1. Who is the data controller
The data controller for Eurobots Marketplace is [Legal entity name], registered office at [Address], VAT [VAT number]. For any privacy-related request, including the exercise of the rights described below, contact us at [privacy email].
2. What data we collect and why
We collect only the personal data we need to run the Service. Different categories apply depending on how you interact with us:
2.1 Visitors to the public site
When you simply browse the catalogue, we do not require an account and do not collect personal data beyond what is technically necessary to deliver the page: your IP address (processed in volatile memory by our hosting provider and in hashed form by our rate-limit layer), the User-Agent of your browser, and standard request logs. Legal basis: legitimate interest in operating, securing and monitoring the Service (Art. 6(1)(f) GDPR).
2.2 People who submit a contact / quote enquiry
When you fill in a contact, quote or "tell us your project" form, we collect the data you enter (typically: name, email, phone if you choose to provide it, company, country, message, and the listing/page you came from) and store it in our database. We use these data to forward your enquiry to the relevant seller, to reply to you, and to keep a record of the communication. Legal basis: performance of a pre-contractual measure taken at your request (Art. 6(1)(b) GDPR) and, for record-keeping and abuse prevention, legitimate interest (Art. 6(1)(f) GDPR).
2.3 Admin users
Members of the Eurobots editorial / operations team authenticate to a private back-office. We collect their authentication data (email, password hash, MFA factor), profile information (role) and audit log entries of write operations they perform. Legal basis: performance of the contract with the user / employee (Art. 6(1)(b) GDPR) and legitimate interest in the security of the Service (Art. 6(1)(f) GDPR).
3. Sub-processors
We rely on the following data processors. Each one is bound by a Data Processing Agreement consistent with Art. 28 GDPR. EU-based services keep data in EU regions; US-based services are covered by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
| Sub-processor | Purpose | Data processed | Region |
|---|---|---|---|
| Vercel Inc. | Hosting & CDN; anonymous performance telemetry (Speed Insights) | IP address, request logs, anonymous performance beacons | Global (EU regions for production traffic) |
| Supabase Inc. | Managed database (PostgreSQL) and authentication for admin users | All application data, including enquiries; admin credentials & MFA | EU (Frankfurt) |
| Sentry (Functional Software, Inc.) | Error and exception monitoring | Stack traces, request metadata, user agent; no form payloads | US (covered by SCCs / DPF) |
| Upstash, Inc. | Distributed rate limiting (Redis) | Hashed IP addresses, request counters | Global (EU regions where available) |
| OpenAI, L.L.C. | Admin-triggered automated translation of editorial copy and listings | Source text (no personal data; we never send enquiry content to the translation API) | US (covered by SCCs) |
| Resend, Inc. | Transactional email delivery for enquiry notifications and admin alerts | Recipient email, sender email, message body | US (covered by SCCs) |
4. Retention
We retain personal data only as long as we need it. The most relevant retention periods are:
- Contact / quote enquiries: 24 months from creation. After this period the record is automatically anonymised (name replaced by "Anonymous", email hashed, phone and company cleared); the anonymised record is retained for analytical purposes only.
- Request logs and rate-limit hashes: short rolling window, typically 30 days.
- Admin user accounts: for as long as the user is active, plus 12 months thereafter for audit-trail purposes.
- Audit log entries: retained for 24 months from creation for security and compliance reasons.
5. Recipients of your data
When you submit an enquiry about a specific machine, the content of your enquiry is transmitted to the seller of that machine, who acts as an independent data controller for the purpose of replying to you. We do not sell personal data and we do not share it with advertising networks or data brokers.
6. International transfers
Some of the sub-processors listed above are established outside the European Economic Area. Transfers to these processors are based on Standard Contractual Clauses approved by the European Commission and, where applicable, on the EU-US Data Privacy Framework. Copies of the relevant clauses are available on request.
7. Your rights
Under GDPR you have the right to: (a) access your personal data; (b) request rectification of inaccurate data; (c) request erasure (right to be forgotten); (d) request restriction of processing; (e) data portability; (f) object to processing based on our legitimate interest. You can exercise any of these rights by contacting [privacy email]. We will respond within one month.
You also have the right to lodge a complaint with the supervisory authority of your country of residence. In Italy the competent authority is the Garante per la protezione dei dati personali (garanteprivacy.it).
8. Security
We apply standard industry security measures: TLS 1.3 in transit, encryption at rest at the database level, strict role-based access on the back-office, mandatory multi-factor authentication for all admin accounts, application-level deny-by-default Row Level Security on sensitive tables, structured audit logging of write operations, and regular dependency review.
9. Children
The Service is addressed to professionals and is not intended for users below the age of 18. We do not knowingly collect personal data from minors.
10. Changes
We may update this Privacy Policy from time to time. The current version is always accessible from this page and the date at the top reflects the latest substantive change.
11. Language
This page is published in multiple languages. The English version is the master text; in case of discrepancy between language versions, the English text prevails.
Last updated: 2026-06-12