TermsPrivacyCookiesSeller DPAWithdrawalSafety

EURODROP — PRIVACY POLICY

VERSION 1.1 — GDPR Last Updated: 17 July 2026

This Privacy Policy forms part of the Terms of Service and explains how Eurodrop processes personal data under Regulation (EU) 2016/679 (GDPR), the ePrivacy rules as transposed in Latvia, and Latvian data-protection law.


1. Controller

The controller is [LEGAL ENTITY NAME], registered in the Republic of Latvia under No. [•], registered office [•], VAT (PVN) No. [•] ("Eurodrop", "We"). Contact for privacy matters: [email]. Where a Data Protection Officer is appointed: [DPO contact].

The Platform is not directed at persons under 18. We do not knowingly collect personal data of children; if you believe a child has provided us data, contact [email] and we will delete it.


2. What we process, why, and on what legal basis

DataPurposeLegal basis (Art. 6 GDPR)
Telegram account (ID, name, username)Authenticate you, run the Mini App, loyalty accountContract (6(1)(b)); legitimate interests (6(1)(f))
Buyer order enquiry data (name, phone, city, delivery address)Transmit your enquiry to the independent Seller so they can contact you and arrange the sale directlyContract / steps prior to contract (6(1)(b))
Seller listings, shop settingsPublish and operate the Seller's listingsContract (6(1)(b))
Seller traceability data — Traders (name, address, phone, email, ID document, registration/VAT No.) — Art. 30 DSA / KYBCLegal trader-traceability obligation under the DSA; display of Trader identity on the Platform where Art. 30(7) DSA requiresLegal obligation (6(1)(c))
Reports of illegal content (notice, reporter contact)Notice-and-action handling under the DSA; defence of legal claimsLegal obligation (6(1)(c)); legitimate interests (6(1)(f))
Product-safety communications (Buyer contact details for recall notices)Informing Buyers of product recalls and safety issues under the GPSRLegal obligation (6(1)(c) — Art. 22, 35–36 GPSR)
Messaging base for shop broadcasts (Buyer contact identifiers linked to a specific Seller's past sales)Enable a Seller to send messages to that Seller's own past buyers via the bot. The Seller is the controller of this processing; Eurodrop acts as the Seller's processor under a Data Processing Addendum (Art. 28 GDPR)Determined by the Seller as controller. For direct marketing by electronic means: consent (opt-in) under the ePrivacy rules and the Latvian Information Society Services Law, or the "soft opt-in" exception (contact obtained by that Seller in the context of a sale, marketing of that Seller's own similar goods, with a free and easy opt-out in every message)
Service messages from Eurodrop (transactional notifications about your account, enquiries, security, or changes to terms)Operate the serviceContract (6(1)(b)); legal obligation (6(1)(c))
Tax-relevant seller data — DAC7 (incl. TIN, VAT No., financial-account identifier where applicable, consideration amounts)Reporting to the State Revenue Service (VID) where Eurodrop qualifies as a reporting platform operator; informing the Seller of the information reported about themLegal obligation (6(1)(c))
Technical logs (IP address, device/user-agent, timestamps, error logs)Security, abuse prevention, debuggingLegitimate interests (6(1)(f))

Cookies and similar technologies (including localStorage in the Mini App) are covered by the separate Cookie & Tracking Policy at [URL].


3. Buyer–Seller data sharing

3.1. Eurodrop is an advertising/classifieds platform. When you submit an order enquiry, your contact and delivery details are passed to the independent Seller you chose so they can contact you and arrange payment and delivery directly. The Seller becomes an independent controller of that data.

3.2. Eurodrop does not process payments and therefore does not collect card or bank-account data for sales between Buyers and Sellers.

3.3. Sellers must handle Buyer data in compliance with the GDPR and only for fulfilling the enquiry, and — where they use the broadcast feature — in compliance with Section 2 above and the Data Processing Addendum.


4. Recipients and processors


5. International transfers

Where personal data is transferred outside the EU/EEA, we rely on an adequacy decision or appropriate safeguards under Chapter V GDPR. In particular, transfers to Cloudflare, Inc. (USA) are covered by the EU–U.S. Data Privacy Framework, to which Cloudflare is certified, and additionally by Standard Contractual Clauses in Cloudflare's data-processing terms. Details and copies of safeguards are available on request at [email].


6. Retention

CategoryRetention period / criterion
Account and order-enquiry dataFor the duration of the account, then until expiry of applicable limitation periods: as a rule up to 10 years under the Latvian Civil Law; 3 years for commercial-transaction claims under the Commercial Law
Trader traceability (KYBC, Art. 30 DSA)6 months after the end of the contractual relationship with the Trader (Art. 30(4) DSA), unless longer retention is required by other law
DAC7 reporting recordsRetained for the period required by the DAC7 transposition rules and Latvian accounting/tax law, and no longer than necessary (as a rule up to 5 years for accounting source documents; up to 10 years where required)
Notices of illegal content and statements of reasonsFor as long as needed to handle the report, meet DSA transparency obligations, and defend legal claims
Product-safety / recall recordsFor the period required by the GPSR and market-surveillance rules
Broadcast messaging baseControlled by the relevant Seller; deleted upon Seller's instruction, upon opt-out of the data subject, or upon termination of the DPA, per the Data Processing Addendum
Technical logs[e.g., 12 months], unless needed longer for a specific security incident or legal claim

7. Your rights

Subject to conditions in the GDPR, you have the right to: access; rectification; erasure; restriction; data portability; objection (including, at any time and free of charge, to processing for direct marketing, and to processing based on legitimate interests); and to withdraw consent at any time (without affecting prior processing). To exercise these rights, contact [email].

Where a Seller is the controller (order enquiries after transmission; broadcast messaging), you may exercise your rights against that Seller; Eurodrop will assist in routing requests where it acts as processor.

You also have the right to lodge a complaint with the Latvian supervisory authority, the Data State Inspectorate (Datu valsts inspekcija), Elijas iela 17, Riga, www.dvi.gov.lv, or the authority in your country of residence.


8. Automated decision-making

Eurodrop does not make decisions producing legal or similarly significant effects based solely on automated processing within the meaning of Art. 22 GDPR. Content-moderation decisions include human review and a right to contest under the Terms (Sections 8 and 16). Where automated means are used in detecting or processing content-moderation matters, this is disclosed in the statement of reasons as required by Art. 17 DSA.


9. Security

We apply appropriate technical and organisational measures to protect personal data. Seller bot tokens and secrets are stored only in server-side environment variables and never exposed to the client. Access to personal data is limited to personnel who need it; transport encryption (TLS) is used for data in transit.


10. Changes

We may update this Policy. Material changes take effect after reasonable notice. Continued use after the effective date constitutes acknowledgement, without prejudice to your statutory rights.


This Privacy Policy is a compliance-oriented template based on the GDPR, the ePrivacy rules, the DSA, the GPSR, DAC7, and Latvian data-protection law. It is not legal advice and must be reviewed and completed (every [•]) by a qualified Latvian lawyer before publication. A Latvian-language version must be prepared before offering the service to consumers in Latvia.

Eurodrop is an advertising / classifieds hosting platform. Contracts and payments are made directly between independent Buyers and Sellers; Eurodrop does not process payments.

Compliance-oriented template based on EU & Latvian law (DSA, P2B, GPSR, DAC7, GDPR, ePrivacy, EAA, Rome I/Brussels Ia). Not legal advice; review by a qualified Latvian lawyer and complete every [•] before relying on it.