP code, city, country
  • Location Data: Geographic coordinates (latitude/longitude) derived from your address, used for event discovery
  • Profile Media: Avatar/profile picture URL
  • Account Metadata: Account creation date, user role

3.2 Event Registration Data

  • Driver Information: Name, phone number, verification status
  • Co-Driver Information: Name, phone number (may include data of non-platform users)
  • Registration Details: Event selections, pricing preferences, registration status
  • Vehicle Information: Car descriptions, brand, type, specifications, photos

3.3 Communication Data

  • Messages: Content of messages sent through the platform
  • Attachments: Images and link previews shared in messages
  • Notifications: Notification history and delivery status

3.4 Financial Data

  • Transaction Records: Payment amounts, currency, transaction dates, payment status
  • Payout Records: Organizer payment details (for event organizers)
  • Note: Actual payment card details are processed by Stripe and never stored on our servers

3.5 Technical Data

  • Device Information: Browser name/version, operating system, device type (for push notifications)
  • Push Subscription Data: Notification endpoint URLs, encryption keys
  • IP Address: Temporarily processed for rate limiting and security (maximum 5 minutes, in-memory only)

3.6 Verification Data

  • SMS Verification: Phone numbers, verification attempt counts, OTP codes (stored as SHA-256 hashes only)
  • Invitation Tokens: Stored as SHA-256 hashes for security

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services, including account management, event registration, messaging, and payment processing
  • Legitimate Interest (Art. 6(1)(f)): Security measures (rate limiting, fraud prevention), service improvement, and platform analytics
  • Legal Obligation (Art. 6(1)(c)): Financial record retention (7 years per EU tax regulations)
  • Consent (Art. 6(1)(a)): Marketing communications, optional notifications, and where specifically required

5. How We Use Your Information

  • Provide, maintain, and improve our event platform services
  • Process event registrations and manage participant lists
  • Enable communication between users and event organizers
  • Send transactional notifications (registration confirmations, event updates)
  • Process payments and maintain financial records
  • Verify phone numbers for secure event communication
  • Detect, investigate, and prevent fraudulent or unauthorized activities
  • Comply with legal obligations

6. Data Sharing and Third-Party Processors

We share your data with the following categories of recipients:

6.1 Event Organizers

When you register for an event, your registration data (name, contact information, vehicle details) is shared with the event organizer to facilitate the event.

6.2 Self-Hosted Infrastructure

Our database and authentication services are self-hosted on servers located in the European Union. Your account data, event data, and communications are stored on infrastructure we control, not transferred to third-party cloud providers.

6.3 Third-Party Service Providers

We use the following third-party processors for specific services:

Provider              | Purpose                 | Data Processed       | Location
Stripe                | Payment processing      | Payment information  | EU/US (PCI-DSS compliant)
Twilio                | SMS verification        | Phone numbers        | US (with EU processing)
Resend                | Transactional emails    | Email addresses      | US
Google Safe Browsing  | Link safety validation  | URL hashes only      | US

All third-party processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance.

7. Data Retention

We retain your data for the following periods:

  • Account Data: Until account deletion, then anonymized or deleted
  • Financial Records: 7 years (EU tax regulation requirement)
  • Messages: Until deletion by user, then 30 days for recovery purposes before permanent deletion
  • SMS Verification Data: 30 days
  • Registration Drafts: Until completion or 30 days
  • IP Address (Rate Limiting): Maximum 5 minutes (in-memory only, not persisted)
  • Push Subscriptions: Until you unsubscribe or subscription expires

8. Cookies and Local Storage

We use the following cookies and browser storage:

8.1 Essential Cookies (Strictly Necessary)

  • sb-*-auth-token: Supabase authentication session (HTTP-only, secure). Required for login functionality.
  • NEXT_LOCALE: Language preference cookie. Expires after 1 year.

8.2 Storage Principles

We follow a database-first approach and minimize client-side storage. Any local storage keys use the "ridespot_" prefix namespace. We prefer sessionStorage over localStorage and clear data when no longer needed.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All data encrypted at rest and in transit (TLS 1.3)
  • Access Control: Row Level Security (RLS) policies ensure each user can only access the rows they are authorized to see
  • Authentication Security: HTTP-only cookies, CSRF protection, secure session management
  • Sensitive Data Hashing: OTP codes and invitation tokens stored as SHA-256 hashes
  • Rate Limiting: Protection against brute-force attacks (5 requests/minute on sensitive endpoints)
  • Regular Security Audits: Vulnerability scanning and security reviews
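The hashing, attempt-counting and rate-limiting measures listed above (and in section 3.6) can be read as one verification flow. The following is an added example written for this page, not RideSpot's own code: the 5 requests/minute limit and the 5-minute in-memory IP state are taken from the policy, while the OTP lifetime, the per-code attempt cap, the storage layout and all names are assumptions. Inputs are constructed; no real phone number or IP address is used.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Figures taken from the policy: 5 requests/minute on sensitive endpoints and
# IP state kept in memory for at most 5 minutes. The OTP lifetime, attempt cap,
# table layout and field names below are assumptions for this example.
RATE_LIMIT = 5          # requests per window
RATE_WINDOW = 60        # seconds
IP_STATE_TTL = 300      # seconds before an idle IP's entry is dropped
OTP_TTL = 600           # assumed OTP lifetime in seconds
MAX_OTP_ATTEMPTS = 5    # assumed cap on guesses per issued code


def sha256_hex(secret: str) -> str:
    """Hash a secret so the stored row never holds the plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_invitation_token() -> tuple[str, str]:
    """Return (token to send, hash to store); only the hash is persisted."""
    token = secrets.token_urlsafe(32)
    return token, sha256_hex(token)


@dataclass
class OtpRecord:
    code_hash: str
    expires_at: float
    attempts: int = 0


class OtpStore:
    """In-memory stand-in for a table of hashed OTPs keyed by phone number."""

    def __init__(self, now=time.time):
        self.now = now
        self.records: dict[str, OtpRecord] = {}

    def issue(self, phone: str) -> str:
        # Six digits from a CSPRNG; the caller sends it by SMS and forgets it.
        code = f"{secrets.randbelow(10**6):06d}"
        self.records[phone] = OtpRecord(sha256_hex(code), self.now() + OTP_TTL)
        return code

    def verify(self, phone: str, candidate: str) -> bool:
        rec = self.records.get(phone)
        if rec is None or self.now() > rec.expires_at:
            self.records.pop(phone, None)
            return False
        if rec.attempts >= MAX_OTP_ATTEMPTS:
            return False                       # code is burned; user must re-request
        rec.attempts += 1
        ok = hmac.compare_digest(rec.code_hash, sha256_hex(candidate))  # constant time
        if ok:
            del self.records[phone]            # single use
        return ok


class SlidingWindowLimiter:
    """Per-IP sliding window: at most RATE_LIMIT hits in any RATE_WINDOW seconds."""

    def __init__(self, now=time.time):
        self.now = now
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, ip: str) -> bool:
        t = self.now()
        q = self.hits[ip]
        while q and t - q[0] >= RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return False
        q.append(t)
        return True

    def purge(self) -> int:
        """Forget IPs idle for IP_STATE_TTL seconds; returns how many were dropped."""
        t = self.now()
        stale = [ip for ip, q in self.hits.items() if not q or t - q[-1] >= IP_STATE_TTL]
        for ip in stale:
            del self.hits[ip]
        return len(stale)


def verify_endpoint(limiter, store, ip: str, phone: str, candidate: str) -> str:
    """Order matters: the limiter runs before any database work."""
    if not limiter.allow(ip):
        return "rate_limited"
    return "ok" if store.verify(phone, candidate) else "rejected"


class FakeClock:
    """Controllable clock so the walk-through is deterministic."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def walkthrough() -> dict:
    """Exercise each control in turn with constructed inputs."""
    clock = FakeClock()
    store, limiter = OtpStore(now=clock), SlidingWindowLimiter(now=clock)
    ip, phone = "203.0.113.7", "+4915112345678"
    out = {}
    code = store.issue(phone)
    out["stored_hash_matches"] = store.records[phone].code_hash == sha256_hex(code)
    wrong = "999999" if code != "999999" else "000000"
    out["guesses"] = [verify_endpoint(limiter, store, ip, phone, wrong) for _ in range(5)]
    out["sixth_in_window"] = verify_endpoint(limiter, store, ip, phone, code)
    clock.advance(RATE_WINDOW)
    out["right_code_after_cap"] = verify_endpoint(limiter, store, ip, phone, code)
    code = store.issue(phone)
    out["fresh_code"] = verify_endpoint(limiter, store, ip, phone, code)
    out["replay"] = verify_endpoint(limiter, store, ip, phone, code)
    code = store.issue(phone)
    clock.advance(OTP_TTL + 1)
    out["expired"] = verify_endpoint(limiter, store, ip, phone, code)
    clock.advance(IP_STATE_TTL)
    out["ips_purged"] = limiter.purge()
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walk-through shows why the controls are layered: the stored hash keeps a leaked table from disclosing live codes, but a six-digit code space is small enough to enumerate, so the attempt cap and expiry are what actually stop guessing, while the limiter keeps an attacker from even reaching the database more than five times a minute per IP. For the high-entropy invitation tokens the hash alone is a strong control.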

10. Your Rights Under GDPR

As a data subject in the European Economic Area (EEA), you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data. Available through your account settings or by contacting us.
  • Right to Rectification (Art. 16): Correct inaccurate data via your profile settings or by request.
  • Right to Erasure (Art. 17): Request deletion of your account and associated data. Note: Financial records must be retained for 7 years per legal requirements.
  • Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON export available).
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing.

To exercise these rights, contact us at the address below. We will respond within one month, as required by GDPR Art. 12(3).

11. International Data Transfers

Some of our service providers are located outside the EEA (primarily in the United States). For these transfers, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all processors
  • Verification that processors maintain adequate security measures

12. Children's Privacy

RideSpot is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes (where required)

14. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Germany, this is the relevant State Data Protection Authority (Landesdatenschutzbeauftragter) or the Federal Commissioner for Data Protection (BfDI).

15. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at:

RideSpot Team
Email Address - info@ridespot.de