Privacy Policy
March 14, 2026
1. Data controller
Trueku is the controller of your personal data within the meaning of Regulation (EU) 2016/679 (RGPD).
For any question about data protection, please contact our responsible: [email protected]
2. Data we collect and purposes
We collect only the data necessary to provide you with the service:
| Data | Purpose | Legal basis (RGPD Art. 6) |
|---|---|---|
| Display name, username, email, password (bcrypt hash) | Create and manage your account | Art. 6.1.b — performance of contract |
| Avatar, biography, city, country | Complete your public profile | Art. 6.1.b |
| Shipping data (full name, address, postal code, phone) | Facilitate physical exchange; only shared with the counterpart if both parties expressly consent | Art. 6.1.b / Art. 6.1.a (dual consent) |
| Approximate geolocation of the item | Show distance in search results | Art. 6.1.a (GPS) / Art. 6.1.b (city of listing) |
| Chat messages | Communication between parties during an exchange | Art. 6.1.b |
| Ratings and disputes | Guarantee trust on the platform | Art. 6.1.b / Art. 6.1.f — legitimate interest |
| Google OAuth token | Sign in with Google | Art. 6.1.b |
| IP address, access logs | Security and fraud prevention | Art. 6.1.f — legitimate interest |
| Anonymous analytics data (Vercel Analytics) | Improve platform performance | Art. 6.1.a — consent (cookie banner) |
| Marketing consent | Sending optional commercial communications | Art. 6.1.a — express consent |
3. Data retention
- Account data: while the account is active, plus 3 years after deletion (potential legal liabilities).
- Chat messages: 2 years from the end of the exchange.
- Shipping data: automatically deleted 90 days after the exchange is completed.
- Security logs: 12 months.
- Billing data (if applicable): 10 years (tax obligations applicable in each jurisdiction).
4. Recipients and data processors
Trueku uses the following providers as data processors. All are subject to the Standard Contractual Clauses (CCE/UE) approved by the European Commission (Decision 2021/914), which guarantee an equivalent level of protection to that required by the RGPD for international transfers to third countries.
| Provider | Service | Country / Safeguards |
|---|---|---|
| Railway Inc. | Server and database hosting | USA — CCE/UE |
| Vercel Inc. | Website hosting | USA — CCE/UE |
| Cloudflare Inc. | CDN and image storage (R2) | USA — CCE/UE |
| Resend Inc. | Transactional email sending | USA — CCE/UE |
| Google LLC | OAuth authentication | USA — CCE/UE |
| Sentry Inc. | Error monitoring | USA — CCE/UE |
We do not sell or transfer your data to third parties for commercial purposes.
5. Your rights
Under the RGPD you have the right to:
- Access: know what data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ('right to be forgotten'): request the deletion of your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Restriction: request that we temporarily restrict processing.
- Withdrawal of consent: at any time and without retroactive effect.
Write to [email protected] stating your name, account email and the right you wish to exercise. We will respond within a maximum period of 30 days.
If you are not satisfied with our response, you may lodge a complaint with the supervisory authority competent in your country of residence. The full directory of EU authorities is available at the European Data Protection Board (EDPB).
6. Minors
Trueku is not directed at persons under 16 years of age. We do not knowingly collect data from minors. If we detect that an account does not meet this requirement, we will proceed with its immediate cancellation.
If you are a parent or legal guardian and believe your child has an account on Trueku, please contact us at [email protected].
7. Security
We apply appropriate technical and organisational measures to protect your data: encryption in transit (TLS 1.3), passwords stored with bcrypt, two-factor authentication (optional 2FA), role-based access control and access auditing.
In the event of a security breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform you without undue delay.
8. Changes to this policy
If we make material changes to this policy, we will notify you by email and by notice on the platform at least 15 days in advance. The updated version will always be available on this page.
9. Personal data in service exchanges
When an exchange involves the provision of an in-person service, the parties share contact details (name, city, phone or email) through the platform's explicit consent system. These data are processed under the same legal bases as other shipping data: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(a) (explicit consent of both parties).
For remote services, the exchange may involve the use of communication tools external to Trueku (video call, email, etc.). Trueku has no access to or control over those communications and does not process data exchanged outside its platform.
Data shared between the parties in the context of a service are deleted in accordance with the retention periods set out in section 3 of this policy.