leftBack
Privacy Policy

Latest updated : November 19, 2025

/

1. INTRODUCTION

Tradoly of Europe, SL Spain S.L. ("Tradoly of Europe, SL", "we", "our", or "us") respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform, website (www.tradoly.com), mobile application, or any associated services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Policy.

2. DATA CONTROLLER INFORMATION

Data Controller:

Tradoly of Europe, SL

Registered Address: Avenida Condes de San Isidro 13, 2º Pta. A, 29640, Fuengirola, Málaga, Spain

CIF/NIF: B22725030

Email: support@tradoly.com

Website: www.tradoly.com

Tradoly of Europe, SL is responsible for determining the purposes and means of processing your personal data under Article 4(7) of the GDPR.

If you have questions or wish to exercise your data rights, contact our Data Protection Officer (DPO) at support@tradoly.com.

3. PERSONAL DATA WE COLLECT

We collect personal data directly from you, automatically through your interactions, and from third parties as described below.

3.1. Information You Provide Directly

When you use Tradoly of Europe, SL, you may provide:

  • Account Data: name, surname, email, phone number, and password.
  • Profile Information: profile photo, location, preferences, language, and vehicle interests.
  • Listing Data: car descriptions, registration number (VIN), price, images, mileage, and contact information.
  • Transaction Data: billing address, payment method, VAT details, or bank account information.
  • Communications: messages exchanged with other users, customer support, or feedback.
  • Consent Records: marketing preferences and cookie consent status.

3.2. Information We Collect Automatically

When you interact with our platform, we may automatically collect:

  • Device and Technical Data: IP address, device ID, browser type, operating system, and language.
  • Usage Data: pages visited, search filters, time spent, referral URLs, and interaction data.
  • Location Data: approximate or precise geolocation (if permitted by your device settings).
  • Cookies and Similar Technologies: used for analytics, personalization, and advertising (see our separate Cookie Policy).

3.3. Information from Third Parties

We may receive limited information from:

  • Payment processors (e.g., Stripe, Adyen) to confirm transaction status.
  • Vehicle data partners for VIN or car history verification.
  • Advertising and analytics partners for campaign performance and personalization.
  • Social login providers (e.g., Google or Facebook) when you sign in using those accounts.

4. PURPOSES AND LEGAL BASES OF PROCESSING

PurposeLegal Basis (GDPR)Examples
Account creation and managementContract (Art. 6(1)(b))Register and manage your profile
Facilitate transactions between buyers and sellersContractManage vehicle listings and communication
Payment processingLegal obligation / ContractComply with billing and accounting laws
Customer supportLegitimate interest (Art. 6(1)(f))Respond to inquiries or resolve complaints
Marketing communicationsConsent (Art. 6(1)(a))Send newsletters, promotions, or offers
Personalized advertisingConsentTailor ad display and car suggestions
Fraud detection and preventionLegitimate interestMonitor suspicious activity or fake listings
Compliance with lawLegal obligation (Art. 6(1)(c))Tax, AML, or data disclosure duties
Analytics and platform improvementLegitimate interestEvaluate performance and optimize experience

4.1. Records of Processing Activities (ROPA)

Tradoly maintains a complete ROPA as required by GDPR Art. 30, including:

  • Categories of data processed
  • Purpose of each processing activity
  • Data flows & storage locations
  • Processor involvement
  • Retention rules

Reviewed annually or after major changes.

5. DATA RETENTION PERIOD

We store personal data only as long as necessary for the purposes described above or as required by applicable law:

Data TypeRetention Period
Tax, billing & payment records6–10 years (legal obligation)
User account detailsRetained while the account is active
KYC/KYB recordsRetained as required by AML/DSA
Support communication logsRetained for 24 months
Deleted accountsAnonymized or permanently removed within 90 days, except where retention is legally required
Marketing and consent recordsUntil consent is withdrawn
Communications and listingsUntil account deletion or request for erasure
Technical logs (IP, device)12 months for security analysis

After expiry, data will be securely deleted or anonymized.

6. DATA SHARING AND DISCLOSURE

Tradoly of Europe, SL does not sell or rent personal data.

However, we may share data under the following conditions:

6.1. Service Providers

We share data with carefully selected third parties who help us operate our Services:

  • Hosting and cloud providers (e.g., AWS, Google Cloud)
  • Payment processors and banking partners
  • Analytics and marketing platforms
  • Customer support systems
  • Security and anti-fraud tools

All providers act as Data Processors under strict contractual obligations (Art. 28 GDPR).

6.2. Legal and Regulatory Authorities

We may disclose data when legally required by courts, regulators, or public authorities to comply with applicable law.

6.3. Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction — always under GDPR safeguards.

6.4. Third-Party Processor Oversight & Contractual Safeguards

Tradoly uses third-party service providers only where necessary for platform operation (e.g., payments, logistics integration, email/SMS services, analytics, hosting).

To ensure GDPR compliance:

  • All processors are vetted for security standards, GDPR adherence, and data minimization.
  • Data Processing Agreements (DPAs) are executed with each processor, including:
    • Art. 28 GDPR obligations
    • Sub-processor restrictions
    • Confidentiality and data protection mandates
    • Incident notification timelines
    • Data deletion/return requirements
  • Regular audits of processors through:
    • Annual compliance reviews
    • Log analysis and security reports
    • Monitoring of sub-processors
  • Cross-border transfers (if any) are covered by:
    • EU Standard Contractual Clauses (SCCs)
    • Adequacy decisions
    • Supplemental transfer impact assessments (TIAs)

Tradoly never sells or commercially brokers user data to third parties.

7. INTERNATIONAL DATA TRANSFERS

If we transfer personal data outside the European Economic Area (EEA), we ensure that:

  • The destination country has an adequacy decision by the European Commission, or
  • The transfer is governed by Standard Contractual Clauses (SCCs) and other appropriate safeguards.

You can request a copy of these safeguards by contacting support@tradoly.com.

8. USER RIGHTS (DATA SUBJECT RIGHTS)

Under the GDPR and LOPDGDD, you have the following rights:

RightDescription
AccessObtain a copy of your personal data and how it is processed
RectificationCorrect inaccurate or incomplete data
Erasure ("Right to be Forgotten")Request deletion of your data when legally possible
RestrictionLimit data processing in certain cases
PortabilityReceive your data in a machine-readable format
ObjectionObject to processing based on legitimate interest or marketing
Withdraw ConsentWithdraw consent at any time (without affecting prior processing)

You may exercise these rights by emailing support@tradoly.com.

If unsatisfied, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD): https://www.aepd.es

8.1. Consent Lifecycle Management & Audit Trails

Tradoly maintains a structured Consent & Preferences Management Framework to comply with GDPR, ePrivacy Directive, and DSA requirements.

Granular consent capture for:

  • Marketing emails
  • Newsletter subscription
  • Cookie-based tracking
  • Communication preferences
  • Terms & Conditions acceptance
  • Ad Disclosure acceptance

Real-time logging of consent events, including:

  • Date and time
  • IP address
  • Browser/device fingerprint
  • Specific action taken
  • Version of the policy accepted

Version-controlled consent storage, allowing users and regulators to view historical consent states.

Withdrawal of consent:

  • Users can modify or withdraw consent at any time from:
    • "Settings → Preferences/Notifications"
    • Unsubscribe links in marketing messages
  • Withdrawal does not affect the lawfulness of processing before withdrawal.

8.2. Complaint Handling Process

Users have the right to raise concerns regarding data processing, account actions, platform behaviour, or any activity they believe is non-compliant with this Privacy Policy or applicable EU regulations. Complaints may be submitted through the following channels:

Email-Based Complaints:

Users may contact Tradoly's Data Protection Office at privacy@tradoly.com with any request or complaint relating to personal data, privacy, platform misuse, or regulatory obligations.

Report Abuse (In-Platform Mechanism):

Tradoly provides a dedicated "Report Abuse" feature within the platform, enabling users to report issues directly from their dashboard.

Users may submit complaints or alerts related to:

  • a Trader/Dealer's behaviour or misuse
  • a vehicle listing containing misleading, incorrect, or fraudulent information
  • discrepancies in an order, payment, document verification, or delivery
  • potential violations of law, tax obligations, or platform rules

All abuse reports are logged in compliance with DSA Article 16 and maintained with audit trails.

Review & Response Timelines:

Tradoly reviews all complaints promptly, categorises them by severity, and responds within a reasonable timeframe. Regulatory-related complaints (GDPR/DSA violations) are prioritised for investigation.

Tradoly maintains records of all complaints, responses, and outcomes for compliance, auditing, and regulatory reporting obligations.

9. COOKIES AND TRACKING TECHNOLOGIES

Tradoly of Europe, SL uses cookies and similar technologies to:

  • Enhance website functionality
  • Measure site traffic and analytics
  • Provide personalized recommendations
  • Deliver relevant ads

You can manage cookie preferences via our Cookie Consent Banner or through browser settings at any time. A detailed explanation is available in our separate Cookie Policy.

10. SECURITY MEASURES

We apply appropriate technical and organizational measures to safeguard data against unauthorized access, alteration, loss, or disclosure, including:

  • TLS/SSL encryption
  • Firewalls and intrusion detection
  • Role-based access control
  • Regular penetration testing
  • Secure password hashing
  • Periodic data protection audits

While we maintain high security standards, no system can guarantee 100% protection. Users are advised to maintain strong passwords and safeguard login credentials.

10.1. Internal Access Control & Logging

Only authorized personnel with secured login may access user data, strictly on a need-to-know basis. Access is logged, monitored, and regularly reviewed.

10.2. Data Breach Management & Regulatory Reporting

Tradoly maintains an internal Data Breach Response Procedure compliant with GDPR Articles 33 and 34.

In the event of a personal data breach, Tradoly will:

  • Detect and assess the breach through automated monitoring and internal security tools.
  • Record and document all breaches in a secure internal breach registry.
  • Notify the Supervisory Authority within 72 hours when required under GDPR Art. 33.
  • Notify affected users without undue delay when the breach is likely to result in high risk to user rights (GDPR Art. 34).
  • Implement corrective actions, such as access revocation, forced credential resets, or enhanced logging.

All breach investigations follow documented internal SOPs reviewed annually as part of Tradoly's security audit cycle.

11. CHILDREN'S PRIVACY

Tradoly of Europe, SL's Services are intended for users aged 18 and above. We do not knowingly collect personal data from minors.

If a parent or guardian believes a child's data has been collected, contact us immediately at support@tradoly.com, and we will delete it promptly.

12. AUTOMATED DECISION-MAKING AND PROFILING

Tradoly of Europe, SL may use limited profiling for:

  • Recommending vehicles based on prior searches
  • Displaying ads relevant to user interests

No automated decisions are made that produce legal or significant effects without human oversight (as per GDPR Art. 22).

13. LINKS TO THIRD-PARTY WEBSITES

Our platform may contain links to third-party sites (e.g., partner dealerships or insurance offers). Tradoly of Europe, SL is not responsible for the content, data practices, or security of these sites. Users should review third-party privacy notices before sharing information.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect operational, legal, or regulatory changes. The "Last Updated" date will always indicate the latest revision. Continued use of our Services after such updates constitutes acceptance of the new terms.

15. CONTACT INFORMATION

For any privacy-related queries, requests, or complaints, contact:

Email: support@tradoly.com

Postal: Data Protection Officer, Tradoly of Europe, SL Spain S.L., Avenida Condes de San Isidro 13, 2º Pta. A, 29640, Fuengirola, Málaga, Spain

Website: www.tradoly.com