Privacy Policy
Data Controller
The data controller for personal data processed through the Pricevo platform is:
Registered in France — SIRET: 93116252300019
📧 privacy@pricevo.io
📍 22B AV Pasteur, 60800 Crepy-en-Valois, France
Data We Collect
We collect only the data necessary to provide and improve the Service.
Account Data
- Email address (required for account creation)
- Name (optional, used for personalisation)
- Password (hashed via Supabase Auth — never stored in plaintext)
- OAuth profile data if you sign in via Google (name, email, profile picture)
Usage Data
- Search queries submitted (vehicle make, model, criteria)
- Search history and results accessed
- Feature usage patterns and session duration
- Browser type, device type, and IP address (for security and analytics)
Billing Data
Billing information (card details, billing address, VAT number) is collected and processed exclusively by our payment processor Paddle. Pricevo does not store or process payment card data. Paddle acts as an independent data controller for billing-related personal data.
Communications Data
- Email address collected via our waitlist form (with explicit consent)
- Support inquiries and correspondence
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and operate the Service | Account data, usage data | Contract performance |
| Process payments & billing | Email, billing info (via Paddle) | Contract performance |
| Send transactional emails (invoices, alerts) | Email address | Contract performance |
| Send product updates & newsletters | Email address | Consent (opt-in) |
| Improve platform features & analytics | Anonymised usage data | Legitimate interest |
| Security, fraud prevention & debugging | IP address, usage logs | Legitimate interest |
| Comply with legal obligations | Any data as required | Legal obligation |
We do not sell your personal data. We do not use your data for automated decision-making that produces legal effects.
Legal Basis (GDPR)
We process personal data under the following legal bases as defined by GDPR Article 6:
- Article 6(1)(b) — Contract: Processing necessary to provide the Service you subscribed to.
- Article 6(1)(a) — Consent: For marketing emails and optional features. You may withdraw consent at any time.
- Article 6(1)(f) — Legitimate interest: For platform security, analytics, and fraud prevention. We balance this against your rights.
- Article 6(1)(c) — Legal obligation: Where required by French or EU law (e.g. tax records).
Data Sharing & Sub-processors
We share personal data only with trusted sub-processors necessary to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Frankfurt) |
| Paddle | Payment processing, billing, VAT | UK / EU |
| Resend | Transactional and marketing emails | US (SCCs applied) |
| Vercel | Frontend hosting | EU |
| Railway / Hetzner | Backend API hosting | EU |
We do not share your personal data with any third parties for advertising or marketing purposes. We may disclose data if legally required to do so by a court order or competent authority.
Data Retention
- Account data: Retained for the duration of your active subscription plus 2 years following account deletion, unless a longer period is required by law.
- Search history: Retained for the duration of your active subscription.
- Billing records: Retained for 10 years as required by French accounting law.
- Waitlist emails: Retained until you unsubscribe or request deletion.
- Security logs: Retained for 12 months.
After the applicable retention period, data is permanently deleted or irreversibly anonymised.
Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Password hashing via bcrypt (managed by Supabase Auth)
- Role-based access controls — only authorised personnel access user data
- Regular security reviews and dependency updates
No transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (CNIL) within 72 hours as required by GDPR Article 33.
Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate data.
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests.
- Right to restriction (Art. 18) — Request that we limit how we process your data.
- Right to withdraw consent — At any time, for processing based on consent (e.g. marketing emails).
To exercise any of these rights, email privacy@pricevo.io. We will respond within 30 days. We may need to verify your identity before processing requests.
Cookies & Local Storage
Cookies
We use minimal cookies, strictly limited to:
- Authentication cookies — Session tokens to keep you logged in (essential, cannot be disabled).
- Preference cookies — Remembering UI preferences such as selected markets.
We do not use third-party advertising or tracking cookies.
Local Storage
We use your browser's local storage to cache search results and history for performance reasons. This data is stored on your device and is not transmitted to our servers unless you replay a search.
International Data Transfers
Some of our sub-processors (notably Resend) are based outside the EEA. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
Minors
Pricevo is a professional B2B service. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a minor has provided personal data, we will delete it promptly.
Changes to this Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email and update the "Last updated" date above. We encourage you to review this policy periodically.
Contact & DPA Requests
For any privacy-related enquiries, data subject requests, or to obtain a Data Processing Agreement (DPA), please contact our privacy team:
📧 privacy@pricevo.io
We aim to respond within 5 business days. For formal data subject requests, response time is 30 days.