Privacy policy
About this policy
This Privacy policy explains how Food Trailers Marketplace ("we", "us", "our") collects, uses, and protects personal data when you use the platform — including when you register as a supplier, browse listings, contact us, or pay for an optional feature.
It applies in conjunction with our Terms of use. By using the platform you agree to the practices described here.
Who is the data controller
For the purposes of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018, the data controller for personal data processed via the platform is Food Trailers Marketplace, operated from Ireland. You can reach us about anything in this policy through the contact form.
What data we collect
We only collect what we need to operate the platform. The categories below cover everything we routinely process.
Supplier account data — company name, CRO and/or VAT number where supplied, account email address, hashed password, and any contact details (phone, WhatsApp, email) you choose to publish on your public profile or listings.
Listing content — titles, descriptions, prices, county, photos you upload, and category information you select.
Verification documents — for suppliers on the optional ✓ Verified tier, we collect a CRO or VAT certificate which is reviewed by our team and stored only for as long as the verification remains active.
Payment data — for paid features (Verified subscription, listing promotions), payments are processed by Stripe. We never see or store full card numbers; we only retain Stripe customer IDs, transaction IDs, and the last 4 digits + card brand to display in your dashboard.
Communications — messages you send via the contact form, replies to support emails, and any documents you attach.
Technical data — IP address (used for rate limiting and abuse prevention; hashed before being stored for analytics), browser type, device type, referring URL, pages viewed, and timestamps. Some of this is collected via cookies (see section 5).
How we use your data & lawful basis
Under GDPR, every processing activity has a lawful basis. Ours are:
- Performance of a contract — running your account, displaying your listings, processing your subscription or promotion payment, sending transactional emails (verification, password reset, payment confirmations).
- Legitimate interests — keeping the platform secure (rate limiting, abuse detection), preventing fraud, producing aggregate analytics so we can improve the site, and showing you relevant features in your dashboard.
- Consent — any marketing email you specifically opt in to. You can withdraw consent at any time from your dashboard preferences.
- Legal obligation — retaining payment and tax records for the period required by Irish law, responding to lawful requests from authorities.
We do not sell or rent personal data to third parties, and we do not use your data for automated decision-making or profiling that produces legal effects.
Cookies
We use a small set of strictly-essential cookies to keep the platform working. We currently do not run any third-party analytics, advertising, or tracking cookies.
Essential cookies (always set) — session cookie for keeping you logged in, CSRF token for form security, and a small cookie that records your cookie-banner choice so we don't ask again on every visit.
If we ever add analytics or marketing cookies in the future, we will update this section, present a granular consent banner, and load nothing non-essential until you opt in.
Sub-processors
The following third parties process personal data on our behalf in order to deliver the service. Each is bound by a data processing agreement (DPA) and processes only what's needed for its specific function.
- Hostinger (EU) — web hosting, MySQL database hosting, transactional email delivery (SMTP).
- Stripe (Ireland / global) — payment processing for Verified subscriptions and listing promotions. Stripe is a separate data controller for the payment information you provide directly to its checkout.
If we add a new sub-processor that materially changes how your data is handled, we will update this list and give reasonable notice in advance.
International transfers
Most of your data stays in the EU. The single exception is Stripe, which may transfer payment data outside the EU as part of its global processing infrastructure under EU-approved Standard Contractual Clauses (SCCs). If you avoid the paid features (Verified subscription, listing promotions), Stripe is never engaged on your behalf and your data stays entirely within the EU.
Data retention
We keep personal data only as long as we need it for the purpose collected, or as required by law.
- Account data — kept while your account is active. After you close it, we delete profile, listings, images, and contact details within 7 working days; we may keep a minimal record (email + hashed password) for up to 24 months for fraud prevention.
- Payment & tax records — retained for at least 7 years to meet Irish tax law obligations.
- Verification documents — kept while the Verified subscription is active and deleted within 30 days of cancellation.
- Support & contact-form messages — retained for up to 3 years so we can refer back to past correspondence.
- Server logs — request logs (with sensitive query-string parameters redacted) are kept for up to 30 days for security and abuse-detection purposes, then rotated.
Your rights
Under GDPR you have the following rights in relation to your personal data. We respond to all requests within one month (GDPR Art. 12.3); exercising any of them is free, and we won't penalise you for using them.
- Access — get a copy of the personal data we hold about you. Logged-in suppliers can self-serve at /dashboard/account → "Download my data". Non-registered users can request a copy via the contact form.
- Rectification — ask us to correct inaccurate or incomplete data. Suppliers can edit their profile + listings directly from the dashboard.
- Erasure ("right to be forgotten") — ask us to delete your data. Logged-in suppliers can submit a deletion request at /dashboard/account → "Delete my account" (email confirmation + 7-working-day admin-action window). Subject to retention obligations described in section 8.
- Restriction — ask us to pause processing while we resolve a query about your data. Email us via the contact form.
- Portability — get your data in a structured, machine-readable format you can transfer to another service. The "Download my data" button on your account page returns a JSON export covering this right.
- Objection — object to processing based on our legitimate interests, including direct marketing. Email us via the contact form.
- Withdraw consent — where processing is based on consent (e.g. analytics cookies), you can withdraw it at any time via the cookie banner or by clearing your cookies.
Every request is logged in our internal DSR audit trail (date, type, status) so we can prove timely compliance if challenged. You'll see your own audit history on your account page.
Security
We use reasonable technical and organisational measures to protect your data:
- HTTPS/TLS for all traffic to and from the platform
- Passwords stored only as bcrypt hashes — never in plain text
- Rate limiting and CSRF protection on authentication and form endpoints
- Regular software updates and dependency patching
- Server location in the EU (Hostinger), with backups that don't include card data
- Access controls limiting who on our team can see account-level data
No system is perfectly secure. If we discover a breach that is likely to result in a risk to your rights, we will notify the Data Protection Commission within 72 hours and notify affected users without undue delay, in line with GDPR Articles 33–34.
Children
The platform is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered an account, please contact us and we'll delete the account and any associated data promptly.
Changes to this policy
We may update this policy from time to time as the platform evolves or the law changes. The "last updated" date at the top of this page reflects the most recent revision. For material changes — for example, adding a new sub-processor or expanding the categories of data we collect — we will give reasonable notice by email or in-account notification before they take effect.
Contact & complaints
To reach us about anything in this policy — to exercise a right, ask a question, or raise a concern — use the contact form. We aim to respond within 5 working days and at the latest within 1 month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or with the supervisory authority in your country of residence.