Note: This is an English translation of the legally binding German version of the privacy policy (datenschutzerklaerung). In case of any discrepancy, the German version shall prevail.
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states is:
Anne Speerschneider
trading as "Lille Loppe"
Conrad-Röntgen-Straße 72
25524 Itzehoe
Germany
Email: datenschutz@pladsly.app
General contact: contact@pladsly.app
Contact form: pladsly.app/contact
We have not appointed a data protection officer, as the legal prerequisites for this under § 38 BDSG (German Federal Data Protection Act) and Art. 37 GDPR are not currently met. For data protection questions, please use the email address above.
This privacy policy applies to the following services we operate (together "Pladsly" or "the platform"):
portal.pladsly.app/shop/{slug},portal.pladsly.app/wizard/{storeId}, andWe process your personal data exclusively in accordance with the applicable data protection regulations, in particular the GDPR and the German Federal Data Protection Act (BDSG). We adhere to the principles of data minimisation, purpose limitation, storage limitation, and transparency.
Pladsly is B2B software that helps flea market shops manage shelf rentals to private individuals. To make the roles around your data understandable, we briefly explain the two data layers between which Pladsly separates technically and legally:
Identity layer (technical identity and login data). When you create an account on Pladsly, we store the data required for login and platform security at the Pladsly level. This includes in particular the email address as login identifier, magic-link tokens, security logs, and the technical information about which shops your account is linked to. For this data, Pladsly is the controller within the meaning of Art. 4(7) GDPR.
Business layer (business data per shop). When you, as a renter, book a shelf at a shop, list products, or conclude a rental agreement with the shop, business data is created that belongs to the respective shop (e.g. address for the rental agreement, bank details, uploaded products, sales history). This data lives technically in a shop-bound data structure (so-called "contact entity"). For this data, the respective shop is the controller; Pladsly processes it as a processor on behalf of the shop on the basis of a data processing agreement (Art. 28 GDPR).
Why this matters: Some data fields, such as your email address, appear in both places — once as a login at Pladsly (identity layer) and once as a contact address for the rental agreement with a specific shop (business layer). Even though the data may look identical, it is processed for different purposes and under different controllership. The following sections make this distinction visible.
Each time the marketing website is accessed, our hosting provider automatically records technical data temporarily in server logs:
Purpose: Provision and delivery of the website, ensuring IT security (e.g. detecting and defending against attacks), error handling.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the website).
Storage period: Short-term, as required for IT security and error handling; typically no longer than 30 days.
We use Vercel Analytics to collect statistics on how our website is used. Vercel Analytics works without cookies and without individual user trackers. Only aggregated, anonymised statistics are collected (e.g. page views per URL, approximate geographical region at country level, device type). We cannot derive any personal reference from this data.
For this reason, we do not use a cookie banner. No consent is required from you.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in privacy-friendly reach measurement), § 25(2)(2) TDDDG (German Telecommunications Digital Services Data Protection Act — no consent required because no end-device access takes place).
If you use our contact form at pladsly.app/contact or send us an email, we process the data you provide (name, email address, content of the message) to handle your enquiry.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to your enquiry).
Storage period: Until your enquiry is fully handled, plus a reasonable period for evidence purposes. Where retention obligations (e.g. under German commercial or tax law) apply, these take precedence.
The email is sent via our sub-processor Resend (see section 9).
The shop dashboard is intended exclusively for shop operators who subscribe to Pladsly as a software solution. Pladsly is the controller for the processing operations described in this section.
For the creation of a shop operator account, we process the following data:
Purpose: Provision of the SaaS service, performance of the contract, authentication.
Legal basis: Art. 6(1)(b) GDPR (contract).
If you, as a shop operator, want to activate the booking wizard, we are required to verify you under Art. 30 of Regulation (EU) 2022/2065 (Digital Services Act). For this we process:
We verify the information through manual sample checks.
Purpose: Fulfilment of our obligations as a provider of an online platform for consumer-to-business distance contracts under Art. 30 DSA.
Legal basis: Art. 6(1)(c) GDPR (legal obligation under Art. 30 DSA).
Storage period: For the entire duration of the wizard's use, followed by the statutory retention periods (typically up to 10 years under § 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code)).
If you use the booking wizard, you connect your own Stripe account to Pladsly via Stripe Connect (direct charges). Pladsly only stores the Stripe account ID and references to transactions, but not payment or account data. Payments from your renters are settled directly by Stripe to your account; Pladsly is at no point the recipient of funds.
For the processing of payment data, Stripe is its own controller. See the Stripe Privacy Policy.
When using the dashboard, we process configuration data (shelves, packages, prices, wizard settings) and audit logs (which account holder made which changes at what time).
Purpose: Provision of the service, traceability of critical changes, abuse prevention.
Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interest in security and traceability).
Storage period: For the duration of the active business relationship. After termination, we retain audit logs only for as long as is required for security, evidence, or statutory purposes.
When you, as a visitor, access a public shop page at portal.pladsly.app/shop/{slug}, we process only the following data:
There is no cross-shop personal profiling.
The booking wizard allows you, as a renter, to book a shelf at a specific shop online and conclude the rental agreement with the shop digitally.
Who is responsible for what? Three parties meet in the wizard:
| Data category | Controller | Pladsly role |
|---|---|---|
| Contract data for the rental agreement (name, address, date of birth if requested by the shop, contact details, booking details) | The respective shop | Processor of the shop under Art. 28 GDPR |
| Pladsly account data (email as login identifier, magic-link token, link to the shop) | Pladsly | Controller |
| Payment data (credit card, SEPA, etc.) | Stripe Payments Europe Ltd. | Pladsly has no access to this data |
The entry of your payment data takes place via an input field embedded directly by Stripe (Stripe Elements). We do not see your card number or account data at any time.
Conclusion of contract and confirmation email. After successful conclusion of the contract, we send a confirmation email to your email address from the wizard via our sub-processor Resend. The email contains the content of the contract, the right-of-withdrawal notice (if applicable), the mandatory information under Art. 246a EGBGB (Introductory Act to the German Civil Code), and a magic link with which you can activate your Pladsly account.
Legal bases:
Storage period: Contract data is stored for the duration of the rental relationship and subsequently in accordance with the statutory retention periods (typically up to 10 years under § 257 HGB and § 147 AO). Account data is stored until you delete your Pladsly account.
Once you have activated your Pladsly account, you can manage your data in the portal. We process:
At the Pladsly level (identity layer), Pladsly as controller:
At the shop level (business layer), the respective shop as controller, Pladsly as processor:
If you are a renter at multiple shops, your business data is kept separately per shop. Pladsly does not aggregate this data into a cross-shop profile. You can dissolve the link to a shop at any time in your portal settings.
Legal basis identity layer: Art. 6(1)(b) GDPR (contract regarding the Pladsly account), Art. 6(1)(f) GDPR (security).
Legal basis business layer: Art. 6(1)(b) GDPR (contract with the shop, processed on behalf).
When you, as a renter, upload product images for your items, we process these images using automated procedures to categorise the products, generate descriptions and price suggestions, and assign the images to your items. This AI processing takes place via Google Cloud's "Vertex AI" service, configured in an EU region (Frankfurt or the Netherlands).
According to our Acceptable Use Policy, product images may not show any persons. If, in individual cases, persons should nevertheless appear in an image, we take technical and organisational measures to ensure that no independent insights about these persons are derived from the AI processing.
Controller: The respective shop. Pladsly processes the images as a processor.
Legal basis: Art. 6(1)(b) GDPR (contract with the shop).
Storage period: Until deletion by the renter or until the images are no longer required for the sales process.
The AI pipeline is orchestrated internally via the "Vercel Workflows" service. We have designed this orchestration step technically so that no personal data flows through it — only image references and product-related analysis results (e.g. detected product category, price suggestion). No personal data is transmitted into this system. See sections 9 and 10 for further details.
If you report allegedly unlawful content to us via the "Report content" function on a product page, we process your information (description of the content, URL, justification, optionally your contact details for follow-up questions).
Purpose: Review and, where applicable, removal of the content; fulfilment of our obligations under Art. 16 and 17 DSA.
Legal basis: Art. 6(1)(c) GDPR (legal obligation under Art. 16 DSA).
Storage period: At least 6 months from receipt of the notice in order to fulfil DSA obligations; longer where required for ongoing proceedings.
When Pladsly processes data as a processor of a shop (in particular contract data, bookings, products, sales history), the following applies:
Beyond this, Pladsly remains the controller for the processing operations described in sections 5 and 6 (identity layer, server logs, verification under Art. 30 DSA, our own security measures).
We do not use tracking cookies or third-party advertising cookies on our services.
We use only:
For this reason, we do not use a cookie consent banner.
To provide our services, we work with the following sub-processors. With all sub-processors we have concluded data processing agreements under Art. 28 GDPR and, where required, standard contractual clauses under Art. 46 GDPR.
| Sub-processor | Location / configuration | Data processed | Purpose |
|---|---|---|---|
| Vercel Inc. (Hosting) | Primary Frankfurt (EU), USA as failover | Hosting content, server logs | Platform delivery |
| Vercel Inc. (Workflows) | USA (region not configurable) | Exclusively product-related data and image references, no personal data | Orchestration of the AI pipeline for product images |
| Vercel Inc. (Analytics) | EU-aware | Aggregated, anonymous usage statistics | Reach measurement (cookieless) |
| Vercel Inc. (Blob Storage) | Frankfurt (EU) | Uploaded images (product images) | Image storage |
| MongoDB Inc. (Atlas) | Frankfurt (EU) | Database contents (all identity- and business-layer data) | Database hosting |
| Resend (Resend Inc.) | USA | Email content and recipient addresses | Sending transactional emails (e.g. magic link, confirmation emails) |
| Google LLC (Vertex AI) | Frankfurt or the Netherlands (EU region) | Product images and derived analyses | AI-supported data enrichment |
| Stripe Payments Europe Ltd. / Stripe Inc. | Ireland / USA | Payment and identity data of Stripe end customers | Payment processing (Stripe is independently responsible for the payment data) |
A continuously updated list of sub-processors is available at pladsly.app/subprocessors.
With some of our sub-processors, transfers to third countries occur, particularly to the USA. We take the following safeguards:
A copy of the respective safeguards can be requested via the email address listed in section 1.
We store personal data only for as long as is necessary for the respective purposes or as required by statutory retention obligations. We follow these principles:
| Data category | Storage period |
|---|---|
| Server logs (IP, user agent) | Short-term, as required for IT security; typically not longer than 30 days |
| Audit logs (account actions) | During the active business relationship, thereafter as required for security and evidence purposes |
| Pladsly account master data (active) | Until you delete the account |
| Pladsly account master data (inactive) | After prolonged inactivity, anonymisation or deletion may take place under our data minimisation principle |
| Shop-bound contract and booking data | Until the end of the rental relationship, followed by statutory retention periods (in particular up to 10 years under § 257 HGB / § 147 AO) |
| Renter product images | Until deletion by the renter or until the images are no longer required for the sales process |
| Notices under Art. 16 DSA | At least 6 months from receipt, longer where required for ongoing proceedings |
| Dissolved shop-renter links | For a reasonable audit period, then deletion |
| Closed or terminated shop accounts | Within a reasonable period after the end of the business relationship, subject to statutory retention obligations |
| Database backups | Rolling retention of up to 30 days |
After the respective period has expired, data is deleted or anonymised, unless statutory retention obligations preclude this. You can at any time request deletion of your data (see section 12).
In relation to us as controller for the data described in the identity layer and other own Pladsly processing operations, you have the following rights (for business-layer data, please address such requests to the respective shop, see section 7):
To exercise your rights, a simple email to datenschutz@pladsly.app is sufficient. We typically process requests within one month of receipt. In individual cases we may request additional information to verify your identity.
In the logged-in area of the portal, you can additionally delete your account yourself.
Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is:
Independent State Centre for Data Protection Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Web: datenschutzzentrum.de
You may also contact the supervisory authority responsible for your place of residence.
You are not required by law or contract to provide personal data. You are not obliged to provide us with data. However, without the data marked as mandatory in the respective input form, we cannot provide certain functions — in particular, signing up, completing a booking, or creating a shop account is technically not possible without the data required for these.
Automated decision-making within the meaning of Art. 22 GDPR which produces legal effects concerning you or significantly affects you in a similar way does not take place. In particular, the AI-supported product analysis (section 6.4) produces only product-related results (category, price suggestion), not personal decisions.
For matters under Regulation (EU) 2022/2065 (Digital Services Act), we have set up separate contact points. These are listed in the legal notice (imprint) and can be reached via the following email addresses:
We use technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. These include in particular:
Our security measures are continuously adapted in line with technological developments.
We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to reflect changes to our services, e.g. when new features are introduced. The current version applies to your next visit. The current version is available at any time at the URLs listed in section 2.
For material changes that affect your rights as a data subject, we will additionally inform you actively (e.g. by email to the address stored in your account).