Privacy Policy

Last updated: April 2026

This policy explains how Kickstand.ie (“Kickstand”, “we”, “us”) collects, uses, and protects your personal data when you use our motorcycle marketplace at kickstand.ie. We are the “data controller” for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Irish Data Protection Act 2018.

1. Who we are

Controller: Kickstand.ie
Address: 1 Sample St, Dublin 1, D01 ABC1, Ireland
Privacy contact: privacy@kickstand.ie

We have not appointed a statutory Data Protection Officer because our processing does not meet the GDPR Article 37 thresholds. You can still raise any privacy question with the contact above.

2. What personal data we collect

  • Account: email address, password (hashed), chosen display name, county, and (optionally) a phone number you choose to verify by SMS.
  • Listings: photos, description, price, vehicle registration (when you use the reg-lookup feature), make, model, year, mileage, engine size, location.
  • Messages: the content of conversations you have with other users on Kickstand.
  • Reports & moderation: the content of any report you file, plus moderator notes about reports against you.
  • Technical: IP address, user agent, approximate timing of requests — used for security, rate-limiting, and fraud-prevention only.
  • Analytics: aggregated, cookieless page-view metrics via Plausible Analytics (only if you accept the cookie banner's analytics option).
  • Diagnostics: error reports via Sentry, with email and IP redacted before transmission.

We do not collect special-category data (Article 9 GDPR) and we ask you not to post any in your listings or messages.

3. Why we use your data — and the legal basis (Art. 6 GDPR)

  • To run your account & deliver the service — Article 6(1)(b) contract performance.
  • To verify your phone number, prevent abuse, and detect fraud — Article 6(1)(f) legitimate interests (operating a safe marketplace).
  • To respond to reports and enforce these terms — Article 6(1)(c) legal obligation (EU Digital Services Act, Regulation (EU) 2022/2065) plus Article 6(1)(f) legitimate interests.
  • To send service emails (sign-up, password reset, account deletion confirmations) — Article 6(1)(b) contract performance.
  • To run anonymous analytics — Article 6(1)(a) your consent (given via the cookie banner; withdrawable at any time from the footer).

4. Who we share your data with

We do not sell personal data. We share the minimum necessary with infrastructure providers acting as our data processors under written contracts:

  • Supabase, Inc. — database, authentication and file metadata. Hosted in the EU (Frankfurt region).
  • Vercel, Inc. — application hosting and CDN. Edge nodes worldwide; primary processing in the EU (Dublin).
  • Cloudinary, Ltd. — listing image hosting and transformation. EU and US regions.
  • MotorCheck — Irish vehicle registration lookup when you use the reg-lookup feature on the listing form.
  • Twilio, Inc. — SMS delivery for phone verification (only if you choose to verify a phone).
  • Resend, Inc. — transactional email delivery (sign-up, password reset, account-deletion confirmation).
  • Plausible Analytics — privacy-friendly, cookieless page-view analytics. EU-hosted. Only loaded after you accept analytics in the cookie banner.
  • Functional Software, Inc. (Sentry) — error tracking. Email and IP are redacted before events leave your browser.

We may also disclose personal data where required by law (e.g. a valid Garda or court order), to defend legal claims, or to a successor entity if we are sold or merged.

5. International transfers

Where a processor stores or processes data outside the European Economic Area (notably Cloudinary, Sentry and Vercel edge nodes), we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and additional safeguards as required by the Schrems II judgment.

6. How long we keep data

  • Active accounts: for the lifetime of the account.
  • Listings: visible while active; auto-expire after 30 days unless renewed; soft-deleted after a further 90 days.
  • Messages: retained for the lifetime of either participant's account.
  • Reports & moderation logs: kept for 24 months from resolution to satisfy DSA record-keeping obligations.
  • Deleted accounts: personal data is erased within 30 days of your deletion request. Anonymised transactional logs (e.g. “a deleted user filed a report”) may be retained where required by law.
  • Backups: rolling encrypted backups for up to 30 days.

7. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16). Most fields are editable directly in your profile.
  • Erasure — delete your account and all associated personal data using the “Delete account” button on your profile page (Art. 17).
  • Restriction — ask us to stop processing your data while a query is resolved (Art. 18).
  • Portability — receive your data in a machine-readable format (Art. 20). Email privacy@kickstand.ie.
  • Object — object to processing based on legitimate interests (Art. 21).
  • Withdraw consent — withdraw analytics consent at any time via the “Cookie settings” link in the footer.

We aim to respond to all requests within 30 days. There is no charge for a first request.

8. Cookies and local storage

We use the absolute minimum amount of client-side storage needed to operate the service:

  • Supabase auth cookies — strictly necessary to keep you signed in. Set when you log in; cleared when you log out.
  • kickstand.consent.v1 (localStorage) — remembers whether you accepted analytics so we don't re-prompt. Strictly necessary.
  • Plausible Analytics — cookieless; only loads if you accept the cookie banner.
  • Sentry — strictly necessary; events are transmitted with email and IP redacted.

No third-party advertising or tracking cookies are used.

9. Security

We use TLS in transit, encryption at rest, Row Level Security on every database table, rate-limiting on sensitive endpoints, and automated dependency-vulnerability scanning. No system is ever perfectly secure, so we encourage you to use a unique strong password and to report any suspected vulnerability to privacy@kickstand.ie.

10. Complaints

If you believe we have not handled your data correctly, please contact us first at privacy@kickstand.ie. You also have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.

11. Changes to this policy

We will update the “Last updated” date above whenever this policy materially changes. For substantive changes that affect how we use your data we will also notify you by email or via an in-app banner.

Plain-language note: this document is a working draft prepared by the Kickstand team and must be reviewed by a solicitor before being relied on for legal compliance.